
Vista Vulnerabilities And Rootkit Sysbus32


16 replies to this topic

#1 indireneedofhelp

  • Members
  • 13 posts

Posted 31 May 2008 - 12:36 AM

I am running Vista Basic and I used SmitFraudFix to scan my computer and found out that I have a rootkit installed on it!! I have factory restored from the discs that came with the computer, yet all the files and unwanted services/processes continue to reinstall even with the factory boot disk. I have run various a-squared apps, GMER, atool, hookanlz, RootKit Hook Analyzer, and sarsfx but nothing seems to work. Every time I feel like I'm getting somewhere, aka removing unwanted reg files and so forth, my computer either logs out or restarts... so I end up getting nowhere. I have been trying to fix this computer for way too long and someone suggested posting to a forum, so I'm giving it a shot. (I realize I'm not supposed to run SmitFraudFix without professional help; however, I was given the program by HP tech support and they told me to run it.)
If anyone can help me, your help is much appreciated!!! My HijackThis scan follows:

Deckard's System Scanner v20071014.68
Run by PC-LAW on 2008-05-31 01:27:32
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
22: 2008-05-31 05:09:49 UTC - RP26 - Windows Update
21: 2008-05-31 01:27:59 UTC - RP25 - Windows Update
20: 2008-05-30 04:54:12 UTC - RP24 - Windows Update
19: 2008-05-30 04:50:18 UTC - RP23 - Windows Update
18: 2008-05-29 10:56:54 UTC - RP22 - Windows Update


-- First Restore Point --
1: 2008-05-29 03:05:22 UTC - RP3 - Removed Microsoft Visual C++ 2005 Redistributable


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 503 MiB (1024 MiB recommended).


-- HijackThis (run as PC-LAW.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:29:45, on 5/31/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wuauclt.exe
C:\Users\PC-LAW\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8MZI5879\dss[1].exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\PC-LAW.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O23 - Service: a-squared Anti-Dialer Service (a2AntiDialer) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Dialer\a2service.exe
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: DisplayLink Service (DisplayLinkService) - DisplayLink Corp. - C:\Program Files\DisplayLink Core Software\DisplayLinkService.exe
O23 - Service: ECPOGMZIDF - Unknown owner - C:\Users\PC-LAW\AppData\Local\Temp\ECPOGMZIDF.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: VZDWKYLIQ - Unknown owner - C:\Users\PC-LAW\AppData\Local\Temp\VZDWKYLIQ.exe (file missing)

--
End of file - 3260 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 DisplayLinkService (DisplayLink Service) - "c:\program files\displaylink core software\displaylinkservice.exe" <Not Verified; DisplayLink Corp.; DisplayLink Core Software v4.2.6711.0>

S2 CLTNetCnService (Symantec Lic NetConnect service) - "c:\program files\common files\symantec shared\ccsvchst.exe" /h cccommon (file missing)
S3 ECPOGMZIDF - c:\users\pc-law\appdata\local\temp\ecpogmzidf.exe (file missing)
S3 VZDWKYLIQ - c:\users\pc-law\appdata\local\temp\vzdwkyliq.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft ISATAP Adapter
Device ID: ROOT\*ISATAP\0000
Manufacturer: Microsoft
Name: isatap.dubalovbabybleep
PNP Device ID: ROOT\*ISATAP\0000
Service: tunnel


-- Files created between 2008-04-30 and 2008-05-31 -----------------------------

2008-06-01 19:03:36 0 d-------- C:\System Volume Information
2008-05-31 01:18:12 0 d-------- C:\Windows\system32\Kaspersky Lab <KASPER~1>
2008-05-30 02:45:15 0 d-------- C:\Program Files\Trend Micro
2008-05-30 02:23:27 0 d-------- C:\Program Files\a-squared HiJackFree
2008-05-30 02:12:40 0 d-------- C:\Program Files\a-squared Free
2008-05-30 02:02:57 0 d-------- C:\Program Files\a-squared Anti-Dialer
2008-05-29 07:20:22 0 d-------- C:\Program Files\RootKit Hook Analyzer
2008-05-29 06:37:53 1524224 --a------ C:\Windows\system32\wucltux.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-05-29 06:32:21 0 d-------- C:\Program Files\Sophos
2008-05-29 05:08:43 1680 --a------ C:\Windows\system32\tmp.reg
2008-05-29 05:08:24 25600 --a------ C:\Windows\system32\WS2Fix.exe
2008-05-29 05:08:24 289144 --a------ C:\Windows\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-05-29 05:08:24 86528 --a------ C:\Windows\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-05-29 05:08:24 288417 --a------ C:\Windows\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-05-29 05:08:24 53248 --a------ C:\Windows\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-05-29 05:08:24 82944 --a------ C:\Windows\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-05-29 05:08:24 51200 --a------ C:\Windows\system32\dumphive.exe
2008-05-29 05:08:24 82944 --a------ C:\Windows\system32\404Fix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-05-29 03:30:42 0 d-------- C:\Windows\system32\URTTemp
2008-05-29 03:30:25 0 d-------- C:\Program Files\SuperAdBlocker.com
2008-05-29 03:22:40 0 d-------- C:\Users\All Users\PrevxCSI
2008-05-29 01:48:42 0 d-------- C:\perflogs
2008-05-29 01:33:03 0 d--hs---- C:\found.000
2008-05-29 01:27:42 0 d-------- C:\Windows\SoftwareDistribution
2008-05-29 01:25:48 0 dr------- C:\Users\DBW-LAW\Searches
2008-05-29 01:25:33 0 dr------- C:\Users\DBW-LAW\Contacts
2008-05-29 01:25:21 0 d--hs---- C:\Users\DBW-LAW\Templates
2008-05-29 01:25:21 0 d--hs---- C:\Users\DBW-LAW\Local Settings
2008-05-29 01:25:20 0 d--hs---- C:\Users\DBW-LAW\Start Menu
2008-05-29 01:25:20 0 d--hs---- C:\Users\DBW-LAW\SendTo
2008-05-29 01:25:20 0 d--hs---- C:\Users\DBW-LAW\Recent
2008-05-29 01:25:20 0 d--hs---- C:\Users\DBW-LAW\PrintHood
2008-05-29 01:25:20 0 d--hs---- C:\Users\DBW-LAW\NetHood
2008-05-29 01:25:20 0 d--hs---- C:\Users\DBW-LAW\My Documents
2008-05-29 01:25:20 0 d--hs---- C:\Users\DBW-LAW\Cookies
2008-05-29 01:25:20 0 d--hs---- C:\Users\DBW-LAW\Application Data
2008-05-29 01:25:19 0 dr------- C:\Users\DBW-LAW\Videos
2008-05-29 01:25:19 0 dr------- C:\Users\DBW-LAW\Saved Games
2008-05-29 01:25:19 0 dr------- C:\Users\DBW-LAW\Pictures
2008-05-29 01:25:19 0 dr------- C:\Users\DBW-LAW\Music
2008-05-29 01:25:19 0 dr------- C:\Users\DBW-LAW\Links
2008-05-29 01:25:19 0 dr------- C:\Users\DBW-LAW\Favorites
2008-05-29 01:25:19 0 dr------- C:\Users\DBW-LAW\Downloads
2008-05-29 01:25:19 0 dr------- C:\Users\DBW-LAW\Documents
2008-05-29 01:25:19 0 dr------- C:\Users\DBW-LAW\Desktop
2008-05-29 01:25:19 0 d--h----- C:\Users\DBW-LAW\AppData
2008-05-29 01:25:18 786432 --ahs---- C:\Users\DBW-LAW\NTUSER.DAT
2008-05-29 01:11:50 417792 --a------ C:\Windows\system32\Cmeau106.exe <Not Verified; C-MEDIA; CmeAu Application>
2008-05-29 01:11:22 65536 --a------ C:\Windows\VMix.dll
2008-05-29 01:11:04 0 d-------- C:\Program Files\TOSHIBA Video Dock
2008-05-29 01:10:17 0 d-------- C:\Program Files\DisplayLink Core Software
2008-05-29 01:09:14 0 d-------- C:\Program Files\TOSHIBA
2008-05-28 22:50:20 0 dr------- C:\Users\PC-LAW\Searches
2008-05-28 22:50:07 0 dr------- C:\Users\PC-LAW\Contacts
2008-05-28 22:48:20 44 --a------ C:\Windows\system\hpsysdrv.dat
2008-05-28 22:44:45 0 d--hs---- C:\Users\PC-LAW\Templates
2008-05-28 22:44:45 0 d--hs---- C:\Users\PC-LAW\Start Menu
2008-05-28 22:44:45 0 d--hs---- C:\Users\PC-LAW\SendTo
2008-05-28 22:44:45 0 d--hs---- C:\Users\PC-LAW\Recent
2008-05-28 22:44:45 0 d--hs---- C:\Users\PC-LAW\PrintHood
2008-05-28 22:44:45 0 d--hs---- C:\Users\PC-LAW\NetHood
2008-05-28 22:44:45 0 d--hs---- C:\Users\PC-LAW\My Documents
2008-05-28 22:44:45 0 d--hs---- C:\Users\PC-LAW\Local Settings
2008-05-28 22:44:45 0 d--hs---- C:\Users\PC-LAW\Cookies
2008-05-28 22:44:45 0 d--hs---- C:\Users\PC-LAW\Application Data
2008-05-28 22:44:44 0 dr------- C:\Users\PC-LAW\Videos
2008-05-28 22:44:44 0 dr------- C:\Users\PC-LAW\Saved Games
2008-05-28 22:44:44 0 dr------- C:\Users\PC-LAW\Pictures
2008-05-28 22:44:44 1048576 --ahs---- C:\Users\PC-LAW\NTUSER.DAT
2008-05-28 22:44:44 0 dr------- C:\Users\PC-LAW\Music
2008-05-28 22:44:44 0 dr------- C:\Users\PC-LAW\Links
2008-05-28 22:44:44 0 dr------- C:\Users\PC-LAW\Favorites
2008-05-28 22:44:44 0 dr------- C:\Users\PC-LAW\Downloads
2008-05-28 22:44:44 0 dr------- C:\Users\PC-LAW\Documents
2008-05-28 22:44:44 0 dr------- C:\Users\PC-LAW\Desktop
2008-05-28 22:44:44 0 d--h----- C:\Users\PC-LAW\AppData
2008-05-28 22:37:34 0 d--hs---- C:\Users\Default\Templates
2008-05-28 22:37:34 0 d--hs---- C:\Users\Default\Start Menu
2008-05-28 22:37:34 0 d--hs---- C:\Users\Default\SendTo
2008-05-28 22:37:34 0 d--hs---- C:\Users\Default\Recent
2008-05-28 22:37:34 0 d--hs---- C:\Users\Default\PrintHood
2008-05-28 22:37:34 0 d--hs---- C:\Users\Default\NetHood
2008-05-28 22:37:34 0 d--hs---- C:\Users\Default\Local Settings
2008-05-28 22:37:34 0 d--hs---- C:\Users\Default\Cookies
2008-05-28 22:37:34 0 d--hs---- C:\Users\All Users\Templates
2008-05-28 22:37:34 0 d--hs---- C:\Users\All Users\Start Menu
2008-05-28 22:37:34 0 d--hs---- C:\Users\All Users\Favorites
2008-05-28 22:37:34 0 d--hs---- C:\Users\All Users\Documents
2008-05-28 22:37:34 0 d--hs---- C:\Users\All Users\Desktop
2008-05-28 22:37:34 0 d--hs---- C:\Users\All Users\Application Data
2008-05-28 22:37:34 0 d--hs---- C:\Documents and Settings
2008-05-28 22:37:33 0 d--hs---- C:\Users\Default\My Documents
2008-05-28 22:37:33 0 d--hs---- C:\Users\Default\Application Data


-- Find3M Report ---------------------------------------------------------------

2008-05-30 21:45:41 0 d-------- C:\Program Files\Windows Mail
2008-05-30 21:45:29 0 d-------- C:\Program Files\Windows Sidebar
2008-05-30 02:09:07 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-29 06:18:07 0 d-------- C:\Program Files\Common Files
2008-05-29 05:51:51 35 --a------ C:\Users\PC-LAW\AppData\Roaming\SetValue.bat
2008-05-29 05:51:51 691 --a------ C:\Users\PC-LAW\AppData\Roaming\GetValue.vbs
2008-05-29 05:35:38 0 d-------- C:\Users\PC-LAW\AppData\Roaming\Adobe
2008-05-29 03:31:52 0 d-------- C:\Users\PC-LAW\AppData\Roaming\SuperAdBlocker.com
2008-05-29 02:58:31 98 --a------ C:\Users\PC-LAW\AppData\Roaming\wklnhst.dat
2008-05-29 02:19:45 0 d-------- C:\Users\PC-LAW\AppData\Roaming\Template
2008-05-28 23:30:41 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-28 23:30:40 0 d-------- C:\Program Files\Compaq Connections
2008-05-28 23:20:25 0 d-------- C:\Program Files\Hewlett-Packard
2008-05-28 23:18:33 0 d-------- C:\Program Files\Common Files\InstallShield
2008-05-28 23:18:18 0 d-------- C:\Program Files\HP
2008-05-28 23:11:47 0 d-------- C:\Program Files\Yahoo!
2008-05-28 23:11:04 0 d-------- C:\Program Files\Common Files\Real
2008-05-28 23:11:03 0 d-------- C:\Program Files\Real
2008-05-28 23:10:59 0 d-------- C:\Users\PC-LAW\AppData\Roaming\Real
2008-05-28 22:52:29 0 d-------- C:\Users\PC-LAW\AppData\Roaming\Hewlett-Packard
2008-05-28 22:50:10 0 d-------- C:\Users\PC-LAW\AppData\Roaming\Identities
2008-05-28 22:48:13 0 d-------- C:\Users\PC-LAW\AppData\Roaming\Macromedia


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc wlansvc EMDMgmt TabletInputService WPDBusEnum
LocalServiceNoNetwork PLA DPS BFE mpssvc


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-05-31 01:30:51 ------------

Edited by indireneedofhelp, 31 May 2008 - 01:09 AM.
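A small triage script for the O23 service lines in the log above, added here as an example; it is not part of this post, nor of HijackThis or Deckard's System Scanner. It assumes the line format shown in the log, works on a constructed sample copied from the entries above, and the scoring rules (no publisher, missing binary, per-user Temp path, random all-caps name) are heuristics chosen for this example, not HijackThis's own. The stale Symantec entry shows why a single indicator is not enough on its own.

```python
"""Triage of HijackThis 'O23 - Service:' lines.

Added example: not part of the forum post, nor of HijackThis or Deckard's
System Scanner. The line format is assumed from the log above; the scoring
rules are heuristics chosen for this example.
"""
import re

# Constructed sample: five O23 entries copied from the log in this post.
SAMPLE_LOG = r"""
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: ECPOGMZIDF - Unknown owner - C:\Users\PC-LAW\AppData\Local\Temp\ECPOGMZIDF.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: VZDWKYLIQ - Unknown owner - C:\Users\PC-LAW\AppData\Local\Temp\VZDWKYLIQ.exe (file missing)
"""

# O23 - Service: <display name> [(<service name>)] - <owner> - <binary path> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# Binary parked in a per-user Temp folder: no legitimate service installs there.
TEMP_PATH_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Random-looking name: eight or more capital letters and nothing else (heuristic).
RANDOM_NAME_RE = re.compile(r"^[A-Z]{8,}$")


def triage_service(line):
    """Parse one O23 line and score it; returns None for non-O23 lines."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    name = m.group("name") or m.group("display")
    reasons = []
    if m.group("owner").strip().lower() == "unknown owner":
        reasons.append("no publisher recorded for the binary")
    if m.group("missing"):
        reasons.append("binary not on disk (hidden, deleted, or stale entry)")
    if TEMP_PATH_RE.search(m.group("path")):
        reasons.append("binary path is in a per-user Temp folder")
    if RANDOM_NAME_RE.match(name):
        reasons.append("random-looking all-caps service name")
    return {"name": name, "path": m.group("path"), "reasons": reasons, "score": len(reasons)}


def triage_log(text):
    """Score every O23 line in a log, most suspicious first."""
    results = [r for r in (triage_service(l) for l in text.splitlines()) if r]
    return sorted(results, key=lambda r: r["score"], reverse=True)


def flagged(text, threshold=3):
    """Names of services that hit at least `threshold` indicators.

    A single indicator is weak on its own: the Symantec entry above is
    'Unknown owner' with a missing file, but that is the usual leftover of an
    uninstalled product and scores only 2. The Temp-folder entries score 4.
    """
    return [r["name"] for r in triage_log(text) if r["score"] >= threshold]


if __name__ == "__main__":
    for r in triage_log(SAMPLE_LOG):
        print(f"{r['score']}  {r['name']:<20} {r['path']}")
        for why in r["reasons"]:
            print(f"      - {why}")
    print("flag for review:", flagged(SAMPLE_LOG))
```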



#2 Jacee

Jacee

    Bleeping around


  • Malware Response Team
  • 3,714 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:02:27 AM

Posted 31 May 2008 - 04:26 PM

indireneedofhelp, if you haven't done so, go to a known, clean computer and change all your passwords. Be particularly careful about sensitive and personal information that you may have used or will use online with this machine....Credit Card numbers and Banking!

I don't see an active antivirus program.
Please download free Avira Antivirus (you can update it to Premium later if you wish to):
http://www.free-av.com/en/download/index.html

I also don't see an active firewall...please make sure that Vista's firewall is turned on in the Security Center! Click on the 'start orb', then click on 'control panel' to find the "Security Center".

Next,
Download SUPERAntiSpyware Home Edition (free version):
SUPERAntiSpyware Home Edition (free version)

Install it and double-click the icon on your desktop to run it.
It will ask if you want to update the program definitions, click Yes.

***Close all other browser windows before scanning
  • Under Configuration and Preferences, click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked:
    • Scan for tracking cookies
    • Terminate memory threats before quarantining.
    Please leave the others unchecked.
  • Click the Close button to leave the control center screen.
  • On the main screen, under Scan for Harmful Software, click Scan your computer.
  • On the left check C:\Fixed Drive.
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete a summary box will appear. Click OK.
  • Make sure everything in the white box has a check next to it, then click Next.
  • It will quarantine what it found and if it asks if you want to reboot, click Yes.

To retrieve the removal information, please do the following:
  • After reboot, double-click the SUPERAntiSpyware icon on your desktop.
  • Click Preferences. Click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • It will open in your default text editor (such as Notepad/Wordpad).
  • Highlight everything in the notepad, then right-click and choose copy.
  • Click close and close again to exit the program.

Please copy and paste that information here with a new HijackThis log.

MS MVP Windows-Security 2006-2016
Member of UNITE, the Unified Network of Instructors and Trusted Eliminators

Admin PC Pitstop


#3 indireneedofhelp

  • Topic Starter
  • Members
  • 13 posts

Posted 02 June 2008 - 05:11 PM

The only other computer I have is a Mac, but it's been acting weird lately too. They were hooked up to the same network and I think it must have something on it too... is there a HijackThis for Mac?? I'm in the process of cleaning my desktop right now. Thank you for the advice about the credit cards. Although I was a little bit too late, I'm glad I caught it before it got worse. Thanks again
DW

#4 indireneedofhelp

  • Topic Starter
  • Members
  • 13 posts

Posted 02 June 2008 - 05:35 PM

I don't know if this is any help, but I did a scan on the Mac and it's not looking good??? It's also the computer I used to change my passwords. Should I go to, like, Kinko's and change them again?


Last login: Mon Jun 2 18:30:08 on ttys001
daniel-weinsteins-macbook:~ DBW1123$ clear
daniel-weinsteins-macbook:~ DBW1123$ touch /tmp/rkhunter.0.log && echo OS X Rootkit Hunter needs to be started with administrator privileges, please authenticate first. > /tmp/rkhunter.0.log && clear && tail -f /tmp/rkhunter.0.log
OS X Rootkit Hunter needs to be started with administrator privileges, please authenticate first.
[ Rootkit Hunter version 1.3.0 ]
Running Rootkit Hunter version 1.3.0 on daniel-weinsteins-macbook

Checking system commands...

Performing 'strings' command checks
Checking 'strings' command [ OK ]

Performing 'shared libraries' checks
Checking for preloading variables [ None found ]
Checking for preload file [ Not found ]
Checking LD_LIBRARY_PATH variable [ Skipped ]

Performing file properties checks
Checking for prerequisites [ Warning ]
The (command properties test) is not completly supported in this version of OSX rootkit hunter
/bin/bash [ OK ]
/bin/cat [ OK ]
/bin/chmod [ OK ]
/bin/cp [ OK ]
/bin/csh [ OK ]
/bin/date [ OK ]
/bin/df [ OK ]
/bin/echo [ OK ]
/bin/ed [ OK ]
/bin/kill [ OK ]
/bin/ls [ OK ]
/bin/mv [ OK ]
/bin/ps [ OK ]
/bin/pwd [ OK ]
/bin/sh [ OK ]
/bin/test [ OK ]
/usr/bin/awk [ OK ]
/usr/bin/basename [ OK ]
/usr/bin/curl [ OK ]
/usr/bin/cut [ OK ]
/usr/bin/diff [ OK ]
/usr/bin/dirname [ OK ]
/usr/bin/du [ OK ]
/usr/bin/egrep [ OK ]
/usr/bin/env [ OK ]
/usr/bin/fgrep [ OK ]
/usr/bin/file [ OK ]
/usr/bin/find [ OK ]
/usr/bin/grep [ OK ]
/usr/bin/groups [ OK ]
/usr/bin/head [ OK ]
/usr/bin/id [ OK ]
/usr/bin/killall [ OK ]
/usr/bin/last [ OK ]
/usr/bin/less [ OK ]
/usr/bin/locate [ OK ]
/usr/bin/logger [ OK ]
/usr/bin/login [ OK ]
/usr/bin/mail [ OK ]
/usr/bin/mktemp [ OK ]
/usr/bin/more [ OK ]
/usr/bin/newgrp [ OK ]
/usr/bin/passwd [ OK ]
/usr/bin/perl [ OK ]
/usr/bin/readlink [ OK ]
/usr/bin/sed [ OK ]
/usr/bin/sort [ OK ]
/usr/bin/stat [ OK ]
/usr/bin/strings [ OK ]
/usr/bin/su [ OK ]
/usr/bin/sudo [ OK ]
/usr/bin/tail [ OK ]
/usr/bin/top [ OK ]
/usr/bin/touch [ OK ]
/usr/bin/tr [ OK ]
/usr/bin/uname [ OK ]
/usr/bin/uniq [ OK ]
/usr/bin/users [ OK ]
/usr/bin/w [ OK ]
/usr/bin/wc [ OK ]
/usr/bin/whatis [ OK ]
/usr/bin/whereis [ OK ]
/usr/bin/which [ OK ]
/usr/bin/who [ OK ]
/usr/bin/whoami [ OK ]
/sbin/dmesg [ OK ]
/sbin/ifconfig [ OK ]
/sbin/md5 [ OK ]
/sbin/mount [ OK ]
/sbin/nologin [ OK ]
/usr/sbin/chown [ OK ]
/usr/sbin/chroot [ OK ]
/usr/sbin/cron [ OK ]
/usr/sbin/lsof [ OK ]
/usr/sbin/netstat [ OK ]
/usr/sbin/newsyslog [ OK ]
/usr/sbin/sysctl [ OK ]
/usr/sbin/syslogd [ OK ]
/usr/sbin/vipw [ OK ]
/usr/libexec/tcpd [ OK ]

Checking for rootkits...

Performing check of known rootkit files and directories
55808 Trojan - Variant A [ Not found ]
ADM Worm [ Not found ]
AjaKit Rootkit [ Not found ]
aPa Kit [ Not found ]
Apache Worm [ Not found ]
Ambient (ark) Rootkit [ Not found ]
Balaur Rootkit [ Not found ]
BeastKit Rootkit [ Not found ]
beX2 Rootkit [ Not found ]
BOBKit Rootkit [ Not found ]
CiNIK Worm (Slapper.B variant) [ Not found ]
Danny-Boy's Abuse Kit [ Not found ]
Devil RootKit [ Not found ]
Dica-Kit Rootkit [ Not found ]
Dreams Rootkit [ Not found ]
Duarawkz Rootkit [ Not found ]
Enye LKM [ Not found ]
Flea Linux Rootkit [ Not found ]
FreeBSD Rootkit [ Not found ]
bleep`it Rootkit [ Not found ]
GasKit Rootkit [ Not found ]
Heroin LKM [ Not found ]
HjC Kit [ Not found ]
ignoKit Rootkit [ Not found ]
ImperalsS-FBRK Rootkit [ Not found ]
Irix Rootkit [ Not found ]
Kitko Rootkit [ Not found ]
Knark Rootkit [ Not found ]
Li0n Worm [ Not found ]
Lockit / LJK2 Rootkit [ Not found ]
Mood-NT Rootkit [ Not found ]
MRK Rootkit [ Not found ]
Ni0 Rootkit [ Not found ]
Ohhara Rootkit [ Not found ]
Optic Kit (Tux) Worm [ Not found ]
Oz Rootkit [ Not found ]
Phalanx Rootkit [ Not found ]
Portacelo Rootkit [ Not found ]
R3dstorm Toolkit [ Not found ]
RH-Sharpe's Rootkit [ Not found ]
RSHA's Rootkit [ Not found ]
Scalper Worm [ Not found ]
Sebek LKM [ Not found ]
Shutdown Rootkit [ Not found ]
SHV4 Rootkit [ Not found ]
SHV5 Rootkit [ Not found ]
Sin Rootkit [ Not found ]
Slapper Worm [ Not found ]
Sneakin Rootkit [ Not found ]
Suckit Rootkit [ Not found ]
SunOS Rootkit [ Not found ]
SunOS / NSDAP Rootkit [ Not found ]
Superkit Rootkit [ Not found ]
TBD (Telnet BackDoor) [ Not found ]
TeLeKiT Rootkit [ Not found ]
T0rn Rootkit [ Not found ]
Trojanit Kit [ Not found ]
Tuxtendo Rootkit [ Not found ]
URK Rootkit [ Not found ]
VcKit Rootkit [ Not found ]
Volc Rootkit [ Not found ]
X-Org SunOS Rootkit [ Not found ]
zaRwT.KiT Rootkit [ Not found ]

Performing additional rootkit checks
Checking for possible rootkit files and directories [ None found ]

Performing malware checks
Checking running processes for suspicious files [ None found ]
Checking for hidden processes [ Skipped ]
Checking for login backdoors [ None found ]
Checking for suspicious directories [ None found ]
Checking for sniffer log files [ None found ]

Checking the network...

Performing check for backdoor ports
Checking for UDP port 2001 [ Not found ]
Checking for TCP port 2006 [ Not found ]
Checking for TCP port 2128 [ Not found ]
Checking for TCP port 14856 [ Not found ]
Checking for TCP port 47107 [ Not found ]
Checking for TCP port 60922 [ Not found ]

Now we run an additional connection check, to inform you about used and listen tcp-ports
and their appropriate process/commands. - This additional check was created by Christian Hornung

There is a LISTEN tcp Port localhost:ipp created by Process/Command: cupsd
There is a LISTEN tcp Port localhost:ipp created by Process/Command: launchd

FYI, named services are described in the file /etc/services



Performing checks on the network interfaces
Checking for promiscuous interfaces [ None found ]

Checking the local host...

Performing group and account checks
Checking for passwd file [ Found ]
Checking for root equivalent (UID 0) accounts [ None found ]
Checking for passwordless accounts [ None found ]
Checking for passwd file changes [ None found ]
Checking for group file changes [ None found ]
Checking root account shell history files [ None found ]

Performing system configuration file checks
Checking for SSH configuration file [ Found ]
Checking if SSH root access is allowed [ OK ]
Checking if SSH protocol v1 is allowed [ Not allowed ]
Checking for running syslog daemon [ Found ]
Checking for syslog configuration file [ Found ]
Checking if syslog remote logging is allowed [ Warning ]
Syslog configuration file allows remote logging: install.* @127.0.0.1:32376

Performing filesystem checks
Checking /dev for suspicious file types [ None found ]
Checking for hidden files and directories [ Warning ]
Hidden file found: /usr/share/man/man5/.rhosts.5.gz: gzip compressed data, was ".rhosts.5", from Unix, last modified: Thu Sep 27 21:49:57 2007

Checking application versions...

Checking version of Apache [ OK ]
Checking version of Bind DNS [ OK ]
Checking version of OpenSSL [ OK ]
Checking version of PHP [ OK ]
Checking version of Procmail MTA [ OK ]
Checking version of OpenSSH [ OK ]


System checks summary
=====================

File properties checks...
Required commands check failed
Files checked: 80
Suspect files: 0

Rootkit checks...
Rootkits checked : 77
Possible rootkits: 0

Applications checks...
Applications checked: 6
Suspect applications: 0

The system checks took: 59 seconds

All results have been written to the logfile (/tmp/rkhunter.log)

One or more warnings have been found while checking the system.
Please check the log file (/tmp/rkhunter.log)

Many thanks to the founder and developer of the original rootkit hunter:
Michael Boelen from www.rootkit.nl

To exit press ctrl+c and then ctrl+d

#5 indireneedofhelp

  • Topic Starter
  • Members
  • 13 posts

Posted 02 June 2008 - 05:48 PM

The SUPERAntiSpyware keeps giving me a Windows Installer error that says: "The Windows Installer service could not be accessed. This can occur if the Windows Installer is not installed correctly. Contact your support personnel for assistance." However, I was able to install the antivirus and run a scan with that. I will post another HijackThis log once the scan is through.

Additionally, I posted the only other computer I have access to, but for some reason I think it has some spyware on it as well. I used this computer to change my passwords... should I go to, like, Kinko's or someplace like that and use those computers? If you could, please tell me if the Mac is safe to use?? Thanks a bunch
DW

#6 indireneedofhelp

  • Topic Starter
  • Members
  • 13 posts

Posted 02 June 2008 - 06:08 PM

Here is the scan from the antivirus you gave me:


Avira AntiVir Personal
Report file date: Monday, June 02, 2008 18:35

Scanning for 1306923 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows Vista
Windows version: (plain) [6.0.6000]
Boot mode: Normally booted
Username: SYSTEM
Computer name: PC-LAW-PC

Version information:
BUILD.DAT : 8.1.00.295 16479 Bytes 4/9/2008 16:24:00
AVSCAN.EXE : 8.1.2.12 311553 Bytes 3/18/2008 15:02:56
AVSCAN.DLL : 8.1.1.0 53505 Bytes 2/7/2008 14:43:37
LUKE.DLL : 8.1.2.9 151809 Bytes 2/28/2008 14:41:23
LUKERES.DLL : 8.1.2.1 12033 Bytes 2/21/2008 14:28:40
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 16:33:34
ANTIVIR1.VDF : 7.0.3.2 5447168 Bytes 3/7/2008 19:08:58
ANTIVIR2.VDF : 7.0.4.120 2206720 Bytes 6/1/2008 22:30:12
ANTIVIR3.VDF : 7.0.4.127 41472 Bytes 6/2/2008 22:30:14
Engineversion : 8.1.0.51
AEVDF.DLL : 8.1.0.5 102772 Bytes 2/25/2008 15:58:21
AESCRIPT.DLL : 8.1.0.37 270715 Bytes 6/2/2008 22:30:40
AESCN.DLL : 8.1.0.20 119157 Bytes 6/2/2008 22:30:38
AERDL.DLL : 8.1.0.20 418165 Bytes 6/2/2008 22:30:37
AEPACK.DLL : 8.1.1.5 364918 Bytes 6/2/2008 22:30:35
AEOFFICE.DLL : 8.1.0.18 192890 Bytes 6/2/2008 22:30:32
AEHEUR.DLL : 8.1.0.29 1253750 Bytes 6/2/2008 22:30:30
AEHELP.DLL : 8.1.0.15 115063 Bytes 6/2/2008 22:30:22
AEGEN.DLL : 8.1.0.25 307573 Bytes 6/2/2008 22:30:21
AEEMU.DLL : 8.1.0.6 430451 Bytes 6/2/2008 22:30:18
AECORE.DLL : 8.1.0.30 168311 Bytes 6/2/2008 22:30:16
AVWINLL.DLL : 1.0.0.7 14593 Bytes 1/23/2008 23:07:53
AVPREF.DLL : 8.0.0.1 25857 Bytes 2/18/2008 16:37:50
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 19:26:47
AVREG.DLL : 8.0.0.0 30977 Bytes 1/23/2008 23:07:49
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 14:29:23
AVEVTLOG.DLL : 8.0.0.11 114945 Bytes 2/28/2008 14:31:31
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/22/2008 23:28:02
SMTPLIB.DLL : 1.2.0.19 28929 Bytes 1/23/2008 23:08:39
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 18:05:10
RCIMAGE.DLL : 8.0.0.35 2371841 Bytes 3/10/2008 20:37:25
RCTEXT.DLL : 8.0.32.0 86273 Bytes 3/6/2008 18:02:11

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, D:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Monday, June 02, 2008 18:35

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'VSSVC.exe' - '1' Module(s) have been scanned
Scan process 'taskeng.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'infocard.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'ieuser.exe' - '1' Module(s) have been scanned
Scan process 'DisplayLinkUI.exe' - '1' Module(s) have been scanned
Scan process 'DisplayLinkManager.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'dwm.exe' - '1' Module(s) have been scanned
Scan process 'taskeng.exe' - '1' Module(s) have been scanned
Scan process 'taskeng.exe' - '1' Module(s) have been scanned
Scan process 'SearchIndexer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'LSSrvc.exe' - '1' Module(s) have been scanned
Scan process 'a2service.exe' - '1' Module(s) have been scanned
Scan process 'a2service.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'DisplayLinkService.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'SLsvc.exe' - '1' Module(s) have been scanned
Scan process 'audiodg.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsm.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'wininit.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
45 processes with 45 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '3' files ).


Starting the file scan:

Begin scan in 'C:\' <COMPAQ>
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Users\PC-LAW\Desktop\SmitfraudFix.exe
[DETECTION] Contains detection pattern of the dropper DR/Tool.Reboot.F.8
[NOTE] The file was moved to '48ad7930.qua'!
Begin scan in 'D:\' <RECOVERY>


End of the scan: Monday, June 02, 2008 19:01
Used time: 25:47 min

The scan has been done completely.

9464 Scanning directories
134378 Files were scanned
1 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
1 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
134377 Files not concerned
803 Archives were scanned
1 Warnings
1 Notes




#7 Jacee

Jacee

    Bleeping around


  • Malware Response Team
  • 3,714 posts
  • Gender:Female
  • Local time:02:27 AM

Posted 03 June 2008 - 10:20 AM

I would not recommend using a 'public' computer to change your passwords for personal, identity accounts!

Please post a fresh HJT log.

MS MVP Windows-Security 2006-2016
Member of UNITE, the Unified Network of Instructors and Trusted Eliminators

Admin PC Pitstop


#8 indireneedofhelp

indireneedofhelp
  • Topic Starter

  • Members
  • 13 posts
  • Local time:06:27 AM

Posted 03 June 2008 - 04:55 PM

How do I make my computer private? They are the only ones I have.

#9 indireneedofhelp

indireneedofhelp
  • Topic Starter

  • Members
  • 13 posts
  • Local time:06:27 AM

Posted 03 June 2008 - 05:16 PM

Deckard's System Scanner v20071014.68
Run by PC-LAW on 2008-06-03 18:12:11
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 82% (more than 75%).
Total Physical Memory: 503 MiB (1024 MiB recommended).


-- HijackThis (run as PC-LAW.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:13:12, on 6/3/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wuauclt.exe
C:\Users\PC-LAW\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4YLVTN0R\dss[1].exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\PC-LAW.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O23 - Service: a-squared Anti-Dialer Service (a2AntiDialer) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Dialer\a2service.exe
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: DisplayLink Service (DisplayLinkService) - DisplayLink Corp. - C:\Program Files\DisplayLink Core Software\DisplayLinkService.exe
O23 - Service: ECPOGMZIDF - Unknown owner - C:\Users\PC-LAW\AppData\Local\Temp\ECPOGMZIDF.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: VZDWKYLIQ - Unknown owner - C:\Users\PC-LAW\AppData\Local\Temp\VZDWKYLIQ.exe (file missing)

--
End of file - 3935 bytes

-- Files created between 2008-05-03 and 2008-06-03 -----------------------------

2008-06-02 19:02:24 0 d-------- C:\Users\All Users\Uniblue
2008-06-02 19:02:05 0 d-------- C:\Program Files\Uniblue
2008-06-02 18:36:44 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-02 18:26:32 0 d-------- C:\Users\All Users\Avira
2008-06-02 18:26:31 0 d-------- C:\Program Files\Avira
2008-06-01 19:03:36 0 d-------- C:\System Volume Information
2008-05-31 01:18:12 0 d-------- C:\Windows\system32\Kaspersky Lab
2008-05-30 02:45:15 0 d-------- C:\Program Files\Trend Micro
2008-05-30 02:23:27 0 d-------- C:\Program Files\a-squared HiJackFree
2008-05-30 02:12:40 0 d-------- C:\Program Files\a-squared Free
2008-05-30 02:02:57 0 d-------- C:\Program Files\a-squared Anti-Dialer
2008-05-29 07:20:22 0 d-------- C:\Program Files\RootKit Hook Analyzer
2008-05-29 06:37:53 1524224 --a------ C:\Windows\system32\wucltux.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-05-29 06:32:21 0 d-------- C:\Program Files\Sophos
2008-05-29 05:08:43 1680 --a------ C:\Windows\system32\tmp.reg
2008-05-29 05:08:24 25600 --a------ C:\Windows\system32\WS2Fix.exe
2008-05-29 05:08:24 289144 --a------ C:\Windows\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-05-29 05:08:24 86528 --a------ C:\Windows\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-05-29 05:08:24 288417 --a------ C:\Windows\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-05-29 05:08:24 53248 --a------ C:\Windows\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-05-29 05:08:24 82944 --a------ C:\Windows\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-05-29 05:08:24 51200 --a------ C:\Windows\system32\dumphive.exe
2008-05-29 05:08:24 82944 --a------ C:\Windows\system32\404Fix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-05-29 03:30:42 0 d-------- C:\Windows\system32\URTTemp
2008-05-29 03:30:25 0 d-------- C:\Program Files\SuperAdBlocker.com
2008-05-29 03:22:40 0 d-------- C:\Users\All Users\PrevxCSI
2008-05-29 01:48:42 0 d-------- C:\perflogs
2008-05-29 01:33:03 0 d--hs---- C:\found.000
2008-05-29 01:27:42 0 d-------- C:\Windows\SoftwareDistribution
2008-05-29 01:25:48 0 dr------- C:\Users\DBW-LAW\Searches
2008-05-29 01:25:33 0 dr------- C:\Users\DBW-LAW\Contacts
2008-05-29 01:25:21 0 d--hs---- C:\Users\DBW-LAW\Templates
2008-05-29 01:25:21 0 d--hs---- C:\Users\DBW-LAW\Local Settings
2008-05-29 01:25:20 0 d--hs---- C:\Users\DBW-LAW\Start Menu
2008-05-29 01:25:20 0 d--hs---- C:\Users\DBW-LAW\SendTo
2008-05-29 01:25:20 0 d--hs---- C:\Users\DBW-LAW\Recent
2008-05-29 01:25:20 0 d--hs---- C:\Users\DBW-LAW\PrintHood
2008-05-29 01:25:20 0 d--hs---- C:\Users\DBW-LAW\NetHood
2008-05-29 01:25:20 0 d--hs---- C:\Users\DBW-LAW\My Documents
2008-05-29 01:25:20 0 d--hs---- C:\Users\DBW-LAW\Cookies
2008-05-29 01:25:20 0 d--hs---- C:\Users\DBW-LAW\Application Data
2008-05-29 01:25:19 0 dr------- C:\Users\DBW-LAW\Videos
2008-05-29 01:25:19 0 dr------- C:\Users\DBW-LAW\Saved Games
2008-05-29 01:25:19 0 dr------- C:\Users\DBW-LAW\Pictures
2008-05-29 01:25:19 0 dr------- C:\Users\DBW-LAW\Music
2008-05-29 01:25:19 0 dr------- C:\Users\DBW-LAW\Links
2008-05-29 01:25:19 0 dr------- C:\Users\DBW-LAW\Favorites
2008-05-29 01:25:19 0 dr------- C:\Users\DBW-LAW\Downloads
2008-05-29 01:25:19 0 dr------- C:\Users\DBW-LAW\Documents
2008-05-29 01:25:19 0 dr------- C:\Users\DBW-LAW\Desktop
2008-05-29 01:25:19 0 d--h----- C:\Users\DBW-LAW\AppData
2008-05-29 01:25:18 786432 --ahs---- C:\Users\DBW-LAW\NTUSER.DAT
2008-05-29 01:11:50 417792 --a------ C:\Windows\system32\Cmeau106.exe <Not Verified; C-MEDIA; CmeAu Application>
2008-05-29 01:11:22 65536 --a------ C:\Windows\VMix.dll
2008-05-29 01:11:04 0 d-------- C:\Program Files\TOSHIBA Video Dock
2008-05-29 01:10:17 0 d-------- C:\Program Files\DisplayLink Core Software
2008-05-29 01:09:14 0 d-------- C:\Program Files\TOSHIBA
2008-05-28 22:50:20 0 dr------- C:\Users\PC-LAW\Searches
2008-05-28 22:50:07 0 dr------- C:\Users\PC-LAW\Contacts
2008-05-28 22:48:20 44 --a------ C:\Windows\system\hpsysdrv.dat
2008-05-28 22:44:45 0 d--hs---- C:\Users\PC-LAW\Templates
2008-05-28 22:44:45 0 d--hs---- C:\Users\PC-LAW\Start Menu
2008-05-28 22:44:45 0 d--hs---- C:\Users\PC-LAW\SendTo
2008-05-28 22:44:45 0 d--hs---- C:\Users\PC-LAW\Recent
2008-05-28 22:44:45 0 d--hs---- C:\Users\PC-LAW\PrintHood
2008-05-28 22:44:45 0 d--hs---- C:\Users\PC-LAW\NetHood
2008-05-28 22:44:45 0 d--hs---- C:\Users\PC-LAW\My Documents
2008-05-28 22:44:45 0 d--hs---- C:\Users\PC-LAW\Local Settings
2008-05-28 22:44:45 0 d--hs---- C:\Users\PC-LAW\Cookies
2008-05-28 22:44:45 0 d--hs---- C:\Users\PC-LAW\Application Data
2008-05-28 22:44:44 0 dr------- C:\Users\PC-LAW\Videos
2008-05-28 22:44:44 0 dr------- C:\Users\PC-LAW\Saved Games
2008-05-28 22:44:44 0 dr------- C:\Users\PC-LAW\Pictures
2008-05-28 22:44:44 1048576 --ahs---- C:\Users\PC-LAW\NTUSER.DAT
2008-05-28 22:44:44 0 dr------- C:\Users\PC-LAW\Music
2008-05-28 22:44:44 0 dr------- C:\Users\PC-LAW\Links
2008-05-28 22:44:44 0 dr------- C:\Users\PC-LAW\Favorites
2008-05-28 22:44:44 0 dr------- C:\Users\PC-LAW\Downloads
2008-05-28 22:44:44 0 dr------- C:\Users\PC-LAW\Documents
2008-05-28 22:44:44 0 dr------- C:\Users\PC-LAW\Desktop
2008-05-28 22:44:44 0 d--h----- C:\Users\PC-LAW\AppData
2008-05-28 22:37:34 0 d--hs---- C:\Users\Default\Templates
2008-05-28 22:37:34 0 d--hs---- C:\Users\Default\Start Menu
2008-05-28 22:37:34 0 d--hs---- C:\Users\Default\SendTo
2008-05-28 22:37:34 0 d--hs---- C:\Users\Default\Recent
2008-05-28 22:37:34 0 d--hs---- C:\Users\Default\PrintHood
2008-05-28 22:37:34 0 d--hs---- C:\Users\Default\NetHood
2008-05-28 22:37:34 0 d--hs---- C:\Users\Default\Local Settings
2008-05-28 22:37:34 0 d--hs---- C:\Users\Default\Cookies
2008-05-28 22:37:34 0 d--hs---- C:\Users\All Users\Templates
2008-05-28 22:37:34 0 d--hs---- C:\Users\All Users\Start Menu
2008-05-28 22:37:34 0 d--hs---- C:\Users\All Users\Favorites
2008-05-28 22:37:34 0 d--hs---- C:\Users\All Users\Documents
2008-05-28 22:37:34 0 d--hs---- C:\Users\All Users\Desktop
2008-05-28 22:37:34 0 d--hs---- C:\Users\All Users\Application Data
2008-05-28 22:37:34 0 d--hs---- C:\Documents and Settings
2008-05-28 22:37:33 0 d--hs---- C:\Users\Default\My Documents
2008-05-28 22:37:33 0 d--hs---- C:\Users\Default\Application Data


-- Find3M Report ---------------------------------------------------------------

2008-06-02 19:02:22 0 d-------- C:\Users\PC-LAW\AppData\Roaming\Uniblue
2008-06-02 18:36:44 0 d-------- C:\Program Files\Common Files
2008-05-30 21:45:41 0 d-------- C:\Program Files\Windows Mail
2008-05-30 21:45:29 0 d-------- C:\Program Files\Windows Sidebar
2008-05-30 02:09:07 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-29 05:51:51 35 --a------ C:\Users\PC-LAW\AppData\Roaming\SetValue.bat
2008-05-29 05:51:51 691 --a------ C:\Users\PC-LAW\AppData\Roaming\GetValue.vbs
2008-05-29 05:35:38 0 d-------- C:\Users\PC-LAW\AppData\Roaming\Adobe
2008-05-29 03:31:52 0 d-------- C:\Users\PC-LAW\AppData\Roaming\SuperAdBlocker.com
2008-05-29 02:58:31 98 --a------ C:\Users\PC-LAW\AppData\Roaming\wklnhst.dat
2008-05-29 02:19:45 0 d-------- C:\Users\PC-LAW\AppData\Roaming\Template
2008-05-28 23:30:41 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-28 23:30:40 0 d-------- C:\Program Files\Compaq Connections
2008-05-28 23:20:25 0 d-------- C:\Program Files\Hewlett-Packard
2008-05-28 23:18:33 0 d-------- C:\Program Files\Common Files\InstallShield
2008-05-28 23:18:18 0 d-------- C:\Program Files\HP
2008-05-28 23:11:47 0 d-------- C:\Program Files\Yahoo!
2008-05-28 23:11:04 0 d-------- C:\Program Files\Common Files\Real
2008-05-28 23:11:03 0 d-------- C:\Program Files\Real
2008-05-28 23:10:59 0 d-------- C:\Users\PC-LAW\AppData\Roaming\Real
2008-05-28 22:52:29 0 d-------- C:\Users\PC-LAW\AppData\Roaming\Hewlett-Packard
2008-05-28 22:50:10 0 d-------- C:\Users\PC-LAW\AppData\Roaming\Identities
2008-05-28 22:48:13 0 d-------- C:\Users\PC-LAW\AppData\Roaming\Macromedia


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [02/12/2008 10:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uniblue SpyEraser"="C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" [04/02/2008 09:50]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc wlansvc EMDMgmt TabletInputService WPDBusEnum
LocalServiceNoNetwork PLA DPS BFE mpssvc

*Newly Created Service* - SSMDRV

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-06-03 18:14:42 ------------

#10 Jacee

Jacee

    Bleeping around


  • Malware Response Team
  • 3,714 posts
  • Gender:Female
  • Local time:02:27 AM

Posted 03 June 2008 - 07:46 PM

You didn't tell me what firewall you have. Are you running the Windows Vista Firewall?!! You need a software program as well as your router's built-in firewall.

Rescan with HJT, check these items:

O23 - Service: ECPOGMZIDF - Unknown owner - C:\Users\PC-LAW\AppData\Local\Temp\ECPOGMZIDF.exe (file missing)
O23 - Service: VZDWKYLIQ - Unknown owner - C:\Users\PC-LAW\AppData\Local\Temp\VZDWKYLIQ.exe (file missing)


Close all windows except HJT, then click 'fix checked'. Exit HJT...

Next, let's see if we can get rid of the Smitfraudfix leftovers.

Copy the following text inside the code box to a new Notepad file (not WordPad).
Save it to the desktop with the file name cleanit.bat, as file type: All files (*).

rem cleanit.bat - removes the files SmitfraudFix dropped into system32
del C:\Windows\system32\tmp.reg
del C:\Windows\system32\WS2Fix.exe
del C:\Windows\system32\VCCLSID.exe
del C:\Windows\system32\VACFix.exe
del C:\Windows\system32\SrchSTS.exe
del C:\Windows\system32\Process.exe
del C:\Windows\system32\dumphive.exe
del C:\Windows\system32\404Fix.exe
del C:\Windows\system32\IEDFix.exe
del C:\Utilities\SmitfraudFix.exe
rem keep the window open so the "file cannot be found" messages can be read
pause

When you see it saved on your desktop, double-click it and let it run.
You will see a black "DOS box" pop up and several commands run.
Don't worry if you see several "file cannot be found" or similar messages.

Once done you will be prompted to "press any key" and the "DOS" window should close.

Please reboot/ restart your computer normally.

Try to run SuperAntiSpyware now, as I instructed above.
Post the log and a fresh HJT log.

Also, tell me what your machine is doing now....

Edited by Jacee, 03 June 2008 - 07:48 PM.

MS MVP Windows-Security 2006-2016
Member of UNITE, the Unified Network of Instructors and Trusted Eliminators

Admin PC Pitstop
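The two O23 lines singled out above share the pattern a malware-response helper looks for by eye: a service with a random all-capitals name, "Unknown owner", an executable under the user's AppData\Local\Temp folder, and the file already gone. As an added example (this is not code from the thread, from HijackThis or from Deckard's System Scanner), the Python below applies that triage to the O23 lines of the posted log. The sample lines are copied from the log above; the indicator weights, the verdict thresholds, the assumption that an O23 line with no "(name)" in parentheses uses its display name as the service key, and the `sc stop`/`sc delete` pair as the manual equivalent of HJT's "fix checked" are this example's own choices.

```python
"""Triage the O23 (service) lines of a HijackThis log.

Added example for this thread; not HijackThis, DSS or BleepingComputer
code. Weights, thresholds and the display-name-as-key assumption are the
example's own.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: four O23 lines copied from the posted HJT log.
SAMPLE_LOG = r"""
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: ECPOGMZIDF - Unknown owner - C:\Users\PC-LAW\AppData\Local\Temp\ECPOGMZIDF.exe (file missing)
O23 - Service: VZDWKYLIQ - Unknown owner - C:\Users\PC-LAW\AppData\Local\Temp\VZDWKYLIQ.exe (file missing)
"""

# HJT O23 layout: "O23 - Service: <display> (<key>) - <owner> - <path> (file missing)"
# where "(<key>)" and "(file missing)" are optional.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<key>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
TEMP_RE = re.compile(r"\\Temp\\", re.I)      # any ...\Temp\... path segment
RANDOM_KEY_RE = re.compile(r"[A-Z]{8,}")      # 8+ capitals, no digits or words

# Assumed weights: a binary in a Temp folder under a random all-caps name is
# what the helper flagged; an orphaned entry on its own (the Symantec
# leftover) is only worth a look.
WEIGHTS = {"temp_path": 3, "random_key": 2, "file_missing": 1, "unknown_owner": 1}


@dataclass
class Finding:
    key: str
    path: str
    missing: bool
    indicators: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return sum(WEIGHTS[i] for i in self.indicators)

    @property
    def verdict(self) -> str:
        if self.score >= 5:
            return "remove"
        return "review" if self.score else "ok"

    def removal_commands(self) -> List[str]:
        """Manual equivalent of HJT 'fix checked' for an O23 line (sc.exe)."""
        cmds = ['sc stop "%s"' % self.key, 'sc delete "%s"' % self.key]
        if not self.missing:
            cmds.append('del "%s"' % self.path)
        return cmds


def parse_o23(line: str) -> Optional[Finding]:
    """Return a Finding for an O23 line, or None for any other HJT line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    # Assumption: no "(key)" means the display name is the registry key.
    key = m.group("key") or m.group("display")
    f = Finding(key=key, path=m.group("path"), missing=bool(m.group("missing")))
    if TEMP_RE.search(f.path):
        f.indicators.append("temp_path")
    if RANDOM_KEY_RE.fullmatch(key):
        f.indicators.append("random_key")
    if f.missing:
        f.indicators.append("file_missing")
    if m.group("owner") == "Unknown owner":
        f.indicators.append("unknown_owner")
    return f


def triage(log_text: str) -> List[Finding]:
    """Parse every O23 line of an HJT log and score it."""
    findings = []
    for line in log_text.splitlines():
        f = parse_o23(line)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-7s %-16s %s" % (f.verdict, f.key, ", ".join(f.indicators) or "-"))
        if f.verdict == "remove":
            for c in f.removal_commands():
                print("        " + c)
```

Run it against the pasted log and the two Temp services score "remove" while the orphaned Symantec entry only scores "review", which matches the helper's choice to fix the first two and leave the third alone. The generated `sc` commands need an elevated prompt on Vista, the same reason HijackThis itself had to be run as administrator in the next post.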


#11 indireneedofhelp

indireneedofhelp
  • Topic Starter

  • Members
  • 13 posts
  • Local time:06:27 AM

Posted 05 June 2008 - 06:48 PM

First and foremost, I have Windows Vista Basic and I have the firewall on, blocking all incoming connections. However, if I go to the rules part of the firewall in the advanced firewall settings, there are many rules there that I didn't make, some with hosts, others with TCP/IP and so on.

I ran HijackThis and it gave me an error saying I had to run the program as the admin (even though I was logged on as the admin), so I did just that.

Next I ran the command you gave me and a DOS screen came up very fast and disappeared without me even having to press any key. The latest HJT scan is below.

I also have a few questions, if that's OK. How do I make my computer private? As I mentioned earlier, I have a Mac and I seem to be having problems with it as well. I use a flash drive to transfer information back and forth between the two computers, and when I plugged it into my desktop to save the HijackThis log file there were 9 ghosted files and 4 ghosted (hidden) folders. The folders are called .fseventsd, .Spotlight-V100, _.TemporaryItems and _.Trashes, and the files are called ._.Trashes, one called ._.TemporaryItems, and the rest are Word documents that are my notes from school. Should I delete these ghosted (hidden) items?

When I try to run SuperAntiSpyware on my system, the error message I receive is:
The Windows Installer Service could not be accessed. This can occur if the Windows Installer is not correctly installed. Contact your support personnel for assistance.

Thanks again for the help; it's very much appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:31:35, on 6/5/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O23 - Service: a-squared Anti-Dialer Service (a2AntiDialer) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Dialer\a2service.exe
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: DisplayLink Service (DisplayLinkService) - DisplayLink Corp. - C:\Program Files\DisplayLink Core Software\DisplayLinkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 3487 bytes

DW

Edited by indireneedofhelp, 05 June 2008 - 06:58 PM.


#12 Jacee

Posted 06 June 2008 - 10:09 AM

If you feel your Mac is infected, then you are infecting your Vista computer by transferring files with the flash drive.
Scan your USB device with Flash_Disinfector.

1. Download Flash_Disinfector:
http://www.techsupportforum.com/sectools/s...Disinfector.exe
Next:
Turn off the Autorun feature in Windows:
http://www.howtogeek.com/howto/windows/dis...and-usb-drives/
Now:
Scan your USB device.


2. Download SilentRunners... let's see what it reveals:

http://www.silentrunners.org/Silent%20Runners.zip

1. Unzip/extract the file to its own folder: C:\Silent Runners.
2. Double-click the SilentRunners.vbs inside the folder or on your desktop to start.
3. A message box will appear asking if you want to skip the supplemental searches.
4. Press "Yes" to skip [default] or "No" to include them.
5. Another message box will appear saying: "Silent Runners has started. A message box like this will appear when it's done." The tool will scan your system and create a log by default, in the same directory as the script or on your desktop. The log is named "Startup Programs (ComputerName) date/timestamp.txt".
6. When finished, the next message to appear will say: "All Done! The results are in the file..." (it will provide the full path location of the log).
7. Copy & paste the log in your next reply.

***Note: If you have a script blocking program you may get a warning asking if you want to allow the script to run. Some will say "malicious script warning" or something to that effect. There is nothing malicious about this script; you can click to allow it to execute.


WMI corruption
--------------

Silent Runners relies heavily on WMI to get information about the
registry, files and folders. It tests for WMI installation very early
in its execution, but it assumed that if WMI could be instantiated, it
was running correctly. However, a corrupt WMI installation could cause
the script to abort with an error at a specific location.

The error will now be trapped and users will be given the option of
downloading a Microsoft utility, WMIDiag.vbs, to troubleshoot their
WMI installation.

FYI, WMIDiag.vbs can be downloaded here:
http://go.microsoft.com/fwlink/?LinkId=62562



#13 indireneedofhelp

Posted 08 June 2008 - 12:57 AM

OK, to make a long story short. My computer started freezing up, so I went to the System Restore application to restore it to an earlier point in time; however, all the restore points were Windows updates from today and yesterday … around 6-8 each day. (Not sure if that's good or bad, but I thought I would inform you.) Moreover, after the System Restore utility I went back through all of your previous instructions and encountered some difficulty reinstalling Avira AntiVir on my PC (the program wouldn't install after it was downloaded; error "Not responding"). Therefore, I installed McAfee, which Comcast gave me a free license to when I contacted them to pay for the use of a high speed internet connection over a year.

Next I ran Flash_Disinfector; it looked as if everything was running smoothly. However, to my surprise, after it said done, I received an error, and when I checked the flash drive all the hidden/ghosted files were still there.

The error I received stated:

If this program didn't install correctly, try reinstalling using settings that are compatible with this version of Windows

Program: Unknown Program
Publisher: Unknown Publisher
Location: c:\Users\Pc-Law\Desktop\Flash_Disinfector.exe

I am using Windows Vista Basic and the program you gave me is correct (in regard to the compatibility with my system).... I checked! Do I reinstall using the suggested settings?

Furthermore, I have also run Silent Runners, and I had a lot of trouble finding the log file, but after 2 hrs of searching I figured it out ☺ Thanks again for the help, it is very much appreciated!

DW

"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows Vista
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Uniblue SpyEraser" = ""C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m" ["Uniblue Software"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"(Default)" = "(empty string)" [file not found]
"mcagent_exe" = "C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey" ["McAfee, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{7DB2D5A0-7241-4E79-B68D-6309F01C5231}\(Default) = "scriptproxy"
-> {HKLM...CLSID} = "scriptproxy"
\InProcServer32\(Default) = "C:\Program Files\McAfee\VirusScan\scriptsn.dll" ["McAfee, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}" = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
-> {HKLM...CLSID} = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\ONFILTER.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{7F67036B-66F1-411A-AD85-759FB9C5B0DB}" = "ShellViewRTF"
-> {HKLM...CLSID} = "ShellViewRTF"
\InProcServer32\(Default) = "C:\Windows\System32\ShellvRTF.dll" ["XSS"]
"{A155339D-CCCD-4714-85EB-3754B804C9DF}" = "a-squared Free Shell Extension"
-> {HKLM...CLSID} = "a-squared Free Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
McCtxMenu\(Default) = "{01576F39-90DE-4D6E-A068-5B20C22BAAEE}"
-> {HKLM...CLSID} = "CtxMenu Class"
\InProcServer32\(Default) = "c:\PROGRA~1\mcafee\VIRUSS~1\mcctxmnu.dll" ["McAfee, Inc."]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
a-squared Free Shell Extension\(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}"
-> {HKLM...CLSID} = "a-squared Free Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"]
McCtxMenu\(Default) = "{01576F39-90DE-4D6E-A068-5B20C22BAAEE}"
-> {HKLM...CLSID} = "CtxMenu Class"
\InProcServer32\(Default) = "c:\PROGRA~1\mcafee\VIRUSS~1\mcctxmnu.dll" ["McAfee, Inc."]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
a-squared Free Shell Extension\(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}"
-> {HKLM...CLSID} = "a-squared Free Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"ConsentPromptBehaviorAdmin" = (REG_DWORD) dword:0x00000002
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode}

"ConsentPromptBehaviorUser" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Behavior Of The Elevation Prompt For Standard Users}

"EnableInstallerDetection" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Detect Application Installations And Prompt For Elevation}

"EnableLUA" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Run All Administrators In Admin Approval Mode}

"EnableSecureUIAPaths" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Only elevate UIAccess applications that are installed in secure locations}

"EnableVirtualization" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Virtualize file and registry write failures to per-user locations}

"PromptOnSecureDesktop" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Switch to the secure desktop when prompting for elevation}

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"FilterAdministratorToken" = (REG_DWORD) dword:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Admin Approval Mode for the Built-in Administrator Account}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Windows\web\Wallpaper\img24.jpg"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\Windows\system32\logon.scr" [MS]


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

LightScribeOnArrivalAP\
"Provider" = "LightScribe Direct Disc Labeling"
"InvokeProgID" = "LightScribe.AutoPlayHandler"
"InvokeVerb" = "LabelLightScribeDisc"
HKLM\SOFTWARE\Classes\LightScribe.AutoPlayHandler\shell\LabelLightScribeDisc\command\(Default) = "c:\Program Files\Common Files\LightScribe\LsLauncher.exe" ["Hewlett-Packard Company"]

MediaCapture9Music\
"Provider" = "Media Import 9"
"InvokeProgID" = "RoxioMediaCapture9"
"InvokeVerb" = "Audio"
HKLM\SOFTWARE\Classes\RoxioMediaCapture9\shell\Audio\command\(Default) = "c:\Program Files\Roxio\Media Import 9\MediaCapture9.exe -audio %L" ["Sonic Solutions"]

MediaCapture9Photos\
"Provider" = "Media Import 9"
"InvokeProgID" = "RoxioMediaCapture9"
"InvokeVerb" = "Photo"
HKLM\SOFTWARE\Classes\RoxioMediaCapture9\shell\Photo\command\(Default) = "c:\Program Files\Roxio\Media Import 9\MediaCapture9.exe -photo %L" ["Sonic Solutions"]

MediaCapture9VideoCamera\
"Provider" = "Media Import 9"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "c:\Program Files\Roxio\Media Import 9\MediaCapture9.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "Shell Execute Hardware Event Handler"
\LocalServer32\(Default) = "C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

MediaCapture9Videos\
"Provider" = "Media Import 9"
"InvokeProgID" = "RoxioMediaCapture9"
"InvokeVerb" = "Video"
HKLM\SOFTWARE\Classes\RoxioMediaCapture9\shell\Video\command\(Default) = "c:\Program Files\Roxio\Media Import 9\MediaCapture9.exe -video %L" ["Sonic Solutions"]

RoxioSCAudioCDTask33\
"Provider" = "Roxio Creator Audio"
"InvokeProgID" = "Roxio.RoxioCentral33"
"InvokeVerb" = "AudioCDTask"
HKLM\SOFTWARE\Classes\Roxio.RoxioCentral33\shell\AudioCDTask\Command\(Default) = ""c:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\Main\Roxio_Central33.exe" /Launch {8E376824-EA6C-4CB7-AA05-A30CB84D359B}" [null data]

RoxioSCCopyCD33\
"Provider" = "Roxio Creator Copy"
"InvokeProgID" = "Roxio.RoxioCentral33"
"InvokeVerb" = "ExactCopyJob"
HKLM\SOFTWARE\Classes\Roxio.RoxioCentral33\shell\ExactCopyJob\Command\(Default) = ""c:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\Main\Roxio_Central33.exe" /Launch {6123D5C0-0B6A-4B67-A692-C0863AB98CDA}" [null data]

RoxioSCCopyDisc33\
"Provider" = "Roxio Creator Copy"
"InvokeProgID" = "Roxio.RoxioCentral33"
"InvokeVerb" = "ExactCopyJob"
HKLM\SOFTWARE\Classes\Roxio.RoxioCentral33\shell\ExactCopyJob\Command\(Default) = ""c:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\Main\Roxio_Central33.exe" /Launch {6123D5C0-0B6A-4B67-A692-C0863AB98CDA}" [null data]

RoxioSCDataProject33\
"Provider" = "Roxio Creator Data"
"InvokeProgID" = "Roxio.RoxioCentral33"
"InvokeVerb" = "DataGuide"
HKLM\SOFTWARE\Classes\Roxio.RoxioCentral33\shell\DataGuide\Command\(Default) = ""c:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\Main\Roxio_Central33.exe" /Launch Data" [null data]

RoxioSCDataTask33\
"Provider" = "Roxio Creator Data"
"InvokeProgID" = "Roxio.RoxioCentral33"
"InvokeVerb" = "DataTask"
HKLM\SOFTWARE\Classes\Roxio.RoxioCentral33\shell\DataTask\Command\(Default) = ""c:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\Main\Roxio_Central33.exe" /Launch {D085B12D-4D9B-49C2-8323-5053831CBD54}" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\system32\NLAapi.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\system32\napinsp.dll" [MS]
000000000005\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]
000000000006\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 18


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{2670000A-7350-4F3C-8081-5663EE0C6C49}\
"ButtonText" = "Send to OneNote"
"MenuText" = "S&end to OneNote"
"CLSIDExtension" = "{48E73304-E1D6-4330-914C-F5F514E3486C}"
-> {HKLM...CLSID} = "Send to OneNote from Internet Explorer button"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll" [MS]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

a-squared Anti-Dialer Service, a2AntiDialer, ""C:\Program Files\a-squared Anti-Dialer\a2service.exe"" ["Emsi Software GmbH"]
a-squared Free Service, a2free, ""C:\Program Files\a-squared Free\a2service.exe"" ["Emsi Software GmbH"]
Computer Browser, Browser, "C:\Windows\System32\svchost.exe -k netsvcs" {"C:\Windows\System32\browser.dll" [MS]}
DisplayLink Service, DisplayLinkService, ""C:\Program Files\DisplayLink Core Software\DisplayLinkService.exe"" ["DisplayLink Corp."]
Human Interface Device Access, hidserv, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\system32\hidserv.dll" [MS]}
LightScribeService Direct Disc Labeling Service, LightScribeService, ""c:\Program Files\Common Files\LightScribe\LSSrvc.exe"" ["Hewlett-Packard Company"]
McAfee Network Agent, McNASvc, ""c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe"" ["McAfee, Inc."]
McAfee Personal Firewall Service, MpfService, ""C:\Program Files\McAfee\MPF\MPFSrv.exe"" ["McAfee, Inc."]
McAfee Proxy Service, McProxy, "c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe" ["McAfee, Inc."]
McAfee Real-time Scanner, McShield, "C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe" ["McAfee, Inc."]
McAfee Services, mcmscsvc, "C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe" ["McAfee, Inc."]
McAfee SystemGuards, McSysmon, "C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe" ["McAfee, Inc."]
Windows Driver Foundation - User-mode Driver Framework, wudfsvc, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\System32\WUDFSvc.dll" [MS]}
Windows Image Acquisition (WIA), stisvc, "C:\Windows\system32\svchost.exe -k imgsvc" {"C:\Windows\System32\wiaservc.dll" [MS]}


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
LIDIL hpzlllhn\Driver = "hpzlllhn.dll" ["Hewlett-Packard Company"]
Send To Microsoft OneNote Monitor\Driver = "msonpmon.dll" [MS]


---------- (launch time: 2008-06-08 01:48:11)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 165 seconds, including 18 seconds for message boxes)
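As an added illustration (not code from the thread, from Silent Runners or from BleepingComputer), the following Python triage pass reads the report format shown in the log above: it extracts each launch point with the vendor tag the tool appends (`[MS]`, `["Company"]`, `[file not found]`, `[null data]`), carries the tool's `<<!>>` marker from a CLSID entry down to the module behind it, and decodes the UAC dwords listed under Policies\System. The excerpt it parses is constructed from lines of the same shape as the posted log; the `<<!>>` marker only says the tool considers the location worth a human look, as its legend states.

```python
import re
from collections import namedtuple

# Constructed excerpt in the Silent Runners report format posted above (not a
# real capture); the bracketed tag closing each line is what the triage keys on.
SAMPLE_LOG = r'''
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Uniblue SpyEraser" = ""C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m" ["Uniblue Software"]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"(Default)" = "(empty string)" [file not found]
"mcagent_exe" = "C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey" ["McAfee, Inc."]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS]
"{7F67036B-66F1-411A-AD85-759FB9C5B0DB}" = "ShellViewRTF"
\InProcServer32\(Default) = "C:\Windows\System32\ShellvRTF.dll" ["XSS"]
HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
"EnableLUA" = (REG_DWORD) dword:0x00000001
"FilterAdministratorToken" = (REG_DWORD) dword:0x00000000
"ConsentPromptBehaviorAdmin" = (REG_DWORD) dword:0x00000002
'''

KEY_RE = re.compile(r'^(HK[A-Z]{1,2}\\.*\\)(?: \{\+\+\})?$')
POLICY_RE = re.compile(r'^"(\w+)" = \(REG_DWORD\) dword:0x([0-9A-Fa-f]{8})$')
ENTRY_RE = re.compile(r'^(?P<flag><<!>> )?(?P<name>.+?) = (?P<value>.*?)(?: \[(?P<tag>[^\[\]]+)\])?$')
TRUSTED_TAGS = {"MS"}  # the report writes [MS] for Microsoft-signed modules
# tag: MS, a quoted company, "file not found", "null data" or ""; suspicious: <<!>> seen
LaunchPoint = namedtuple("LaunchPoint", "key name value tag suspicious")

def parse_report(text):
    """Return (launch points, UAC policy dwords) from a Silent Runners report."""
    points, policies, key, last_name, last_flag = [], {}, "", "", False
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("->"):   # blank, or a CLSID title line
            continue
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif m := POLICY_RE.match(line):
            policies[m.group(1)] = int(m.group(2), 16)
        elif m := ENTRY_RE.match(line):
            name, flag = m["name"].strip('"'), bool(m["flag"])
            if line.startswith("\\"):           # module behind the CLSID entry above it
                name, flag = f"{last_name} -> {name}", flag or last_flag
            else:
                last_name, last_flag = name, flag
            if m["tag"] or flag:                # drop title-only lines with nothing to check
                points.append(LaunchPoint(key, name, m["value"].strip('"'), m["tag"] or "", flag))
    return points, policies

def review_reasons(p):
    """Why a human should look at this launch point; an empty list means it passed."""
    reasons = ["marked <<!>> by Silent Runners"] if p.suspicious else []
    if p.tag == "file not found":
        reasons.append("launch point references a missing file")
    elif p.tag == "null data":
        reasons.append("module carries no vendor/version data")
    elif p.tag and p.tag not in TRUSTED_TAGS:
        reasons.append("non-Microsoft module (%s)" % p.tag.strip('"'))
    return reasons

ADMIN_PROMPT = {0: "elevate without prompting", 1: "credentials on secure desktop",
                2: "consent on secure desktop", 3: "credentials", 4: "consent", 5: "consent for non-Windows binaries"}

def uac_posture(policies):
    """Decode the UAC dwords; FilterAdministratorToken 0 leaves the built-in Administrator outside Admin Approval Mode."""
    return {"uac_enabled": policies.get("EnableLUA") == 1,
            "admin_prompt": ADMIN_PROMPT.get(policies.get("ConsentPromptBehaviorAdmin"), "unknown"),
            "builtin_admin_filtered": policies.get("FilterAdministratorToken") == 1}
```

Run `parse_report(SAMPLE_LOG)` and feed each entry to `review_reasons` to get a short list of points to check by hand; the Microsoft-signed Office handler comes back with no reasons, while the flagged filter entry and every non-Microsoft module do.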

#14 indireneedofhelp

Posted 13 June 2008 - 02:49 AM

HELLO?? You still helping me?? Haven't heard from you in a while???
Pls. let me know, thanks

DW

#15 Jacee

Posted 16 June 2008 - 10:47 AM

Hello indireneedofhelp, my apologies to you! I didn't receive any notification of your post on June 7th and I was away on vacation from the 12th through the 15th.
I'm still with you and will look over what you have posted....

Again, I apologize! :thumbsup:
