
Malware Infection: XP Security Center


This topic is locked
33 replies to this topic

#1 Ogriels

Posted 22 June 2008 - 01:59 PM

Good afternoon,

The night before this occurred I installed SP3 for XP from the Microsoft update server, but I don't think this is related.

A few days ago IE7 indicated a "program not responding" error while my wife was surfing. When she accepted the prompt to close the window, it said thank you and installed XP Security Center. This program immediately scanned the hard disk for malware, reported 34 infected files and then asked to register, which was cancelled. There were several persistent pop-ups during web browsing, and then it started redirecting web pages. At this point my wife shut the computer down.

My research through Google etc. indicates that it is indeed malware. So:
1) I booted from CD-ROM repair disks and deleted all files associated with the XP Security Center install I could find.
2) Ran Stinger 3.9.9 V1000 (virus defs 22 Apr 08). Clean.
3) Ran Ad-Aware 1.06r (defs SE1R210, 27 Dec 07). Clean.
4) Ran Windows Defender (version 1.1.1593.0, engine version 1.1.3604.0, definition version 1.35.563.0), which found TEIntFile, XP Security Center and Renos infections that it successfully removed.
5) Using Defender's Software Explorer, found an instance of XP Security Center running in startup. Deleted it.
6) Ran Symantec AntiVirus 9.0.2.1000 (virus defs 20 Jen 08 rev3). Clean.
7) Used Cleanmgr in both profiles to clean temp files, internet files etc.
8) Ran Deckard's System Scanner. Logs enclosed.
9) Ran the Kaspersky scan three times. Always aborted. Error screen enclosed.

Two suspect directories were found in the C:\ drive:
A) dee0f590ac88c7193291c9542dc0f6
OK, the other one has disappeared now.

That is the best description I can provide right now and the best I know how to do on my own...

I would appreciate some help cleaning off the last vestiges of any remaining infections.
I hate malware....

Thank you,
Bill

Attached Files

#2 Farbar (Security Developer)

Posted 16 July 2008 - 02:17 PM

Hello Ogriels,


Apologies for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following so I can have a look at the current condition of your machine.

Thanks and again sorry for the delay.

Please remove dss.exe from your desktop if you have downloaded it before and still have it on your desktop.

Download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
You must be logged onto an account with administrator privileges when using it.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet, especially if you're asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.



Next
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#3 Ogriels (Topic Starter)

Posted 16 July 2008 - 09:45 PM

Good evening,

Understood. I will complete the tasks again and repost the results.

I thought I had gotten rid of everything since my computer was running normally lately, but yesterday I did get a pop-up asking me to scan with XP Security. I did not acknowledge it but immediately used Ctrl-Alt-Del to kill the process.

Cheers,
Bill

#4 Ogriels (Topic Starter)

Posted 18 July 2008 - 08:30 PM

Good evening,

Sorry it took so long but I was adamantly trying to get the programs to work.

Here is the Main.txt file that was created from DSS:

Deckard staunchly refused to produce an Extra.txt file this time though. I have no idea why.

Here is the report that I could get from Kaspersky on-line:

Like before Kaspersky will not complete a scan on my computer it keeps crashing. This time I did manage to get a print of the results on screen before it closed though.

All of this despite having turned off Defender, Symantec AntiVirus and the firewall prior to running both programs.

Bill

Attached Files



#5 Farbar (Security Developer)

Posted 20 July 2008 - 07:24 AM

Hi again,

Please copy and paste the logs instead of attaching them.


Your log shows that you have been infected before. The current log does not show apparent or active infection. We have to check if there is hidden infection.
  • We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
    • Open Windows Defender.
    • Click on Tools, General Settings.
    • Scroll down and uncheck Turn on real-time protection (recommended).
    • After you uncheck this, click on the Save button and close Windows Defender.
    After all of the fixes are complete it is very important that you enable Real-time Protection again.

  • Tell me if you have followed the instructions to save the Kaspersky log. If not, please run the scan once more and save the log. Copy and paste the log in your reply.
    Kaspersky has found 4 e-mail viruses; the path is not readable, but I suspect they are e-mail attachments in your mailbox. I recommend you not open any e-mail attachments at this stage until we track the path.

  • Please make sure that you can view all hidden files. Instructions on how to do this can be found here: How to see hidden files in Windows

    Click on this link--> virustotal

    Click the browse button and navigate to the file below in bold, then click Send File.

    C:\WINDOWS\system32\SonyIEx.exe

    Please copy and paste the results of the scan in your next post.

  • We are going to take a look at the following file. Click on this link: http://www.bleepingcomputer.com/submit-mal....php?channel=20
    • Fill in the current topic link.
    • Press Browse... then show the path to the file in bold: C:\WINDOWS\system32\SonyIEx.exe
    • In the comment section fill in: Unknown Service file to examine.
    • Click on Send File.
  • Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only)
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main "Select Files to Delete" choose: Select All.
    • Click the Empty Selected button.
    • Click Exit on the Main menu to close the program.

  • Please download Malwarebytes' Anti-Malware from MajorGeeks
    • Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the entire report in your next reply.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


  • Download gmer.zip and save to your desktop.
    alternate download site 1
    alternate download site 2
    • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
    • When you have done this, disconnect from the Internet and close all running programs.
      There is a small chance this application may crash your computer so save any work you have open.
    • Double-click on Gmer.exe to start the program.
    • Allow the gmer.sys driver to load if asked.
    • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
    • Click on "Settings", then check the first five settings:
      *System Protection and Tracing
      *Processes
      *Save created processes to the log
      *Drivers
      *Save loaded drivers to the log
    • You will be prompted to restart your computer. Please do so.

    Run Gmer again and click on the Rootkit tab.
    • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
    • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
    • Click on the "Scan" and wait for the scan to finish.
      Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
    • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
    • Note: If you have any problems, try running GMER in SAFE MODE.
    Important! Please do not select the "Show all" checkbox during the scan.

  • Tell me if you removed your dss.exe first, then downloaded and ran the fresh dss.exe; if yes, an extra.txt should have been produced at C:\Deckard\System Scanner.
    • Click Start and then Run to bring up the Run box.
    • Copy and paste the contents of this quote box into the run box:

      "%userprofile%\desktop\dss.exe" /config

    • Close all other open windows.
    • Click OK.
    • A window will now open. Click Check All and then click Scan!.
    • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.

In your next reply:
The Kaspersky log.
The MBAM log.
The GMER log.
The Dss logs.



#6 Ogriels (Topic Starter)

Posted 20 July 2008 - 11:40 PM

Good evening,

The story so far:

1. Done.

2. Not completed.
Disabled everything I have running, but Kaspersky absolutely refuses to run on my machine. It always crashes somewhere in the scan. I tried five times, and after 3 to 12 minutes it crashed at various points in the scan (i.e. while scanning different directories each time).
I followed the instructions for running Kaspersky from the Malware forum to the letter. It crashes before a scan is completed. Sometimes I can get to the scan report, as I did last time, and took a screen shot. However, even in that particular case the "Save Scan Report" button was greyed out and unusable.

3. Done.

File SonyIEx.exe received on 07.21.2008 04:25:29 (CET)
Result: 0/33 (0%)
Antivirus           Version          Last Update   Result
AhnLab-V3           2008.7.17.0      2008.07.18    -
AntiVir             7.8.1.11         2008.07.20    -
Authentium          5.1.0.4          2008.07.20    -
Avast               4.8.1195.0       2008.07.20    -
AVG                 8.0.0.130        2008.07.20    -
BitDefender         7.2              2008.07.21    -
CAT-QuickHeal       9.50             2008.07.18    -
ClamAV              0.93.1           2008.07.20    -
DrWeb               4.44.0.09170     2008.07.20    -
eSafe               7.0.17.0         2008.07.20    -
eTrust-Vet          31.6.5966        2008.07.18    -
Ewido               4.0              2008.07.20    -
F-Prot              4.4.4.56         2008.07.20    -
F-Secure            7.60.13501.0     2008.07.21    -
Fortinet            3.14.0.0         2008.07.21    -
GData               2.0.7306.1023    2008.07.21    -
Ikarus              T3.1.1.34.0      2008.07.21    -
Kaspersky           7.0.0.125        2008.07.21    -
McAfee              5342             2008.07.18    -
Microsoft           1.3704           2008.07.21    -
NOD32v2             3282             2008.07.19    -
Norman              5.80.02          2008.07.18    -
Panda               9.0.0.4          2008.07.20    -
Prevx1              V2               2008.07.21    -
Rising              20.53.62.00      2008.07.20    -
Sophos              4.31.0           2008.07.21    -
Sunbelt             3.1.1536.1       2008.07.18    -
Symantec            10               2008.07.21    -
TheHacker           6.2.96.385       2008.07.20    -
TrendMicro          8.700.0.1004     2008.07.18    -
VBA32               3.12.8.1         2008.07.20    -
VirusBuster         4.5.11.0         2008.07.20    -
Webwasher-Gateway   6.6.2            2008.07.20    -

Additional information
File size: 126976 bytes
MD5...: b1e44a0976038b5227f07475043a0c38
SHA1..: 40273c9da98cf2b677074eeac1725688016e4529
SHA256: 9b919d394bb61363ffcb8b25d826e48878bc116e1b59a08c44d57d963d6c7c2c
SHA512: 9951dd34d400ab71bd1c9bf7dc0da98bae0e08d6a7839c64d19271a32b1b6041
ddc9ff51cf96f5d35469a8be59b2a97f7d19e5cce88605e27d8ec11f025cefb7
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x40679c
timedatestamp.....: 0x429a7103 (Mon May 30 01:48:51 2005)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x14743 0x15000 6.52 c396cf2b76122489719f6908776c9811
.rdata 0x16000 0x57b2 0x6000 4.77 ef7166e394011ce952e74dab6b1119b7
.data 0x1c000 0x4fc4 0x2000 3.33 603b5f16954355b1bd16c9c02a71c7e3
.rsrc 0x21000 0x1c8 0x1000 0.76 83e2e5c1b1857481705f79df67fec2e9

( 7 imports )
> KERNEL32.dll: HeapAlloc, HeapFree, VirtualProtect, VirtualAlloc, GetSystemInfo, VirtualQuery, RtlUnwind, GetCommandLineA, ExitProcess, HeapReAlloc, HeapSize, TerminateProcess, HeapDestroy, HeapCreate, VirtualFree, IsBadWritePtr, LCMapStringA, LCMapStringW, GetStdHandle, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, GetStartupInfoA, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, SetUnhandledExceptionFilter, GetStringTypeA, GetStringTypeW, IsBadReadPtr, IsBadCodePtr, SetStdHandle, GetCurrentProcess, FlushFileBuffers, SetFilePointer, WriteFile, GetOEMCP, GetCPInfo, GlobalGetAtomNameA, GlobalAddAtomA, GlobalFindAtomA, GlobalDeleteAtom, LoadLibraryA, FreeLibrary, lstrcmpW, GetModuleHandleA, GetProcAddress, GlobalFlags, lstrcmpA, TlsFree, LocalReAlloc, TlsSetValue, TlsAlloc, TlsGetValue, EnterCriticalSection, GlobalHandle, GlobalReAlloc, LeaveCriticalSection, InterlockedIncrement, InterlockedDecrement, DeleteCriticalSection, InitializeCriticalSection, RaiseException, SetLastError, GlobalFree, FindResourceA, LoadResource, LockResource, SizeofResource, GlobalAlloc, GlobalLock, GlobalUnlock, lstrcpynA, FormatMessageA, SleepEx, GetCurrentThreadId, OutputDebugStringA, GetModuleFileNameA, GetWindowsDirectoryA, lstrcatA, GetSystemDirectoryA, GetDriveTypeA, lstrcpyA, lstrlenA, lstrcmpiA, GetVersion, LocalAlloc, LocalFree, GetLastError, CloseHandle, WideCharToMultiByte, MultiByteToWideChar, GetVersionExA, GetThreadLocale, GetLocaleInfoA, GetACP, InterlockedExchange, UnhandledExceptionFilter, Sleep
> USER32.dll: GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, RegisterWindowMessageA, WinHelpA, GetCapture, CreateWindowExA, GetClassLongA, GetClassInfoExA, SetPropA, GetPropA, RemovePropA, GetForegroundWindow, GetTopWindow, DestroyWindow, GetMessageTime, GetMessagePos, LoadIconA, MapWindowPoints, SetForegroundWindow, GetClientRect, GetMenu, PostMessageA, AdjustWindowRectEx, GetClassInfoA, RegisterClassA, DefWindowProcA, CallWindowProcA, SystemParametersInfoA, IsIconic, GetWindowPlacement, CopyRect, SetMenuItemBitmaps, ModifyMenuA, EnableMenuItem, CheckMenuItem, GetMenuCheckMarkDimensions, LoadBitmapA, SetWindowPos, RegisterDeviceNotificationA, GetSubMenu, GetMenuItemCount, SetWindowLongA, GetDlgItem, SetWindowsHookExA, CallNextHookEx, DispatchMessageA, GetKeyState, PeekMessageA, DestroyMenu, PostQuitMessage, ValidateRect, ClientToScreen, GetMenuItemID, GetMenuState, UnregisterClassA, GetSysColorBrush, GetSysColor, ReleaseDC, GetDC, GetSystemMetrics, LoadCursorA, UnhookWindowsHookEx, EnableWindow, IsWindowEnabled, GetLastActivePopup, GetWindowLongA, GetParent, GetWindow, GetDlgCtrlID, GetWindowRect, PtInRect, GetFocus, SetWindowTextA, GetClassNameA, GetWindowTextA, SendMessageA, MessageBoxA
> GDI32.dll: TextOutA, GetStockObject, DeleteDC, ScaleWindowExtEx, SetWindowExtEx, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, SelectObject, Escape, DeleteObject, RectVisible, PtVisible, SetMapMode, RestoreDC, SaveDC, SetBkColor, SetTextColor, GetClipBox, CreateBitmap, GetDeviceCaps, ExtTextOutA
> WINSPOOL.DRV: OpenPrinterA, DocumentPropertiesA, ClosePrinter
> ADVAPI32.dll: DeregisterEventSource, StartServiceCtrlDispatcherA, RegisterServiceCtrlHandlerExA, SetServiceStatus, ControlService, QueryServiceStatus, DeleteService, CreateServiceA, RegCreateKeyA, RegCloseKey, RegisterEventSourceA, ReportEventA, OpenSCManagerA, OpenServiceA, CloseServiceHandle, RegOpenKeyExA, RegQueryValueExA, RegDeleteKeyA, RegSetValueExA, RegEnumKeyExA, RegCreateKeyExA
> COMCTL32.dll: -
> OLEAUT32.dll: -, -, -

( 0 exports )


4. Done.

5. Done.

6. Done.
Malwarebytes found an instance of "Rogue.XPSecurity" in the registry that it deleted.

Malwarebytes' Anti-Malware 1.22
Database version: 972
Windows 5.1.2600 Service Pack 3

10:59:42 PM 7/20/2008
mbam-log-7-20-2008 (22-59-42).txt

Scan type: Quick Scan
Objects scanned: 43082
Time elapsed: 3 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\XP_SecurityCenter (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


7. Done.

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-07-21 00:15:21
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT E24C1390 ZwConnectPort
SSDT sptd.sys ZwCreateKey [0xF750BB3A]
SSDT sptd.sys ZwEnumerateKey [0xF750BC7E]
SSDT sptd.sys ZwEnumerateValueKey [0xF750BFF6]
SSDT sptd.sys ZwOpenKey [0xF750BA18]
SSDT sptd.sys ZwQueryKey [0xF750C0C0]
SSDT sptd.sys ZwQueryValueKey [0xF750BF58]
SSDT sptd.sys ZwSetValueKey [0xF750C148]
SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey [0xA70C16D0]

---- Kernel code sections - GMER 1.0.14 ----

? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
? C:\WINDOWS\System32\Drivers\SPTD4157.SYS The process cannot access the file because it is being used by another process.
.text vaxscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 B9E804D0 16 Bytes [ A6, 3F, 78, F7, 6C, E5, DE, ... ]
.text vaxscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 + 11 B9E804E1 27 Bytes [ F0, E7, B9, 29, 3C, 30, FC, ... ]
.text vaxscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 + 2D B9E804FD 3 Bytes [ 44, B5, 15 ]
? C:\WINDOWS\System32\Drivers\vaxscsi.sys The process cannot access the file because it is being used by another process.
? C:\WINDOWS\system32\Drivers\uphcleanhlp.sys The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F7514DB2] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F752A71E] sptd.sys
IAT ftdisk.sys[ntoskrnl.exe!IoGetAttachedDeviceReference] [F75153B2] sptd.sys
IAT ftdisk.sys[ntoskrnl.exe!IoGetDeviceObjectPointer] [F75152B6] sptd.sys
IAT ftdisk.sys[ntoskrnl.exe!IofCallDriver] [F7515482] sptd.sys
IAT dmio.sys[ntoskrnl.exe!IofCallDriver] [F7515482] sptd.sys
IAT dmio.sys[ntoskrnl.exe!IoGetAttachedDeviceReference] [F75153B2] sptd.sys
IAT dmio.sys[ntoskrnl.exe!IoGetDeviceObjectPointer] [F75152B6] sptd.sys
IAT PartMgr.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F752A032] sptd.sys
IAT PartMgr.sys[ntoskrnl.exe!IoDetachDevice] [F7514F6E] sptd.sys
IAT atapi.sys[ntoskrnl.exe!IofCompleteRequest] [F7529C76] sptd.sys
IAT atapi.sys[ntoskrnl.exe!IoConnectInterrupt] [F7514E06] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7507A32] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F7507B6E] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F7507AF6] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F75086CC] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F75085A2] sptd.sys
IAT disk.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F752A864] sptd.sys
IAT \WINDOWS\system32\DRIVERS\CLASSPNP.SYS[ntoskrnl.exe!IoDetachDevice] [F7519F78] sptd.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!IofCompleteRequest] [F7529C76] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F7529C82] sptd.sys
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F752A864] sptd.sys
IAT \SystemRoot\system32\DRIVERS\rdbss.sys[ntoskrnl.exe!IofCallDriver] [F7507020] sptd.sys
IAT \SystemRoot\system32\DRIVERS\mrxsmb.sys[ntoskrnl.exe!IofCallDriver] [F7507020] sptd.sys

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 8A745BF8

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\NetBT \Device\NetBT_Tcpip_{A09C6DEE-EF0B-414B-A295-0BF0ACD780A5} 8A601CF8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A7902B8
Device \Driver\dmio \Device\DmControl\DmConfig 8A7902B8
Device \Driver\dmio \Device\DmControl\DmPnP 8A7902B8
Device \Driver\dmio \Device\DmControl\DmInfo 8A7902B8

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Ftdisk \Device\HarddiskVolume1 8A7904F0
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A7904F0
Device \Driver\Cdrom \Device\CdRom0 8A3DA978
Device \FileSystem\Rdbss \Device\FsWrap 8A4509D0
Device \Driver\Cdrom \Device\CdRom1 8A3DA978
Device \Driver\Cdrom \Device\CdRom2 8A3DA978
Device \Driver\USBSTOR \Device\00000075 89CDE0E8
Device \Driver\USBSTOR \Device\00000077 89CDE0E8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8A601CF8
Device \Driver\USBSTOR \Device\00000078 89CDE0E8
Device \FileSystem\InCDfs \Device\InCDfsComm 8A45D8F8
Device \Driver\00000059 \Device\0000004b sptd.sys
Device \Driver\USBSTOR \Device\00000079 89CDE0E8
Device \Driver\NetBT \Device\NetbiosSmb 8A601CF8

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Disk \Device\Harddisk0\DR0 8A745EB0
Device \Driver\Disk \Device\Harddisk1\DR1 8A745EB0
Device \Driver\Disk \Device\Harddisk2\DR4 8A745EB0
Device \Driver\Disk \Device\Harddisk2\DP(1)0-0+8 8A745EB0
Device \Driver\Disk \Device\Harddisk3\DR5 8A745EB0
Device \Driver\Disk \Device\Harddisk3\DP(1)0-0+9 8A745EB0
Device \Driver\USBSTOR \Device\0000007a 89CDE0E8
Device \Driver\Disk \Device\Harddisk4\DP(1)0-0+a 8A745EB0
Device \Driver\Disk \Device\Harddisk4\DR6 8A745EB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A4A04C0
Device \Driver\Disk \Device\Harddisk5\DP(1)0-0+b 8A745EB0
Device \Driver\Disk \Device\Harddisk5\DR7 8A745EB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A4A04C0
Device \FileSystem\Npfs \Device\NamedPipe 8A373610
Device \Driver\Ftdisk \Device\FtControl 8A7904F0
Device \FileSystem\Msfs \Device\Mailslot 8A5F30E8
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1 8A44F520
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1Port4Path0Target0Lun0 8A44F520
Device \FileSystem\InCDfs \GLOBAL??\BsUDF 8A45D8F8
Device \FileSystem\Cdfs \Cdfs 8A455698

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s0 2046282850
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 1129813795
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 191080622
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x66 0x26 0x09 0x66 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x20 0xA6 0x32 0xF9 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x9B 0x1A 0x74 0x55 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x66 0x26 0x09 0x66 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x20 0xA6 0x32 0xF9 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x9B 0x1A 0x74 0x55 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x66 0x26 0x09 0x66 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x20 0xA6 0x32 0xF9 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x9B 0x1A 0x74 0x55 ...

---- EOF - GMER 1.0.14 ----

8. Not successful.
I erased previous versions of DSS from my system and re-downloaded the file. Once again it would only produce a Main.txt and would not create an Extra.txt.... it simply isn't there. It is not minimised. It is not saved. I searched the whole drive. (The first time I ran it is the only time it created the extra file. That one is posted with my initial submission to this forum.)

Deckard's System Scanner v20071014.68
Run by William on 2008-07-21 00:24:34
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as William.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:24:41 AM, on 7/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC Powerchute\mainserv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\SonyIEx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\umonit.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\APC Powerchute\apcsystray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\Program Files\Symantec AntiVirus\vptray.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Anti-Spyware\Deckard\dss_new.exe
C:\PROGRA~1\ANTI-S~1\HIJACK~1\William.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\system32\umonit.exe
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://zone.msn.com
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} (SupportSoft Script Runner Class) - https://password.bellsouth.net/sdccommon/do...oad/tgctlsr.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1147927423109
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/bingame/amad/default/atomaders.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1147927412671
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://sympatico.zone.msn.com/bingame/amun...mjolauncher.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab60096.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A09C6DEE-EF0B-414B-A295-0BF0ACD780A5}: NameServer = 192.168.1.254,192.168.1.253
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC Powerchute\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SonyIEx - Unknown owner - C:\WINDOWS\system32\SonyIEx.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8470 bytes

-- Files created between 2008-06-21 and 2008-07-21 -----------------------------

2008-07-20 22:54:18 0 d-------- C:\Documents and Settings\William_2\Application Data\Malwarebytes
2008-07-20 22:54:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-19 00:14:11 0 d-------- C:\WINDOWS\Prefetch
2008-07-19 00:07:49 0 d-------- C:\Program Files\Messenger
2008-07-19 00:07:33 0 d-------- C:\WINDOWS\system32\scripting
2008-07-19 00:07:33 0 d-------- C:\WINDOWS\l2schemas
2008-07-19 00:07:32 0 d-------- C:\WINDOWS\system32\en
2008-07-19 00:07:32 0 d-------- C:\WINDOWS\system32\bits
2008-07-19 00:05:12 0 d-------- C:\WINDOWS\ServicePackFiles


-- Find3M Report ---------------------------------------------------------------

2008-07-21 00:23:52 0 d-------- C:\Program Files\Symantec AntiVirus
2008-07-21 00:18:17 0 d-------- C:\Program Files\Anti-Spyware
2008-07-19 21:15:28 0 d-------- C:\Program Files\MSN Messenger
2008-07-19 00:07:32 0 d-------- C:\Program Files\Movie Maker
2008-07-13 18:37:40 0 d-------- C:\Program Files\APC Powerchute
2008-06-16 13:11:04 15345 --a------ C:\WINDOWS\wyvimyzura.pif
2008-06-16 13:11:04 14418 --a------ C:\WINDOWS\system32\ucyfywylu.dat
2008-06-16 13:11:04 14355 --a------ C:\WINDOWS\system32\buxi.vbs
2008-06-16 13:11:04 14806 --a------ C:\WINDOWS\roxa.pif
2008-06-16 13:11:04 0 d-------- C:\Program Files\Common Files
2008-06-16 13:11:04 15959 --a------ C:\Program Files\Common Files\bihywu._dl
2008-06-04 21:22:11 0 d-------- C:\Program Files\Yahoo!
2008-05-26 08:44:40 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-11 05:10:51 68 --a------ C:\WINDOWS\E


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [06/09/2004 10:31 PM]
"UMonit"="C:\WINDOWS\system32\umonit.exe" [04/21/2003 01:23 PM]
"Speed racer"="C:\Program Files\Creative\PlayCenter\CTSRReg.exe" [11/16/1999 03:00 AM]
"AudioHQ"="C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE" [11/30/1999 03:00 AM]
"UpdReg"="C:\WINDOWS\Updreg.exe" [11/12/1999 03:00 AM]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [01/12/2005 04:54 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 09:20 PM]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [03/15/2005 05:46 AM]
"vptray"="C:\PROGRA~1\SYMANT~1\\vptray.exe" [10/06/2004 07:56 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [06/01/2006 03:32 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [4/23/2008 3:38:16 AM]
APC UPS Status.lnk - C:\Program Files\APC Powerchute\Display.exe [7/27/2007 9:28:48 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [9/16/2003 7:19:24 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc




-- End of Deckard's System Scanner: finished at 2008-07-21 00:25:25 ------------

The battle continues !

Cheers, Bill



#7 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,704 posts
  • Gender:Male
  • Location:The Netherlands

Posted 21 July 2008 - 06:37 PM

Hi Bill,

Sorry for the delay.

Your log(s) show that you are using so called peer-to-peer or file-sharing programs (in your case Azureus). These programs allow users to share files between each other, as the name suggests. In today's world cyber crime has grown to an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."


Removal Instructions

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.
  • Please disable your Windows Defender Real-time Protection again. It is OK not to run it again until we finish with the job completely.

  • Please remove all the downloaded files from Azureus download folder and refrain from using it at this stage.

  • I see from the earlier log the Windows firewall is turned off. Have you turned off the Windows firewall yourself?

  • I see Alcohol 120 has been installed on your computer and its drivers are still running. But I don't see the application on the program list. Tell me if you are using or uninstalled the application.

  • Click on this link--> virustotal

    Click the browse button and navigate to the file below in bold, then click Send File.

    C:\WINDOWS\wyvimyzura.pif
    C:\WINDOWS\system32\buxi.vbs
    C:\Program Files\Common Files\bihywu._dl

    Please copy and paste the results of the scan in your next post.

  • Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

    Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

    Scan with DrWeb-CureIt as follows:
    • Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
    • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
    • Once the short scan has finished, Click Options > Change settings
    • Choose the "Scan tab" and UNcheck "Heuristic analysis"
    • Back at the main window, click "Custom Scan", then Select drives (a red dot will show which drives have been chosen).
    • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
    • When done, a message will be displayed at the bottom advising if any viruses were found.
    • Click "Yes to all" if it asks if you want to cure/move the file.
    • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
      (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
    • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
    • Save the DrWeb.csv report to your desktop.
    • Exit Dr.Web Cureit when done.
    • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
    • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)
  • Please download SDFix by AndyManchesta and save it to your desktop.
    When using this tool, you must use the Administrator's account or an account with "Administrative rights"
    • Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix).
    • DO NOT use it just yet.
    Reboot your computer into Safe Mode by using the F8 method.

    Open the SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
    • Copy and paste the contents of the results file Report.txt in your next reply.

    In your next reply:

    The DrWeb log.
    The SDFix log.
    A fresh Dss log.
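As an added example (not code from the thread, from DSS or from Farbar), here is a small Python triage helper that applies the reasoning in the post above to the Find3M section of a Deckard's System Scanner log: it groups suspect files by the second they were written and flags clusters, which is what Farbar did by hand when he picked out the three files to submit to VirusTotal. The sample log lines are constructed to mirror the report earlier in the thread; the directory prefixes, extension list and cluster threshold are assumptions of this example, not DSS settings.

```python
import os
import re
from collections import defaultdict

# One Find3M line is "<date> <time> <size> <attrs> <path>"; the constructed
# sample below mirrors the thread's log and is not read from a real file.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+([-a-z]{9})\s+(.+)$"
)

# Assumptions for the heuristic (not DSS settings): where dropped files tend to
# land, and which extensions make an otherwise unexplained file worth a look.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\common files\\")
SUSPECT_EXT = {".pif", ".vbs", ".dat", "._dl", ".exe", ".dll", ".tmp"}

# Constructed sample modelled on the Find3M section posted in this thread.
SAMPLE_LOG = r"""
-- Find3M Report ---------------------------------------------------------------

2008-07-21 00:23:52 0 d-------- C:\Program Files\Symantec AntiVirus
2008-07-13 18:37:40 0 d-------- C:\Program Files\APC Powerchute
2008-06-16 13:11:04 15345 --a------ C:\WINDOWS\wyvimyzura.pif
2008-06-16 13:11:04 14418 --a------ C:\WINDOWS\system32\ucyfywylu.dat
2008-06-16 13:11:04 14355 --a------ C:\WINDOWS\system32\buxi.vbs
2008-06-16 13:11:04 14806 --a------ C:\WINDOWS\roxa.pif
2008-06-16 13:11:04 0 d-------- C:\Program Files\Common Files
2008-06-16 13:11:04 15959 --a------ C:\Program Files\Common Files\bihywu._dl
2008-06-04 21:22:11 0 d-------- C:\Program Files\Yahoo!
2008-05-11 05:10:51 68 --a------ C:\WINDOWS\E
"""


def parse_find3m(text):
    """Return one dict per file/directory line; section headers and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, size, attrs, path = m.groups()
        entries.append({
            "ts": ts,
            "size": int(size),
            "is_dir": attrs.startswith("d"),   # first attribute column is 'd' for directories
            "path": path,
        })
    return entries


def looks_generated(path):
    """True for a bare lowercase-letter stem (4-12 chars) with a suspect extension.

    Randomly generated dropper names such as wyvimyzura.pif carry no digits,
    case changes or separators; most vendor files in these directories do.
    """
    stem, ext = os.path.splitext(path.rsplit("\\", 1)[-1])
    return bool(re.fullmatch(r"[a-z]{4,12}", stem)) and ext.lower() in SUSPECT_EXT


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def find_drop_clusters(entries, min_files=3):
    """Group suspect files by their exact timestamp and keep clusters of at least
    min_files: several unrelated-looking files written in the same second is the
    installer signature a human reviewer keys on."""
    by_ts = defaultdict(list)
    for e in entries:
        if e["is_dir"] or not in_system_dir(e["path"]):
            continue
        if looks_generated(e["path"]):
            by_ts[e["ts"]].append(e["path"])
    return {ts: paths for ts, paths in by_ts.items() if len(paths) >= min_files}


def triage_lines(clusters):
    """Render clusters as the list a helper would hand back for scanner submission
    or quarantine review."""
    out = []
    for ts in sorted(clusters):
        out.append(f"{len(clusters[ts])} files written at {ts}:")
        out.extend(f"    {p}" for p in clusters[ts])
    return out


if __name__ == "__main__":
    found = find_drop_clusters(parse_find3m(SAMPLE_LOG))
    print("\n".join(triage_lines(found)) or "no clusters found")
```

A cluster is a triage cue rather than a verdict: it tells the helper which files to hash and submit, and a clean multi-engine result on files like these does not by itself remove them from the review list.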



#8 Ogriels

Ogriels
  • Topic Starter

Posted 27 July 2008 - 09:05 PM

Good evening,

I have been away for the week and haven't been able to address your instructions. :thumbsup:

Here are the Virustotal scans:

File wyvimyzura.pif received on 07.28.2008 03:59:15 (CET)
Result: 0/34 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2008.7.26.0 2008.07.27 -
AntiVir 7.8.1.12 2008.07.26 -
Authentium 5.1.0.4 2008.07.28 -
Avast 4.8.1195.0 2008.07.27 -
AVG 8.0.0.130 2008.07.27 -
BitDefender 7.2 2008.07.28 -
CAT-QuickHeal 9.50 2008.07.25 -
ClamAV 0.93.1 2008.07.28 -
DrWeb 4.44.0.09170 2008.07.27 -
eSafe 7.0.17.0 2008.07.27 -
eTrust-Vet 31.6.5983 2008.07.26 -
Ewido 4.0 2008.07.27 -
F-Prot 4.4.4.56 2008.07.28 -
Fortinet 3.14.0.0 2008.07.26 -
GData 2.0.7306.1023 2008.07.28 -
Ikarus T3.1.1.34.0 2008.07.28 -
Kaspersky 7.0.0.125 2008.07.28 -
McAfee 5347 2008.07.25 -
Microsoft 1.3704 2008.07.28 -
NOD32v2 3301 2008.07.27 -
Norman 5.80.02 2008.07.25 -
Panda 9.0.0.4 2008.07.27 -
PCTools 4.4.2.0 2008.07.27 -
Prevx1 V2 2008.07.28 -
Rising 20.54.62.00 2008.07.27 -
Sophos 4.31.0 2008.07.27 -
Sunbelt 3.1.1536.1 2008.07.25 -
Symantec 10 2008.07.28 -
TheHacker 6.2.96.389 2008.07.25 -
TrendMicro 8.700.0.1004 2008.07.26 -
VBA32 3.12.8.1 2008.07.27 -
ViRobot 2008.7.26.1311 2008.07.26 -
VirusBuster 4.5.11.0 2008.07.27 -
Webwasher-Gateway 6.6.2 2008.07.28 -
Additional information
File size: 15345 bytes
MD5...: 039d3b05000faa625573f465684c88e7
SHA1..: 307880ad8ff9efa31936b716feee6f0f3ac668a8
SHA256: f111cea37f5241b985c6b0d4285ef5c8e4e131043ae6884bdcae187c1129ec18
SHA512: ddf105b917888b8f0469d1243e73e3d21caa6e9b9acd70d6bb32ff2de067a81f2af0700df0a226fdee57aee492e05243ef01780e40d0a6bbc308957dcf001dbe
PEiD..: -
PEInfo: -

File buxi.vbs received on 07.28.2008 04:01:25 (CET)
Result: 0/34 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2008.7.26.0 2008.07.27 -
AntiVir 7.8.1.12 2008.07.26 -
Authentium 5.1.0.4 2008.07.28 -
Avast 4.8.1195.0 2008.07.27 -
AVG 8.0.0.130 2008.07.27 -
BitDefender 7.2 2008.07.28 -
CAT-QuickHeal 9.50 2008.07.25 -
ClamAV 0.93.1 2008.07.28 -
DrWeb 4.44.0.09170 2008.07.27 -
eSafe 7.0.17.0 2008.07.27 -
eTrust-Vet 31.6.5983 2008.07.26 -
Ewido 4.0 2008.07.27 -
F-Prot 4.4.4.56 2008.07.28 -
Fortinet 3.14.0.0 2008.07.26 -
GData 2.0.7306.1023 2008.07.28 -
Ikarus T3.1.1.34.0 2008.07.28 -
Kaspersky 7.0.0.125 2008.07.28 -
McAfee 5347 2008.07.25 -
Microsoft 1.3704 2008.07.28 -
NOD32v2 3301 2008.07.27 -
Norman 5.80.02 2008.07.25 -
Panda 9.0.0.4 2008.07.27 -
PCTools 4.4.2.0 2008.07.27 -
Prevx1 V2 2008.07.28 -
Rising 20.54.62.00 2008.07.27 -
Sophos 4.31.0 2008.07.27 -
Sunbelt 3.1.1536.1 2008.07.25 -
Symantec 10 2008.07.28 -
TheHacker 6.2.96.389 2008.07.25 -
TrendMicro 8.700.0.1004 2008.07.26 -
VBA32 3.12.8.1 2008.07.27 -
ViRobot 2008.7.26.1311 2008.07.26 -
VirusBuster 4.5.11.0 2008.07.27 -
Webwasher-Gateway 6.6.2 2008.07.28 -
Additional information
File size: 14355 bytes
MD5...: cec07c2bd1daa23e6a4d982593b761d2
SHA1..: 1ff69ef511276b683e5b53a21afcb905c57e7129
SHA256: fcb60a782a5fe3f749a0384538e549d1f8b490f54cc4f9cb3daab4cb6fab9898
SHA512: b9750143e4f466fc544bf5d012ad2ed8b5d6cd21fff54c47cf158f75914727f33ab8d0cbcc93284fe85d75d9706c21d561dfb09fe08cdd766e5b5c8b9b623b23
PEiD..: -
PEInfo: -

File bihywu._dl received on 07.28.2008 04:03:11 (CET)

Result: 0/34 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2008.7.26.0 2008.07.27 -
AntiVir 7.8.1.12 2008.07.26 -
Authentium 5.1.0.4 2008.07.28 -
Avast 4.8.1195.0 2008.07.27 -
AVG 8.0.0.130 2008.07.27 -
BitDefender 7.2 2008.07.28 -
CAT-QuickHeal 9.50 2008.07.25 -
ClamAV 0.93.1 2008.07.28 -
DrWeb 4.44.0.09170 2008.07.27 -
eSafe 7.0.17.0 2008.07.27 -
eTrust-Vet 31.6.5983 2008.07.26 -
Ewido 4.0 2008.07.27 -
F-Prot 4.4.4.56 2008.07.28 -
Fortinet 3.14.0.0 2008.07.26 -
GData 2.0.7306.1023 2008.07.28 -
Ikarus T3.1.1.34.0 2008.07.28 -
Kaspersky 7.0.0.125 2008.07.28 -
McAfee 5347 2008.07.25 -
Microsoft 1.3704 2008.07.28 -
NOD32v2 3301 2008.07.27 -
Norman 5.80.02 2008.07.25 -
Panda 9.0.0.4 2008.07.27 -
PCTools 4.4.2.0 2008.07.27 -
Prevx1 V2 2008.07.28 -
Rising 20.54.62.00 2008.07.27 -
Sophos 4.31.0 2008.07.27 -
Sunbelt 3.1.1536.1 2008.07.25 -
Symantec 10 2008.07.28 -
TheHacker 6.2.96.389 2008.07.25 -
TrendMicro 8.700.0.1004 2008.07.26 -
VBA32 3.12.8.1 2008.07.27 -
ViRobot 2008.7.26.1311 2008.07.26 -
VirusBuster 4.5.11.0 2008.07.27 -
Webwasher-Gateway 6.6.2 2008.07.28 -
Additional information
File size: 15959 bytes
MD5...: c3caa4ebf2548b654e0bcfe3f5cd0be6
SHA1..: a96b14611038efeab3e148d6a4470292f92a7f9d
SHA256: 226680a743a2be444b1fdba053c55567100b642a06714c58d272051c1d375f8e
SHA512: 347d3237d70093867761caf086892aa6796866ade210bb9444676b01a0e73c98025a81ea92ce49f1a1d85f612b850b18497e774e2a8be4fc08ab74dbcd6a2002
PEiD..: -
PEInfo: -


I will be able to conduct the other items in the list tomorrow night.

Thanks,
Bill

#9 Farbar


Posted 27 July 2008 - 11:39 PM

Thanks for letting me know. Take your time and post the rest when ready.

#10 Ogriels

Ogriels
  • Topic Starter

Posted 28 July 2008 - 07:47 PM

Ok, dumb question.... my old PS2 keyboard wore out. So I have replaced it with a Microsoft Natural USB Keyboard. Now I can not get into safe mode! Is it because it is a USB keyboard and the drivers aren't loaded when I am trying to select safe mode? I have tried various function keys to no effect :thumbsup:

I will try to borrow a PS2 keyboard tomorrow. (The main keyboard port on my motherboard is PS2.)

Bill

#11 Farbar


Posted 28 July 2008 - 09:28 PM

The USB port is probably not read at early boot:

1. If you can get to BIOS setup, eventually with PS/2 keyboard, make sure "USB controller" is On. It could be under On board Devices. If there is an option named "USB Legacy Support" it should be enabled. In some systems it is found under "Advanced", but depending on your system you may have to look around for those settings.

2. If you could not find the settings you may try a USB to PS/2 converter and connect the keyboard to PS/2 port.

#12 Ogriels

Ogriels
  • Topic Starter

Posted 30 July 2008 - 08:39 PM

Good evening,

Found the BIOS setting for the USB keyboard, thanks.

1. Done.

2. Done. Azureus download folder was empty. I don't use the program very often at all, and then mostly to transfer files with friends as opposed to surfing for torrents.

3. Windows firewall was turned off when I was trying to get Kaspersky to run, guess I forgot to turn it back on.

4. Alcohol 120 is not currently running for anything application-wise and I was not aware that any drivers were running. Yes it is installed on my computer.

5. Virustotal done previously in other post.

6. DrWeb-CureIt done. Reported a virus in the SDFix folder.

SDFix.exe\SDFix\apps\Process.exe;C:\Documents and Settings\William_2\Desktop\SDFix.exe;Tool.Prockill;;
SDFix.exe;C:\Documents and Settings\William_2\Desktop;Archive contains infected objects;;


7. SDFix done, nothing reported during the process.
One trojan file noted in the report.


SDFix: Version 1.209
Run by William on Wed 07/30/2008 at 06:58 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\PROGRA~1\ANTI-S~1\SDFix\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\tmp13.tmp - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-30 19:57:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s0"=dword:79f7cc62
"s1"=dword:43579723
"s2"=dword:0b63a8ae
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:66,26,09,66,5a,62,75,f9,0b,d9,25,a5,0e,05,b1,3f,43,71,16,99,23,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:66,26,09,66,5a,62,75,f9,0b,d9,25,a5,0e,05,b1,3f,43,71,16,99,23,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:66,26,09,66,5a,62,75,f9,0b,d9,25,a5,0e,05,b1,3f,43,71,16,99,23,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Game Files\\Dawn of War\\W40k.exe"="C:\\Game Files\\Dawn of War\\W40k.exe:*:Enabled:W40k"
"C:\\WINDOWS\\system32\\mshta.exe"="C:\\WINDOWS\\system32\\mshta.exe:*:Enabled:Microsoft ® HTML Application host"
"C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"="C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe:*:Enabled:HP Software Update Client"
"C:\\WINDOWS\\system32\\dpnsvr.exe"="C:\\WINDOWS\\system32\\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server"
"C:\\Program Files\\NetMeeting\\conf.exe"="C:\\Program Files\\NetMeeting\\conf.exe:*:Enabled:Windowsr NetMeetingr"
"C:\\Game Files\\Civilization 4\\Civilization4.exe"="C:\\Game Files\\Civilization 4\\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4"
"C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"="C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe:*:Enabled:Nero Home"
"C:\\Game Files\\Stronghold\\Stronghold2.exe"="C:\\Game Files\\Stronghold\\Stronghold2.exe:*:Enabled:Stronghold 2"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Game Files\\Lord of the Rings\\game.dat"="C:\\Game Files\\Lord of the Rings\\game.dat:*:Enabled:The Battle for Middle-earth™ II"
"C:\\Game Files\\Dawn of War\\W40kWA.exe"="C:\\Game Files\\Dawn of War\\W40kWA.exe:*:Enabled:W40kWA"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Game Files\\Dawn of War\\Crusade\\DarkCrusade\\DarkCrusade.exe"="C:\\Game Files\\Dawn of War\\Crusade\\DarkCrusade\\DarkCrusade.exe:*:Enabled:DarkCrusade"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :


File Backups: - C:\PROGRA~1\ANTI-S~1\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sun 13 Apr 2008 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Tue 6 Jun 2006 804,495,360 A.SH. --- "C:\RECYCLER\S-1-5-18\Dd1.sys"
Fri 11 Aug 2006 317,782 ..SH. --- "C:\WINDOWS\system32\mnnmp.tmp"
Sat 29 Jul 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 26 Apr 2005 20,992 A..H. --- "C:\Documents and Settings\All Users\Documents\Official Stuff\$WRL1512.TMP"
Tue 26 Apr 2005 22,016 A..H. --- "C:\Documents and Settings\All Users\Documents\Official Stuff\~WRL1602.tmp"
Tue 26 Apr 2005 20,992 A..H. --- "C:\Documents and Settings\All Users\Documents\Official Stuff\~WRL2127.tmp"
Tue 26 Apr 2005 20,480 A..H. --- "C:\Documents and Settings\All Users\Documents\Official Stuff\~WRL2563.tmp"
Mon 23 Apr 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 27 Apr 2005 19,968 A..H. --- "C:\Documents and Settings\All Users\Documents\Official Stuff\Business Letters\$WRL0001.TMP"
Mon 2 May 2005 21,504 A..H. --- "C:\Documents and Settings\All Users\Documents\Official Stuff\Business Letters\~WRL0003.tmp"
Mon 22 Nov 2004 30,720 A..H. --- "C:\Documents and Settings\All Users\Documents\Official Stuff\Military Related\~WRL1097.tmp"
Sat 20 Nov 2004 28,672 A..H. --- "C:\Documents and Settings\All Users\Documents\Official Stuff\Military Related\~WRL2505.tmp"
Sat 29 Jan 2005 99,328 A..H. --- "C:\Documents and Settings\All Users\Documents\Taeg's Stuff\Sign Language\~WRL2174.tmp"
Sat 29 Jan 2005 23,552 A..H. --- "C:\Documents and Settings\All Users\Documents\Taeg's Stuff\Sign Language\~WRL3475.tmp"
Thu 1 Jul 2004 32,768 A..H. --- "C:\Documents and Settings\All Users\Documents\Amanda's Stuff\Books\Undiscovered\~WRL0466.tmp"
Fri 2 Apr 2004 17,217 A..H. --- "C:\Documents and Settings\All Users\Documents\Amanda's Stuff\Books\Undiscovered\~WRL3603.tmp"
Fri 27 May 2005 3,232 A..H. --- "C:\Documents and Settings\All Users\Documents\Amanda's Stuff\Recipes\Tested\~WRL0002.tmp"
Wed 16 Mar 2005 2,500 A..H. --- "C:\Documents and Settings\All Users\Documents\Amanda's Stuff\Books\Undiscovered\Books\$WRL3278.TMP"
Wed 16 Mar 2005 7,916 A..H. --- "C:\Documents and Settings\All Users\Documents\Amanda's Stuff\Books\Undiscovered\Books\~WRL0175.tmp"
Tue 17 May 2005 12,595 A..H. --- "C:\Documents and Settings\All Users\Documents\Amanda's Stuff\Books\Undiscovered\Writing\~WRL3648.tmp"

Finished!



8. DSS done.

Deckard's System Scanner v20071014.68
Run by William on 2008-07-30 21:29:36
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as William.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:29:41 PM, on 7/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC Powerchute\mainserv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\SonyIEx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\umonit.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\APC Powerchute\apcsystray.exe
C:\Program Files\Symantec AntiVirus\vptray.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Anti-Spyware\Deckard\dss_new.exe
C:\PROGRA~1\ANTI-S~1\HIJACK~1\William.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\system32\umonit.exe
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://zone.msn.com
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} (SupportSoft Script Runner Class) - https://password.bellsouth.net/sdccommon/do...oad/tgctlsr.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1147927423109
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/bingame/amad/default/atomaders.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1147927412671
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://sympatico.zone.msn.com/bingame/amun...mjolauncher.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab60096.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A09C6DEE-EF0B-414B-A295-0BF0ACD780A5}: NameServer = 192.168.1.254,192.168.1.253
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC Powerchute\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SonyIEx - Unknown owner - C:\WINDOWS\system32\SonyIEx.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8282 bytes

-- Files created between 2008-06-30 and 2008-07-30 -----------------------------

2008-07-30 21:03:42 0 d-------- C:\WINDOWS\LastGood
2008-07-30 06:53:50 0 d-------- C:\WINDOWS\ERUNT
2008-07-30 06:52:03 0 d-------- C:\Program Files\New Folder (2)
2008-07-29 20:51:09 0 d-------- C:\Documents and Settings\William_2\DoctorWeb
2008-07-20 22:54:18 0 d-------- C:\Documents and Settings\William_2\Application Data\Malwarebytes
2008-07-20 22:54:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-19 00:14:11 0 d-------- C:\WINDOWS\Prefetch
2008-07-19 00:07:49 0 d-------- C:\Program Files\Messenger
2008-07-19 00:07:33 0 d-------- C:\WINDOWS\system32\scripting
2008-07-19 00:07:33 0 d-------- C:\WINDOWS\l2schemas
2008-07-19 00:07:32 0 d-------- C:\WINDOWS\system32\en
2008-07-19 00:07:32 0 d-------- C:\WINDOWS\system32\bits
2008-07-19 00:05:12 0 d-------- C:\WINDOWS\ServicePackFiles


-- Find3M Report ---------------------------------------------------------------

2008-07-30 21:22:21 0 d-------- C:\Program Files\Symantec AntiVirus
2008-07-30 06:52:23 0 d-------- C:\Program Files\Anti-Spyware
2008-07-19 21:15:28 0 d-------- C:\Program Files\MSN Messenger
2008-07-19 00:07:32 0 d-------- C:\Program Files\Movie Maker
2008-07-13 18:37:40 0 d-------- C:\Program Files\APC Powerchute
2008-06-16 13:11:04 15345 --a------ C:\WINDOWS\wyvimyzura.pif
2008-06-16 13:11:04 14418 --a------ C:\WINDOWS\system32\ucyfywylu.dat
2008-06-16 13:11:04 14355 --a------ C:\WINDOWS\system32\buxi.vbs
2008-06-16 13:11:04 14806 --a------ C:\WINDOWS\roxa.pif
2008-06-16 13:11:04 0 d-------- C:\Program Files\Common Files
2008-06-16 13:11:04 15959 --a------ C:\Program Files\Common Files\bihywu._dl
2008-06-04 21:22:11 0 d-------- C:\Program Files\Yahoo!
2008-05-11 05:10:51 68 --a------ C:\WINDOWS\E


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [06/09/2004 10:31 PM]
"UMonit"="C:\WINDOWS\system32\umonit.exe" [04/21/2003 01:23 PM]
"Speed racer"="C:\Program Files\Creative\PlayCenter\CTSRReg.exe" [11/16/1999 03:00 AM]
"AudioHQ"="C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE" [11/30/1999 03:00 AM]
"UpdReg"="C:\WINDOWS\Updreg.exe" [11/12/1999 03:00 AM]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [01/12/2005 04:54 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 09:20 PM]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [03/15/2005 05:46 AM]
"vptray"="C:\PROGRA~1\SYMANT~1\\vptray.exe" [10/06/2004 07:56 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [06/01/2006 03:32 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [4/23/2008 3:38:16 AM]
APC UPS Status.lnk - C:\Program Files\APC Powerchute\Display.exe [7/27/2007 9:28:48 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [9/16/2003 7:19:24 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc




-- End of Deckard's System Scanner: finished at 2008-07-30 21:30:24 ------------

Cheers,
Bill

#13 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,704 posts
  • ONLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:48 PM

Posted 01 August 2008 - 02:17 AM

Hi Bill,

Well done.

We have to dig a little deeper.
  • We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully.

    You have to install the Recovery Console before running the tool because Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


    Instruction to install Recovery Console :

    Go to Microsoft's website => http://support.microsoft.com/kb/310994

    Select the download that's appropriate for your Operating System




    Download the file & save it as it's originally named, next to ComboFix.exe.




    Now close all open windows and programs, including all antivirus and anti-malware programs, so they do not interfere with the running of ComboFix.
    • Drag the setup package onto ComboFix.exe and drop it.
    • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
    • At the next prompt, click 'Yes' to run the full ComboFix scan.

    • When the tool is finished, it will produce a report for you.
    Please copy and paste the content of C:\ComboFix.txt for further review.


  • Download regsearch.zip by Bobbi Flekman and Save it to your desktop.
    • Extract it to your desktop.
    • Click regsearch.exe to start the program.
    • Type dd1.sys in the upper window.
    • Click "OK" and Registry Search will search the Registry and report what it finds.
    • Copy and paste the result into your next reply.
    Note: The search takes a while. If you get notifications of access violation, click OK as many times as needed.

  • Please copy and paste a fresh Hijackthis log to your reply.


    In your next reply:
    • The Combofix log.
    • The regsearch result.
    • A fresh Hijackthis log.


#14 Ogriels

Ogriels
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:06:48 AM

Posted 03 August 2008 - 05:39 PM

Good day,

1. ComboFix.exe not completed.
The program would not run on this computer. I deactivated every program that I normally have running and all antivirus/malware, but it did not function. The first time it froze on stage 44 and the next at 12, then 12 again. When I say froze, I allowed the program to run for an hour each time but no activity was noted. So, there is no log I can provide.

Computer seems to have booted properly after shutdown. (the only means to recover from a frozen combofix....)

2. Regsearch conducted.

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman 2005
; Version: 2.0.5.0

; Results at 2008-08-03 17:23:08 for strings:
; 'dd1.sys'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...

3. HijackThis log created.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:33, on 2008-08-03
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC Powerchute\mainserv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\SonyIEx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\umonit.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\APC Powerchute\apcsystray.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Anti-Spyware\HiJackTHis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\system32\umonit.exe
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://zone.msn.com
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} (SupportSoft Script Runner Class) - https://password.bellsouth.net/sdccommon/do...oad/tgctlsr.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1147927423109
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/bingame/amad/default/atomaders.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1147927412671
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://sympatico.zone.msn.com/bingame/amun...mjolauncher.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab60096.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A09C6DEE-EF0B-414B-A295-0BF0ACD780A5}: NameServer = 192.168.1.254,192.168.1.253
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC Powerchute\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SonyIEx - Unknown owner - C:\WINDOWS\system32\SonyIEx.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8173 bytes


Cheers,
Bill

#15 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,704 posts
  • ONLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:48 PM

Posted 06 August 2008 - 01:22 AM

Hi Bill,
  • I see Windows Defender is running again. Please follow the instructions in Post #5 to turn it off. It is OK to have it turned off until we are finished with the cleaning.

  • Please download the OTMoveIt2 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt2.exe to run it.
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      C:\WINDOWS\system32\mnnmp.bak1
      C:\WINDOWS\system32\mnnmp.bak2
      C:\WINDOWS\system32\mnnmp.ini
      C:\WINDOWS\system32\mnnmp.ini2
      C:\WINDOWS\system32\mnnmp.tmp
      C:\WINDOWS\system32\pmnnm.dll
      C:\RECYCLER\S-1-5-18\Dd1.sys
      C:\Documents and Settings\All Users\Application Data\Viewpoint
    • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTMoveIt2
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

  • Please delete your copy of Combofix then download a fresh copy of Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Link 1
    Link 2
    Link 3


    **Note: It is important that it is saved directly to your desktop**

  • Start in Safe Mode Using the F8 key:
    • Restart the computer.
    • As soon as the BIOS is loaded, begin tapping the F8 key until the boot menu appears.
    • Use the arrow keys to select the Safe Mode menu item.
    • Press the Enter key.
  • Once in Safe Mode, double-click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" for further review.

      Note:
      Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
  • Please download mbr.exe from the following link and save it to your desktop: http://www2.gmer.net/mbr/mbr.exe
    • Double-click mbr.exe to run it. You will see a flash of a "DOS" box that then disappears. This is normal.
    • The tool creates a log (mbr.log) on your desktop. Copy and paste the content of that log to your reply.
  • Please copy and paste a fresh Hijackthis log to your reply.

To your reply:
  • The OTMoveIt2 log.
  • The Combofix log.
  • The mbr.log.
  • A fresh HiJackThis log.




