
Pc Locks Up, Unknown Cause


  • This topic is locked
2 replies to this topic

#1 tonak

  • Members
  • 4 posts
  • OFFLINE
  • Local time:01:03 PM

Posted 14 May 2008 - 05:19 PM

Dell Inspiron 8200, XP Pro SP3 for now. I routinely run Ad-Aware Professional, XoftSpy, Registry Mechanic, and McAfee AV. Machine has been scanned with all. Ad-Aware kicks up a reg change on booting about a tsmsiuninstaller registry change, which occurs every time whether I accept or block; Registry Mechanic is picking up a mcplugin.dll and a few other mcplugins which I have no explanation for, and I am posting my HJT logs if I don't lock up while doing so =)

Deckard's System Scanner v20071014.68
Run by Robert on 2008-05-13 15:51:25
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Robert.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:51:38 PM, on 5/13/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\I8kfanGUI\I8kfanGUI.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Robert\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Robert.exe
C:\WINDOWS\system32\imapi.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webcenters.netscape.compuserve.com/menu/default.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://webcenters.netscape.compuserve.com/menu/default.jsp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://webcenters.netscape.compuserve.com/menu/default.jsp
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\I8kfanGUI.exe /startup
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SysProExe.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1206748967765
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NICSer_WPC300N - Unknown owner - C:\Program Files\Linksys\Wireless-N Network Monitor\NICServ.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5595 bytes

-- Files created between 2008-04-13 and 2008-05-13 -----------------------------

2008-05-13 10:25:10 0 d------c- C:\WINDOWS\Prefetch
2008-05-13 10:03:30 0 d------c- C:\WINDOWS\system32\scripting
2008-05-13 10:03:30 0 d------c- C:\WINDOWS\l2schemas
2008-05-13 10:03:29 0 d------c- C:\WINDOWS\system32\en
2008-05-13 10:03:28 0 d------c- C:\WINDOWS\system32\bits
2008-05-13 09:59:18 0 d------c- C:\WINDOWS\ServicePackFiles
2008-05-13 09:55:39 0 d------c- C:\WINDOWS\network diagnostic
2008-05-11 21:09:06 0 d------c- C:\Program Files\Trend Micro
2008-05-11 07:32:22 0 d------c- C:\Program Files\Microsoft Bootvis
2008-05-09 21:54:49 0 d------c- C:\Program Files\AnalogX
2008-05-09 12:51:09 0 d-ah---c- C:\Documents and Settings\All Users\Application Data\GTek
2008-05-09 08:53:44 106496 --a----c- C:\WINDOWS\CBTWlanSrv.exe <Not Verified; ; CBT Wlan Servic Application>
2008-05-09 08:52:56 94208 --a----c- C:\WINDOWS\UITabCtrl.dll <Not Verified; CyberTAN; UITab Contorl DLL>
2008-05-09 08:52:55 126976 --a----c- C:\WINDOWS\UIListCtrl.dll <Not Verified; CyberTAN; UIList Contorl DLL>
2008-05-09 08:52:55 139264 --a----c- C:\WINDOWS\UIButton.dll <Not Verified; CyberTAN; UIButton Control DLL>
2008-05-09 08:52:55 20480 --a----c- C:\WINDOWS\RegActiveX.exe <Not Verified; ; RegActiveX Application>
2008-05-09 08:52:08 0 d------c- C:\Linksys Driver
2008-05-07 14:45:07 143360 --a----c- C:\WINDOWS\system32\dunzip32.dll <Not Verified; Inner Media, Inc.; DynaZIP-32 Multi-Threading UnZIP DLL>
2008-05-07 14:42:07 0 d------c- C:\Program Files\McAfee.com
2008-05-07 14:42:02 0 d------c- C:\Program Files\Common Files\McAfee
2008-05-07 14:41:55 0 d------c- C:\Program Files\McAfee
2008-05-07 14:31:36 0 d------c- C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-06 09:25:52 0 d------c- C:\Documents and Settings\Robert\Application Data\GARMIN
2008-05-03 18:35:28 0 d------c- C:\Program Files\Sony
2008-04-29 09:26:51 8320 --a----c- C:\WINDOWS\system32\drivers\grmnusb.sys <Not Verified; GARMIN Corp.; Garmin USB GPS>
2008-04-29 09:26:51 18432 --a----c- C:\WINDOWS\system32\drivers\grmngen.sys <Not Verified; GARMIN Corp.; >
2008-04-29 09:26:51 11776 --a----c- C:\WINDOWS\system32\drivers\grmn1200.sys <Not Verified; GARMIN Corp.; grmn1200>
2008-04-29 09:26:51 16512 --a----c- C:\WINDOWS\system32\drivers\grmn0400.sys <Not Verified; GARMIN Corp.; GARMIN USB HS DATACARD PROGRAMMER (install) W4R3>
2008-04-29 09:26:51 17536 --a----c- C:\WINDOWS\system32\drivers\grmn0200.sys <Not Verified; GARMIN Corp.; grmn0200>
2008-04-29 09:25:03 0 d------c- C:\Garmin
2008-04-19 19:11:58 0 d--h---c- C:\WINDOWS\PIF
2008-04-19 16:21:50 0 d------c- C:\TOPO!
2008-04-13 20:05:50 0 d------c- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-04-13 20:05:11 0 d------c- C:\Program Files\Yahoo!


-- Find3M Report ---------------------------------------------------------------

2008-05-13 10:04:14 0 d------c- C:\Program Files\Messenger
2008-05-13 10:03:28 0 d------c- C:\Program Files\Movie Maker
2008-05-13 09:58:46 0 d------c- C:\Program Files\Windows NT
2008-05-11 11:42:12 0 d------c- C:\Program Files\XoftSpySE
2008-05-10 21:22:04 4 --a----c- C:\WINDOWS\system32\8B502B
2008-05-10 13:37:18 0 d------c- C:\Program Files\Common Files
2008-05-10 13:36:40 0 d------c- C:\Program Files\Linksys
2008-05-10 13:36:40 0 d--h---c- C:\Program Files\InstallShield Installation Information
2008-04-12 17:05:03 0 d------c- C:\Program Files\SystemRequirementsLab
2008-04-12 12:07:06 0 d------c- C:\Program Files\Dell
2008-04-12 08:29:01 0 d------c- C:\Program Files\I8kfanGUI
2008-04-12 08:29:00 0 d------c- C:\Program Files\I8kfanGUI(2)
2008-04-11 20:55:24 8112 --a----c- C:\WINDOWS\system32\nvModes.dat
2008-04-07 01:28:50 0 d------c- C:\Program Files\Intel
2008-04-04 21:33:52 0 d------c- C:\Program Files\Magellan
2008-04-04 11:22:55 0 d------c- C:\Documents and Settings\Robert\Application Data\Adobe
2008-04-01 09:50:10 0 d------c- C:\Program Files\MSECache
2008-03-31 13:55:28 0 d------c- C:\Program Files\CyberLink
2008-03-31 10:58:29 0 d------c- C:\Program Files\WON
2008-03-31 10:58:13 0 d------c- C:\Program Files\Common Files\InstallShield
2008-03-31 10:32:25 0 d------c- C:\Program Files\Common Files\AnswerWorks 4.0
2008-03-31 09:33:42 0 d------c- C:\Program Files\Common Files\Intuit
2008-03-31 09:32:11 0 d------c- C:\Program Files\Intuit
2008-03-31 08:58:56 227840 --a----c- C:\WINDOWS\system32\RpaEdit.exe <Not Verified; CompuServe, Inc.; CompuServe Remote Passphrase Authentication (Virtual Key) v3.0>
2008-03-30 17:39:35 98816 --a----c- C:\WINDOWS\system32\sh31w32.dll
2008-03-29 16:13:08 0 d------c- C:\Program Files\Citrix
2008-03-29 11:11:29 0 d------c- C:\Program Files\Windows Media Connect 2
2008-03-29 10:32:28 0 d------c- C:\Program Files\Rhapsody
2008-03-29 10:24:12 0 d------c- C:\Program Files\Common Files\Real
2008-03-29 10:23:40 0 d------c- C:\Documents and Settings\Robert\Application Data\Real
2008-03-28 21:43:30 0 d------c- C:\Program Files\AVG
2008-03-28 18:58:45 0 d------c- C:\Documents and Settings\Robert\Application Data\Macromedia
2008-03-28 18:49:24 0 d------c- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-28 18:46:49 0 d------c- C:\Program Files\Common Files\Adobe
2008-03-28 17:53:10 0 d------c- C:\Documents and Settings\Robert\Application Data\Lavasoft
2008-03-28 17:53:00 0 d------c- C:\Program Files\Lavasoft
2008-03-28 17:50:02 0 d------c- C:\Documents and Settings\Robert\Application Data\U3
2008-03-28 17:48:06 0 d------c- C:\Program Files\CONEXANT
2008-03-28 17:00:01 0 d------c- C:\Documents and Settings\Robert\Application Data\Identities
2008-03-28 16:53:59 0 d------c- C:\Program Files\microsoft frontpage
2008-03-28 16:53:22 0 -rahs--c- C:\MSDOS.SYS
2008-03-28 16:53:22 0 -rahs--c- C:\IO.SYS
2008-03-28 16:53:22 0 --a----c- C:\CONFIG.SYS
2008-03-28 16:53:22 0 --a----c- C:\AUTOEXEC.BAT
2008-03-28 16:51:46 0 d--h---c- C:\Program Files\WindowsUpdate
2008-03-28 16:50:51 0 d------c- C:\Program Files\Common Files\MSSoap
2008-03-28 16:49:45 21640 --a----c- C:\WINDOWS\system32\emptyregdb.dat
2008-03-28 16:49:14 0 d------c- C:\Program Files\Online Services
2008-03-28 16:49:04 0 d------c- C:\Program Files\MSN Gaming Zone
2008-03-28 09:40:41 0 d------c- C:\Program Files\Common Files\ODBC
2008-03-28 09:40:38 0 d------c- C:\Program Files\Common Files\SpeechEngines
2008-03-28 09:40:09 62 --ahs---- C:\Documents and Settings\Robert\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegistryMechanic"="" []
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [02/10/2003 09:27 AM]
"nwiz"="nwiz.exe" [02/10/2003 09:27 AM C:\WINDOWS\system32\nwiz.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AWMON"="C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [05/25/2005 12:12 PM]
"i8kfangui"="C:\Program Files\I8kfanGUI\I8kfanGUI.exe" [02/16/2007 10:58 AM]
"NVIEW"="nview.dll,nViewLoadHook" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [10/2/2007 8:03:35 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll 04/04/2008 12:38 AM 10536 C:\Program Files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders rpasspc.dll, msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc



-- End of Deckard's System Scanner: finished at 2008-05-13 15:54:54 ------------

#2 suebaby41

    W.A.M. (Women Against Malware)

  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:03:03 PM

Posted 06 June 2008 - 05:06 PM

Welcome to the BleepingComputer Forums. Since it has been a few days, please post a new HijackThis log. Thank you for your patience.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#3 suebaby41

    W.A.M. (Women Against Malware)

  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:03:03 PM

Posted 23 June 2008 - 01:58 PM

This subject is now closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.