
Possibly Related To Msserver/explorer.exe/unknown Dll


4 replies to this topic

#1 jjake1 (Members, 3 posts)

Posted 15 June 2008 - 10:55 PM

Hi, first time I've used HJT/DSS. Will do my best to describe the circumstances.

I received a file containing a keygen.exe (...I know, how stupid of me...)
I opened that file and the exe immediately disappeared from the folder view.

New PC and I immediately ran updates for Norton 360 and windows defender.
Scanned with those and nothing detected.

My hard drive has begun working constantly and from Process Explorer it seems to be
C:\Windows\Explorer.EXE that is doing the work.

In Sysinternals Autoruns I seemed to have a new entry for:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MSServer c:\users\admin\appdata\local\temp\mljgvsmm.dll

In that local/temp folder, the last 2 files to be modified (same time on each) were:
mljgvsmm.dll
and a *.bat file called something like ****removal.bat

I renamed the bat file to *.bat.question
and attempted to rename the mljgvsmm.dll but it was in use.

The hard drive was whirring away constantly.
I ran a temp file cleaner, then removed MSServer from the autoruns list and rebooted.


The MSServer entry reappeared in Autoruns (and continues to do so after removal) with this info:
c:\users\admin\appdata\local\temp\qomdexxy.dll

I downloaded AntiVira Free and ran a scan- nothing detected.
Ran another scan, an online scan from Panda. Nothing but cookies shown in that one.

Funnily enough, AntiVira keeps detecting Panda files as infections, which I tell it to ignore.

I'm currently running a Kaspersky scan. Not yet complete but will leave that on overnight.

In Sysinternals Process Explorer it seems that C:\Windows\Explorer.EXE is very active now.

Can't tell you much more than that at the moment.
Not sure what's wrong, it just seems that my hard drive is working overtime and I'm concerned
about what happened with the keygen.exe and these MSServer startup entries.

Hope you can help and thanks in advance if you can take a look.


________________________________________________________________________________

(DSS extra.txt attached)

Deckard's System Scanner v20071014.68
Run by Admin on 2008-06-16 03:46:18
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
15: 2008-06-16 00:22:03 UTC - RP61 - Avira AntiVir Personal - 16/06/2008 01:21
14: 2008-06-15 01:54:57 UTC - RP59 - Installed Microsoft Office Excel Viewer 2003
13: 2008-06-14 18:05:09 UTC - RP58 - Scheduled Checkpoint
12: 2008-06-13 12:32:06 UTC - RP57 - Windows Update
11: 2008-06-13 01:08:17 UTC - RP56 - Windows Update


-- First Restore Point --
1: 2008-06-05 15:39:10 UTC - RP45 - Windows Vista Service Pack 1


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Admin.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:47:27, on 16/06/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Belgium Identity Card\beidsystemtray.exe
C:\Program Files\CyberLink\MagicSports\Kernel\MagicSports\MSPMirage.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Windows\System32\mobsync.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\SysInternals\Process Explorer\procexp.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Admin\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Admin.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://format.packardbell.com/cgi-bin/redi...amp;key=IESTART
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://format.packardbell.com/cgi-bin/redi...amp;key=IESTART
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Google\Google_BAE\BAE.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [beidsystemtray] C:\Program Files\Belgium Identity Card\beidsystemtray.exe
O4 - HKLM\..\Run: [MSPService] C:\Program Files\CyberLink\MagicSports\Kernel\MagicSports\MSPMirage.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Admin\AppData\Local\Temp\qoMdExxY.dll,#1
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O13 - Gopher Prefix:
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1213492825412
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1212924180677
O23 - Service: Avira AntiVir Personal Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ccEvtMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ccSetMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: eID CRL Service - Zetes - C:\Windows\system32\beidservicecrl.exe
O23 - Service: eID Privacy Service - Zetes - C:\Windows\system32\beidservicepcsc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 7425 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AntiVirScheduler (Avira AntiVir Personal Free Antivirus Scheduler) - "c:\program files\avira\antivir personaledition classic\sched.exe" <Not Verified; Avira GmbH; AntiVir Workstation>
R2 eID CRL Service - c:\windows\system32\beidservicecrl.exe <Not Verified; Zetes; .be eID Software>
R2 eID Privacy Service - c:\windows\system32\beidservicepcsc.exe <Not Verified; Zetes; .be eID Software>
R2 RichVideo (Cyberlink RichVideo Service(CRVS)) - "c:\program files\cyberlink\shared files\richvideo.exe" <Not Verified; ; RichVideo Module>
R2 x10nets (X10 Device Network Service) - c:\progra~1\common~1\x10\common\x10nets.exe <Not Verified; X10; x10 Module>

S3 stllssvr - "c:\program files\common files\surething shared\stllssvr.exe" <Not Verified; MicroVision Development, Inc.; SureThing CD Labeler>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-16 03:29:59 334 --a------ C:\Windows\Tasks\Recovery DVD Creator.job
2008-06-04 09:16:05 418 --ah----- C:\Windows\Tasks\User_Feed_Synchronization-{101A39A4-65F7-4763-915C-3E201419476C}.job


-- Files created between 2008-05-16 and 2008-06-16 -----------------------------

2008-06-16 03:17:40 0 d-------- C:\Program Files\Trend Micro
2008-06-16 01:42:51 0 d-------- C:\Program Files\Panda Security
2008-06-16 01:23:07 0 d-------- C:\Users\All Users\Avira
2008-06-16 01:23:07 0 d-------- C:\Program Files\Avira
2008-06-15 02:54:45 0 dr-h----- C:\MSOCache
2008-06-08 23:28:06 0 d-------- C:\Windows\Sun
2008-06-06 19:07:17 0 d-------- C:\Program Files\Full Tilt Poker
2008-06-05 21:03:28 0 d-------- C:\Program Files\Aida32
2008-06-05 19:17:33 0 d-------- C:\PerfLogs
2008-06-05 14:15:03 0 d-------- C:\Program Files\PokerStove
2008-06-04 22:13:19 0 d-------- C:\Program Files\7-Zip
2008-06-04 11:29:35 0 --a------ C:\Windows\nsreg.dat
2008-06-04 11:29:24 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-06-04 10:10:16 0 d-------- C:\Program Files\Packard Bell ImageWriter
2008-06-04 10:01:24 6656 --a------ C:\Windows\system32\SiSApi.dll <Not Verified; Silicon Integrated Systems Corporation; SiS ® VGA Install API>
2008-06-04 10:01:24 0 d-------- C:\Program Files\SiS VGA Utilities
2008-06-02 21:59:26 0 d-------- C:\Program Files\Poker Clients
2008-06-02 20:53:12 0 d-------- C:\Program Files\IrfanView
2008-06-02 20:10:27 0 d-------- C:\Program Files\SysInternals
2008-06-02 20:09:45 0 d-------- C:\Program Files\CCleaner
2008-06-02 19:55:55 0 d-------- C:\Program Files\Java
2008-06-02 19:33:17 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-02 17:39:46 0 --a------ C:\Windows\system32\AleUpdt.bin
2008-05-30 00:35:33 0 d-------- C:\Program Files\UltimateBet
2008-05-30 00:05:25 0 d-------- C:\UKquizmirc
2008-05-29 23:55:05 0 d-------- C:\Program Files\Common Files\Java
2008-05-29 23:47:57 0 d-------- C:\Program Files\Common Files\Adobe(5)
2008-05-29 23:47:57 0 d-------- C:\Program Files\Adobe(4)
2008-05-29 23:08:00 0 d-------- C:\Windows\PCHEALTH
2008-05-29 23:03:19 0 d------c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-29 23:03:12 0 d-------- C:\Program Files\Windows Live
2008-05-29 22:29:13 0 d-------- C:\Users\All Users\WLInstaller
2008-05-29 22:06:53 0 d-------- C:\Program Files\MSXML 4.0
2008-05-29 20:48:06 0 d-------- C:\Program Files\PokerStars
2008-05-29 16:26:57 0 dr------- C:\Users\Admin\Searches
2008-05-29 16:26:47 0 dr------- C:\Users\Admin\Contacts
2008-05-29 16:26:39 0 d--hs---- C:\Users\Admin\Templates
2008-05-29 16:26:39 0 d--hs---- C:\Users\Admin\Start Menu
2008-05-29 16:26:39 0 d--hs---- C:\Users\Admin\SendTo
2008-05-29 16:26:39 0 d--hs---- C:\Users\Admin\Recent
2008-05-29 16:26:39 0 d--hs---- C:\Users\Admin\PrintHood
2008-05-29 16:26:39 0 d--hs---- C:\Users\Admin\NetHood
2008-05-29 16:26:39 0 d--hs---- C:\Users\Admin\My Documents
2008-05-29 16:26:39 0 d--hs---- C:\Users\Admin\Local Settings
2008-05-29 16:26:39 0 d--hs---- C:\Users\Admin\Cookies
2008-05-29 16:26:39 0 d--hs---- C:\Users\Admin\Application Data
2008-05-29 16:26:38 0 dr------- C:\Users\Admin\Videos
2008-05-29 16:26:38 0 dr------- C:\Users\Admin\Saved Games
2008-05-29 16:26:38 0 dr------- C:\Users\Admin\Pictures
2008-05-29 16:26:38 1048576 --ahs---- C:\Users\Admin\ntuser.dat
2008-05-29 16:26:38 0 dr------- C:\Users\Admin\Music
2008-05-29 16:26:38 0 dr------- C:\Users\Admin\Links
2008-05-29 16:26:38 0 dr------- C:\Users\Admin\Favorites
2008-05-29 16:26:38 0 dr------- C:\Users\Admin\Downloads
2008-05-29 16:26:38 0 dr------- C:\Users\Admin\Documents
2008-05-29 16:26:38 0 dr------- C:\Users\Admin\Desktop
2008-05-29 16:26:38 0 d--h----- C:\Users\Admin\AppData


-- Find3M Report ---------------------------------------------------------------

2008-06-12 03:05:32 0 d-------- C:\Program Files\Windows Mail
2008-06-11 15:26:47 0 d-------- C:\Program Files\Google
2008-06-08 14:32:19 0 d-------- C:\Users\Admin\AppData\Roaming\Symantec
2008-06-08 12:20:57 0 d-------- C:\Users\Admin\AppData\Roaming\InstallShield
2008-06-08 12:15:39 0 d-------- C:\Program Files\Common Files
2008-06-08 12:15:30 0 d-------- C:\Users\Admin\AppData\Roaming\Skype
2008-06-07 21:54:31 0 d-------- C:\Users\Admin\AppData\Roaming\Adobe
2008-06-06 19:07:16 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-05 19:27:51 174 --ahs---- C:\Program Files\desktop.ini
2008-06-05 19:20:19 0 d-------- C:\Program Files\Windows Calendar
2008-06-05 19:20:18 0 d-------- C:\Program Files\Windows Sidebar
2008-06-05 19:20:18 0 d-------- C:\Program Files\Movie Maker
2008-06-05 19:20:14 0 d-------- C:\Program Files\Windows Journal
2008-06-05 19:20:14 0 d-------- C:\Program Files\Windows Collaboration
2008-06-05 19:20:13 0 d-------- C:\Program Files\Windows Photo Gallery
2008-06-05 19:20:07 0 d-------- C:\Program Files\Windows Defender
2008-06-04 11:29:35 0 d-------- C:\Users\Admin\AppData\Roaming\Mozilla
2008-06-04 11:29:34 0 d-------- C:\Users\Admin\AppData\Roaming\Thunderbird
2008-06-03 21:58:46 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-03 13:28:53 0 d-------- C:\Program Files\Seagate
2008-06-02 20:26:35 78 --a------ C:\Users\Admin\AppData\Roaming\wklnhst.dat
2008-06-02 20:25:07 0 d-------- C:\Users\Admin\AppData\Roaming\Template
2008-06-02 17:29:22 0 d-------- C:\Users\Admin\AppData\Roaming\Packard Bell
2008-06-02 12:38:37 0 d-------- C:\Program Files\Symantec
2008-06-02 12:38:36 0 d-------- C:\Program Files\Norton 360
2008-05-29 20:45:23 0 d-------- C:\Users\Admin\AppData\Roaming\Macromedia
2008-05-29 20:35:27 0 d-------- C:\Users\Admin\AppData\Roaming\Talkback
2008-05-29 16:48:30 0 d-------- C:\Users\Admin\AppData\Roaming\Roxio
2008-05-29 16:27:48 0 d-------- C:\Users\Admin\AppData\Roaming\CyberLink
2008-05-29 16:26:49 0 d-------- C:\Users\Admin\AppData\Roaming\Identities
2008-05-12 11:17:19 0 d-------- C:\Program Files\Microsoft Works
2008-05-12 11:16:37 0 d-------- C:\Program Files\Packard Bell
2008-05-12 11:12:18 0 d-------- C:\Program Files\CyberLink
2008-05-12 11:12:03 0 d-------- C:\Program Files\Common Files\InstallShield
2008-05-12 11:10:38 0 d-------- C:\Program Files\Belgium Identity Card
2008-05-12 11:09:57 0 d-------- C:\Program Files\Common Files\SureThing Shared
2008-05-12 11:09:56 0 d-------- C:\Program Files\Roxio
2008-05-12 11:09:44 0 d-------- C:\Program Files\Common Files\Sonic Shared
2008-05-12 11:09:44 0 d-------- C:\Program Files\Common Files\Roxio Shared
2008-05-12 11:06:00 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-12 11:02:32 0 d-------- C:\Program Files\X10 Hardware
2008-05-12 11:02:00 0 d-------- C:\Program Files\Common Files\X10
2008-05-12 11:01:08 0 d-------- C:\Program Files\Realtek
2008-05-12 11:00:57 315392 --a------ C:\Windows\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [19/01/2008 08:38]
"RtHDVCpl"="RtHDVCpl.exe" [10/05/2007 16:10 C:\Windows\RtHDVCpl.exe]
"Skytel"="Skytel.exe" [07/05/2007 17:51 C:\Windows\SkyTel.exe]
"@"="" []
"beidsystemtray"="C:\Program Files\Belgium Identity Card\beidsystemtray.exe" [21/06/2006 09:47]
"MSPService"="C:\Program Files\CyberLink\MagicSports\Kernel\MagicSports\MSPMirage.exe" [12/06/2007 23:36]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [18/05/2007 14:21]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [25/03/2008 04:28]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [16/10/2007 21:21]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [16/10/2007 21:21]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [16/10/2007 21:21]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [12/02/2008 10:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [19/01/2008 08:33]
"WindowsWelcomeCenter"="oobefldr.dll,ShowWelcomeCenter" []
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [19/01/2008 08:33]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [11/09/2006 04:40]
"MSServer"="C:\Users\Admin\AppData\Local\Temp\qoMdExxY.dll,#1" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSTray]
C:\Program Files\SiS VGA Utilities\SiSTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum

*Newly Created Service* - AVGIO
*Newly Created Service* - AVGNTFLT
*Newly Created Service* - AVIPBB
*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-06-16 03:50:06 ------------


___________________________________________________________________________________________


Attached File: extra.txt (15.18KB)


#2 jjake1 (Topic Starter)

Posted 16 June 2008 - 12:19 PM

Some more info:
I uninstalled Norton 360 and Antivira.
Installed Kaspersky Internet Security 7
Updated and did a full scan:


16/06/2008 15:57:47 File: C:\Users\Admin\AppData\Local\Temp\opnnmkHW.dll detected: Trojan program 'Trojan.Win32.Agent.ruh'

Infected: Trojan program Trojan.Win32.Agent.ruh
c:\deckard\system scanner\backup\users\admin\appdata\local\temp\tmp0000931a 24.5 KB

Infected: Trojan program Trojan.Win32.Agent.ruh
c:\users\admin\appdata\local\temp\tmp000083bf 24.5 KB

Infected: Trojan program Trojan.Win32.Agent.ruh
C:\Users\Admin\AppData\Local\Temp\opnnmkHW.dll 24.5 KB

Infected: Trojan program Trojan.Win32.Agent.ruh
c:\users\admin\appdata\local\temp\tmp0000a8db 24.5 KB

Infected: Trojan program Trojan.Win32.Agent.ruh
c:\users\admin\appdata\local\temp\tmp0000abe7 24.5 KB

Infected: Trojan program Trojan.Win32.Agent.ruh
c:\users\admin\appdata\local\temp\tmp00006b4f 24.5 KB

------------------------------------------------------------------------------

All the above files removed to backup.

Rebooted and now have two new start menu entries:
cmds c:\users\admin\appdata\local\temp\gebsropn.dll
fab5efce c:\users\admin\appdata\local\temp\ppaqvhrr.dll

Hard drive still clicking away constantly. PC now running slow - difficult to type in here.
rundll32.exe and explorer.exe seem to be the programs in constant use.
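The autostart entries quoted in this thread (an HKCU Run value that has rundll32.exe load an 8-letter, randomly named DLL from the user's Temp directory through ordinal #1 or a single-letter export, and that comes back under a fresh name after each removal) are a pattern triage tooling can flag mechanically. As an added example that is not part of the original post, of HijackThis or of DSS, the Python below scores HijackThis O4 lines on exactly those signals; the sample lines are constructed to mirror the entries quoted here, and the regexes, scoring weights and threshold are my own assumptions.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample of HijackThis "O4" autostart lines. The MSServer and cmds
# entries mirror the two quoted in this thread; the others are ordinary
# entries of the kind that appear in the same logs, kept for contrast.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Admin\AppData\Local\Temp\qoMdExxY.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Admin\AppData\Local\Temp\geBsropN.dll,c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
""".strip().splitlines()

# "O4 - <hive>[\<SID>]\..\Run: [<value name>] <command> [(User '<name>')]"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)(?:\\S-[\d-]+)?\\\.\.\\Run(?:Once)?: "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$"
)
# rundll32 invocation: <rundll32> <dll>,<export> [args]
RUNDLL_RE = re.compile(
    r'^"?(?:[^"\s]*\\)?rundll32\.exe"?\s+(?:"(?P<qdll>[^"]+)"|(?P<dll>[^\s,]+)),(?P<export>\S*)',
    re.IGNORECASE,
)
# First token of any other command (unquoted paths containing spaces are
# ambiguous in HJT output, so only the first token is taken).
EXE_RE = re.compile(r'^(?:"(?P<qexe>[^"]+)"|(?P<exe>\S+))')
TEMP_DIR_RE = re.compile(
    r"\\(?:AppData\\Local\\Temp|Local Settings\\Temp|Windows\\Temp)\\", re.IGNORECASE
)


class Finding(NamedTuple):
    name: str              # Run value name, e.g. MSServer
    hive: str              # HKLM / HKCU / HKUS
    target: str            # module that actually gets loaded
    export: Optional[str]  # rundll32 export, or None for a plain executable
    reasons: Tuple[str, ...]
    score: int


def looks_random(stem: str) -> bool:
    """Heuristic for the pseudo-random 8-letter module names in this thread
    (qoMdExxY, geBsropN, mljgvsmm): letters only, at least 6 long, and either
    mixed case after the first letter or almost no vowels."""
    if not stem.isalpha() or len(stem) < 6:
        return False
    inner = stem[1:]
    mixed_case = any(c.isupper() for c in inner) and any(c.islower() for c in inner)
    vowel_ratio = sum(c in "aeiouAEIOU" for c in stem) / len(stem)
    return mixed_case or vowel_ratio < 0.2


def parse_o4(line: str) -> Optional[Tuple[str, str, str, Optional[str]]]:
    """Return (hive, value name, loaded module, export) or None if not an O4 line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd")
    r = RUNDLL_RE.match(cmd)
    if r:
        return m.group("hive"), m.group("name"), r.group("qdll") or r.group("dll"), r.group("export")
    e = EXE_RE.match(cmd)
    target = (e.group("qexe") or e.group("exe")) if e else cmd
    return m.group("hive"), m.group("name"), target, None


def assess(line: str) -> Optional[Finding]:
    """Score one O4 line. A temp-directory target alone reaches the default
    threshold; the other two signals only add weight."""
    parsed = parse_o4(line)
    if parsed is None:
        return None
    hive, name, target, export = parsed
    stem = target.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    reasons: List[str] = []
    score = 0
    if TEMP_DIR_RE.search(target):
        reasons.append("autostart target lives in a temp directory")
        score += 3
    if export is not None and (export.startswith("#") or len(export) <= 1):
        reasons.append("rundll32 export '%s' is an ordinal or a single letter" % export)
        score += 1
    if looks_random(stem):
        reasons.append("module name '%s' looks machine-generated" % stem)
        score += 1
    return Finding(name, hive, target, export, tuple(reasons), score)


def suspicious(lines, threshold: int = 3) -> List[Finding]:
    """All O4 entries whose score reaches the threshold, in log order."""
    return [f for f in map(assess, lines) if f is not None and f.score >= threshold]


if __name__ == "__main__":
    for f in suspicious(SAMPLE_O4_LINES):
        print("%s\\..\\Run [%s] -> %s (score %d)" % (f.hive, f.name, f.target, f.score))
        for reason in f.reasons:
            print("   - " + reason)
```

Run against a full HJT log the same function walks every O4 line and leaves the ordinary vendor entries at score 0, so only the Temp-directory loaders surface.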

#3 jjake1 (Topic Starter)

Posted 16 June 2008 - 05:34 PM

Apologies if this is unnecessary or confuses matters more. Here's another DDS log, after installing Kaspersky.

Deckard's System Scanner v20071014.68
Run by Admin on 2008-06-16 23:24:53
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Admin.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:24:56, on 16/06/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Belgium Identity Card\beidsystemtray.exe
C:\Program Files\CyberLink\MagicSports\Kernel\MagicSports\MSPMirage.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\rundll32.exe
C:\Users\Admin\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Admin.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://format.packardbell.com/cgi-bin/redi...amp;key=IESTART
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://format.packardbell.com/cgi-bin/redi...amp;key=IESTART
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Google\Google_BAE\BAE.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [beidsystemtray] C:\Program Files\Belgium Identity Card\beidsystemtray.exe
O4 - HKLM\..\Run: [MSPService] C:\Program Files\CyberLink\MagicSports\Kernel\MagicSports\MSPMirage.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Admin\AppData\Local\Temp\geBsropN.dll,c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O13 - Gopher Prefix:
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1213492825412
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1212924180677
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll,C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: eID CRL Service - Zetes - C:\Windows\system32\beidservicecrl.exe
O23 - Service: eID Privacy Service - Zetes - C:\Windows\system32\beidservicepcsc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 6504 bytes

-- Files created between 2008-05-16 and 2008-06-16 -----------------------------

2008-06-16 15:37:57 96966 --a------ C:\Windows\system32\drivers\klin.dat
2008-06-16 15:37:57 88774 --a------ C:\Windows\system32\drivers\klick.dat
2008-06-16 15:35:52 15626272 --ahs---- C:\Windows\system32\drivers\fidbox.dat
2008-06-16 15:35:51 0 d-------- C:\Users\All Users\Kaspersky Lab
2008-06-16 15:35:51 0 d-------- C:\Program Files\Kaspersky Lab
2008-06-16 15:09:49 0 d-------- C:\Users\All Users\Kaspersky Lab Setup Files
2008-06-16 03:17:40 0 d-------- C:\Program Files\Trend Micro
2008-06-16 01:42:51 0 d-------- C:\Program Files\Panda Security
2008-06-16 01:23:07 0 d-------- C:\Users\All Users\Avira
2008-06-15 02:54:45 0 dr-h----- C:\MSOCache
2008-06-08 23:28:06 0 d-------- C:\Windows\Sun
2008-06-06 19:07:17 0 d-------- C:\Program Files\Full Tilt Poker
2008-06-05 21:03:28 0 d-------- C:\Program Files\Aida32
2008-06-05 19:17:33 0 d-------- C:\PerfLogs
2008-06-05 14:15:03 0 d-------- C:\Program Files\PokerStove
2008-06-04 22:13:19 0 d-------- C:\Program Files\7-Zip
2008-06-04 11:29:35 0 --a------ C:\Windows\nsreg.dat
2008-06-04 11:29:24 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-06-04 10:10:16 0 d-------- C:\Program Files\Packard Bell ImageWriter
2008-06-04 10:01:24 6656 --a------ C:\Windows\system32\SiSApi.dll <Not Verified; Silicon Integrated Systems Corporation; SiS ® VGA Install API>
2008-06-04 10:01:24 0 d-------- C:\Program Files\SiS VGA Utilities
2008-06-02 21:59:26 0 d-------- C:\Program Files\Poker Clients
2008-06-02 20:53:12 0 d-------- C:\Program Files\IrfanView
2008-06-02 20:10:27 0 d-------- C:\Program Files\SysInternals
2008-06-02 20:09:45 0 d-------- C:\Program Files\CCleaner
2008-06-02 19:55:55 0 d-------- C:\Program Files\Java
2008-06-02 19:33:17 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-02 17:39:46 0 --a------ C:\Windows\system32\AleUpdt.bin
2008-05-30 00:35:33 0 d-------- C:\Program Files\UltimateBet
2008-05-30 00:05:25 0 d-------- C:\UKquizmirc
2008-05-29 23:55:05 0 d-------- C:\Program Files\Common Files\Java
2008-05-29 23:47:57 0 d-------- C:\Program Files\Common Files\Adobe(5)
2008-05-29 23:47:57 0 d-------- C:\Program Files\Adobe(4)
2008-05-29 23:08:00 0 d-------- C:\Windows\PCHEALTH
2008-05-29 23:03:19 0 d------c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-29 23:03:12 0 d-------- C:\Program Files\Windows Live
2008-05-29 22:29:13 0 d-------- C:\Users\All Users\WLInstaller
2008-05-29 22:06:53 0 d-------- C:\Program Files\MSXML 4.0
2008-05-29 20:48:06 0 d-------- C:\Program Files\PokerStars
2008-05-29 16:26:57 0 dr------- C:\Users\Admin\Searches
2008-05-29 16:26:47 0 dr------- C:\Users\Admin\Contacts
2008-05-29 16:26:39 0 d--hs---- C:\Users\Admin\Templates
2008-05-29 16:26:39 0 d--hs---- C:\Users\Admin\Start Menu
2008-05-29 16:26:39 0 d--hs---- C:\Users\Admin\SendTo
2008-05-29 16:26:39 0 d--hs---- C:\Users\Admin\Recent
2008-05-29 16:26:39 0 d--hs---- C:\Users\Admin\PrintHood
2008-05-29 16:26:39 0 d--hs---- C:\Users\Admin\NetHood
2008-05-29 16:26:39 0 d--hs---- C:\Users\Admin\My Documents
2008-05-29 16:26:39 0 d--hs---- C:\Users\Admin\Local Settings
2008-05-29 16:26:39 0 d--hs---- C:\Users\Admin\Cookies
2008-05-29 16:26:39 0 d--hs---- C:\Users\Admin\Application Data
2008-05-29 16:26:38 0 dr------- C:\Users\Admin\Videos
2008-05-29 16:26:38 0 dr------- C:\Users\Admin\Saved Games
2008-05-29 16:26:38 0 dr------- C:\Users\Admin\Pictures
2008-05-29 16:26:38 1048576 --ahs---- C:\Users\Admin\ntuser.dat
2008-05-29 16:26:38 0 dr------- C:\Users\Admin\Music
2008-05-29 16:26:38 0 dr------- C:\Users\Admin\Links
2008-05-29 16:26:38 0 dr------- C:\Users\Admin\Favorites
2008-05-29 16:26:38 0 dr------- C:\Users\Admin\Downloads
2008-05-29 16:26:38 0 dr------- C:\Users\Admin\Documents
2008-05-29 16:26:38 0 dr------- C:\Users\Admin\Desktop
2008-05-29 16:26:38 0 d--h----- C:\Users\Admin\AppData


-- Find3M Report ---------------------------------------------------------------

2008-06-16 15:29:32 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-16 15:28:17 0 d-------- C:\Program Files\Norton 360
2008-06-16 15:28:14 0 d-------- C:\Program Files\Symantec
2008-06-16 15:27:43 0 d-------- C:\Program Files\Common Files
2008-06-12 03:05:32 0 d-------- C:\Program Files\Windows Mail
2008-06-11 15:26:47 0 d-------- C:\Program Files\Google
2008-06-08 14:32:19 0 d-------- C:\Users\Admin\AppData\Roaming\Symantec
2008-06-08 12:20:57 0 d-------- C:\Users\Admin\AppData\Roaming\InstallShield
2008-06-08 12:15:30 0 d-------- C:\Users\Admin\AppData\Roaming\Skype
2008-06-07 21:54:31 0 d-------- C:\Users\Admin\AppData\Roaming\Adobe
2008-06-06 19:07:16 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-05 19:27:51 174 --ahs---- C:\Program Files\desktop.ini
2008-06-05 19:20:19 0 d-------- C:\Program Files\Windows Calendar
2008-06-05 19:20:18 0 d-------- C:\Program Files\Windows Sidebar
2008-06-05 19:20:18 0 d-------- C:\Program Files\Movie Maker
2008-06-05 19:20:14 0 d-------- C:\Program Files\Windows Journal
2008-06-05 19:20:14 0 d-------- C:\Program Files\Windows Collaboration
2008-06-05 19:20:13 0 d-------- C:\Program Files\Windows Photo Gallery
2008-06-05 19:20:07 0 d-------- C:\Program Files\Windows Defender
2008-06-04 11:29:35 0 d-------- C:\Users\Admin\AppData\Roaming\Mozilla
2008-06-04 11:29:34 0 d-------- C:\Users\Admin\AppData\Roaming\Thunderbird
2008-06-03 13:28:53 0 d-------- C:\Program Files\Seagate
2008-06-02 20:26:35 78 --a------ C:\Users\Admin\AppData\Roaming\wklnhst.dat
2008-06-02 20:25:07 0 d-------- C:\Users\Admin\AppData\Roaming\Template
2008-06-02 17:29:22 0 d-------- C:\Users\Admin\AppData\Roaming\Packard Bell
2008-05-29 20:45:23 0 d-------- C:\Users\Admin\AppData\Roaming\Macromedia
2008-05-29 20:35:27 0 d-------- C:\Users\Admin\AppData\Roaming\Talkback
2008-05-29 16:48:30 0 d-------- C:\Users\Admin\AppData\Roaming\Roxio
2008-05-29 16:27:48 0 d-------- C:\Users\Admin\AppData\Roaming\CyberLink
2008-05-29 16:26:49 0 d-------- C:\Users\Admin\AppData\Roaming\Identities
2008-05-12 11:17:19 0 d-------- C:\Program Files\Microsoft Works
2008-05-12 11:16:37 0 d-------- C:\Program Files\Packard Bell
2008-05-12 11:12:18 0 d-------- C:\Program Files\CyberLink
2008-05-12 11:12:03 0 d-------- C:\Program Files\Common Files\InstallShield
2008-05-12 11:10:38 0 d-------- C:\Program Files\Belgium Identity Card
2008-05-12 11:09:57 0 d-------- C:\Program Files\Common Files\SureThing Shared
2008-05-12 11:09:56 0 d-------- C:\Program Files\Roxio
2008-05-12 11:09:44 0 d-------- C:\Program Files\Common Files\Sonic Shared
2008-05-12 11:09:44 0 d-------- C:\Program Files\Common Files\Roxio Shared
2008-05-12 11:06:00 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-12 11:02:32 0 d-------- C:\Program Files\X10 Hardware
2008-05-12 11:02:00 0 d-------- C:\Program Files\Common Files\X10
2008-05-12 11:01:08 0 d-------- C:\Program Files\Realtek
2008-05-12 11:00:57 315392 --a------ C:\Windows\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [19/01/2008 08:38]
"RtHDVCpl"="RtHDVCpl.exe" [10/05/2007 16:10 C:\Windows\RtHDVCpl.exe]
"Skytel"="Skytel.exe" [07/05/2007 17:51 C:\Windows\SkyTel.exe]
"@"="" []
"beidsystemtray"="C:\Program Files\Belgium Identity Card\beidsystemtray.exe" [21/06/2006 09:47]
"MSPService"="C:\Program Files\CyberLink\MagicSports\Kernel\MagicSports\MSPMirage.exe" [12/06/2007 23:36]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [25/03/2008 04:28]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [16/10/2007 21:21]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [16/10/2007 21:21]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [16/10/2007 21:21]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [08/02/2008 18:36]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [19/01/2008 08:33]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [19/01/2008 08:33]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [11/09/2006 04:40]
"cmds"="C:\Users\Admin\AppData\Local\Temp\geBsropN.dll,c" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll,C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSTray]
C:\Program Files\SiS VGA Utilities\SiSTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-06-16 23:28:26 ------------
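
Added triage example (not part of the original post, and not code from Deckard's System Scanner or HijackThis): a Python script that parses the `[HKEY_...\Run]` blocks in the format the DSS registry dump above uses and scores each autostart value by the signals a malware responder checks first: a target under a temp directory, a DLL target with a `,export` suffix, a value for which the dump records no file timestamp (empty brackets), and a random-looking file name. The embedded dump is constructed to mirror the Run keys in the log above, including the `cmds` entry pointing into `AppData\Local\Temp`. The scoring weights, the threshold of 3 and the vowel-ratio name heuristic are assumptions of this example, chosen to rank entries for a human to look at, not anything the thread or the tool defines.

```python
r"""Score Run-key autostart values from a Deckard's System Scanner registry dump.

Added triage example; not code from the forum post, DSS or HijackThis.
The format parsed is the one DSS prints in its "Registry Dump" section:
    [HKEY_...\...\Run]
    "ValueName"="data" [dd/mm/yyyy hh:mm optional-resolved-path]
Weights, threshold and the name heuristic are assumptions of this example.
"""
import re
from dataclasses import dataclass

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
RUN_KEY_RE = re.compile(r"\\Run(Once)?$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>[^"]*)"\s*\[(?P<meta>[^\]]*)\]\s*$')
TEMP_RE = re.compile(r"\\(AppData\\Local\\Temp|Local Settings\\Temp|Temp)\\", re.IGNORECASE)
DLL_RE = re.compile(r"\.dll(?P<export>,[^\s\\]*)?$", re.IGNORECASE)
VOWELS = set("aeiou")

# Constructed sample that mirrors the Run keys in the DSS dump posted in this thread.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [19/01/2008 08:38]
"RtHDVCpl"="RtHDVCpl.exe" [10/05/2007 16:10 C:\Windows\RtHDVCpl.exe]
"@"="" []
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [08/02/2008 18:36]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [19/01/2008 08:33]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [19/01/2008 08:33]
"cmds"="C:\Users\Admin\AppData\Local\Temp\geBsropN.dll,c" []
"""


@dataclass
class Finding:
    key: str
    name: str
    data: str
    score: int
    reasons: list


def parse_run_values(dump: str):
    """Yield (key, name, data, meta) for every value under a Run/RunOnce key."""
    in_run_key, key = False, ""
    for raw in dump.splitlines():
        line = raw.strip()
        k = KEY_RE.match(line)
        if k:
            key = k.group("key")
            in_run_key = bool(RUN_KEY_RE.search(key))
            continue
        v = VALUE_RE.match(line)
        if in_run_key and v:
            yield key, v.group("name"), v.group("data"), v.group("meta")


def looks_random(stem: str) -> bool:
    """Weak signal: six or more letters with fewer than 30% vowels (assumed heuristic)."""
    letters = [c for c in stem.lower() if c.isalpha()]
    return len(letters) >= 6 and sum(c in VOWELS for c in letters) / len(letters) < 0.3


def assess(key: str, name: str, data: str, meta: str) -> Finding:
    """Score one autostart value; weights are this example's assumptions."""
    reasons, score = [], 0
    if not data:                      # e.g. the empty "@" default value
        return Finding(key, name, data, 0, reasons)
    if TEMP_RE.search(data):          # strong: user-writable temp location
        reasons.append("target lives in a temp directory")
        score += 3
    dll = DLL_RE.search(data)
    if dll:                           # DLL autostart, optionally with an export name
        export = dll.group("export")
        reasons.append("target is a DLL" + (f", export '{export[1:]}'" if export else ""))
        score += 2
    if not meta.strip():              # DSS printed empty brackets: no file timestamp
        reasons.append("no file timestamp recorded")
        score += 1
    stem = re.split(r"[\\/]", data)[-1].split(".")[0]
    if looks_random(stem):
        reasons.append(f"file name '{stem}' looks random")
        score += 1
    return Finding(key, name, data, score, reasons)


def triage(dump: str, threshold: int = 3) -> list:
    """Return findings at or above the threshold, highest score first."""
    found = [assess(*row) for row in parse_run_values(dump)]
    return sorted((f for f in found if f.score >= threshold), key=lambda f: -f.score)


if __name__ == "__main__":
    for f in triage(SAMPLE_DUMP):
        print(f"{f.score:>2}  {f.key}\\{f.name} -> {f.data}")
        for r in f.reasons:
            print(f"      - {r}")
```

Run stand-alone it prints the flagged entries with their reasons; on the sample only the `cmds` value scores above the threshold, while legitimate but oddly named entries such as `RtHDVCpl.exe` in `C:\Windows` stay below it. The score is a triage ordering, not a verdict: confirm a hit by checking the file's digital signature and hash and by submitting the file to a scanner before removing anything.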

#4 suebaby41 (Malware Response Team)

Posted 08 July 2008 - 11:01 AM

Welcome to the BleepingComputer Forums. Since it has been a few days, please post a new Deckard's System Scanner which includes the HijackThis log. Please see Preparation Guide for use before posting about your potential Malware problem. Thank you for your patience.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#5 suebaby41 (Malware Response Team)

Posted 17 July 2008 - 02:38 PM

This subject is now closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.



