
Malware/trojan Posting System Popups When Opening Folders

#1 ardeay

  • Members
  • 2 posts

Posted 29 June 2008 - 11:13 PM

Hello all,


Stupidly I ran into this and knew instantly I was hit. Tried SpySweeper; it failed. Searched the string of text "Attention, Some dangerous trojan horse have infected your system....." and the result was: run ComboFix. After running it the problem wasn't fixed.

I have good knowledge and know-how with computers; I run Windows XP Pro.

Here is the DSS log

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-06-30 00:17:56
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 3 Restore Point(s) --
3: 2008-06-30 04:18:01 UTC - RP3 - Deckard's System Scanner Restore Point
2: 2008-06-30 03:53:30 UTC - RP2 - ComboFix created restore point
1: 2008-06-30 03:53:10 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:20:09 AM, on 6/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINXPSP2\System32\smss.exe
E:\WINXPSP2\system32\winlogon.exe
E:\WINXPSP2\system32\services.exe
E:\WINXPSP2\system32\lsass.exe
E:\WINXPSP2\system32\svchost.exe
E:\WINXPSP2\System32\svchost.exe
E:\WINXPSP2\system32\svchost.exe
E:\WINXPSP2\system32\spoolsv.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
E:\Program Files\Common Files\LightScribe\LSSrvc.exe
E:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
E:\WINXPSP2\system32\nvsvc32.exe
E:\WINXPSP2\system32\PnkBstrA.exe
E:\WINXPSP2\system32\PnkBstrB.exe
E:\WINXPSP2\system32\svchost.exe
E:\Program Files\Synergy\synergyc.exe
E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
E:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
E:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
E:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
E:\Program Files\Razer\DeathAdder\razerhid.exe
E:\WINXPSP2\system32\RUNDLL32.EXE
E:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
E:\Program Files\Razer\DeathAdder\razerofa.exe
E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
E:\WINXPSP2\system32\notepad.exe
E:\WINXPSP2\explorer.exe
E:\Documents and Settings\Administrator\Desktop\dss.exe
E:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - E:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: WinView plugin - {8AE578E0-6DF5-41E0-869F-F65A32D2F6BD} - E:\WINXPSP2\system32\domwin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - E:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [IgfxTray] E:\WINXPSP2\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] E:\WINXPSP2\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] E:\WINXPSP2\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "E:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] E:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "E:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "E:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINXPSP2\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" E:\WINXPSP2\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [DeathAdder] "E:\Program Files\Razer\DeathAdder\razerhid.exe"
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" E:\WINXPSP2\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] E:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKCU\..\Run: [SsAAD.exe] E:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "E:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [Skype] "E:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide1] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide2] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,L,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-343818398-1500820517-725345543-1005\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'postgres')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: FastStone Capture.lnk = E:\Program Files\FastStone Capture\FSCapture.exe
O4 - Startup: RescueTime.lnk = E:\Program Files\RescueTime\RescueTime.exe
O4 - Global Startup: ColorVisionStartup.lnk = E:\Program Files\ColorVision\Utility\ColorVisionStartup.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1165819372343
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D962CCB-AAA4-4101-8ED5-2977649E2927}: NameServer = 68.87.71.226,68.87.73.242
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - E:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - E:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - E:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - E:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - E:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - E:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINXPSP2\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - E:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - E:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
O23 - Service: PnkBstrA - Unknown owner - E:\WINXPSP2\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - E:\WINXPSP2\system32\PnkBstrB.exe
O23 - Service: SuperTV Pro Remote Control Service (RemoteControlService) - Unknown owner - E:\Program Files\SuperTV Pro\RemoteService\RS.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - E:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - E:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Synergy Client - Unknown owner - E:\Program Files\Synergy\synergyc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 11256 bytes

-- File Associations -----------------------------------------------------------

.js - jsfile - DefaultIcon - "E:\Program Files\Adobe\Adobe Dreamweaver CS3\Dreamweaver.exe",7
.js - jsfile - shell\open\command - "E:\Program Files\Adobe\Adobe Dreamweaver CS3\Dreamweaver.exe","%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 Cap7134 (713x_3 TV Card Capture) - e:\winxpsp2\system32\drivers\cap7134.sys <Not Verified; Philips Semiconductors; Philips cap7134>
R3 PhTVTune (SuperTV Pro WDM TVTuner (FM1216ME)) - e:\winxpsp2\system32\drivers\phtvtune.sys <Not Verified; Philips Semiconductors; Philips TVTuner WDM Driver>

S1 InCDPass - e:\winxpsp2\system32\drivers\incdpass.sys (file missing)
S1 InCDRm (InCD Reader) - e:\winxpsp2\system32\drivers\incdrm.sys (file missing)
S3 DSDrv4 - e:\program files\supertv pro\remoteservice\dsdrv4.sys
S3 GMSIPCI - x:\install\gmsipci.sys (file missing)
S3 NAL (Nal Service ) - e:\winxpsp2\system32\drivers\iqvw32.sys <Not Verified; Intel Corporation; Intel® iQVW32.SYS>
S3 RimUsb (BlackBerry Device) - e:\winxpsp2\system32\drivers\rimusb.sys (file missing)
S4 InCDFs (InCD File System) - e:\winxpsp2\system32\drivers\incdfs.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "e:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
R2 pgsql-8.3 (PostgreSQL Database Server 8.3) - "e:\program files\postgresql\8.3\bin\pg_ctl.exe" runservice -w -n "pgsql-8.3" -d "e:\program files\postgresql\8.3\data\" <Not Verified; PostgreSQL Global Development Group; PostgreSQL>
R2 Synergy Client - e:\program files\synergy\synergyc.exe
R3 FLEXnet Licensing Service - "e:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>

S2 RemoteControlService (SuperTV Pro Remote Control Service) - e:\program files\supertv pro\remoteservice\rs.exe <Not Verified; ; RS Application>
S2 RoxLiveShare9 (LiveShare P2P Server 9) - "e:\program files\common files\roxio shared\9.0\sharedcom\roxliveshare9.exe" (file missing)
S3 Adobe Version Cue CS2 - "e:\program files\adobe\adobe version cue cs2\bin\versioncuecs2.exe" -win32service <Not Verified; Adobe Systems Incorporated; Adobe Version Cue CS2>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-29 20:57:09 1562 --a------ E:\WINXPSP2\Tasks\wrSpySweeperTrialSweep.job
2008-06-29 00:41:00 480 --a------ E:\WINXPSP2\Tasks\SyncToy.job


-- Files created between 2008-05-30 and 2008-06-30 -----------------------------

2008-06-30 00:19:59 0 d-------- E:\Program Files\Trend Micro
2008-06-29 23:53:01 68096 --a------ E:\WINXPSP2\zip.exe
2008-06-29 23:53:01 49152 --a------ E:\WINXPSP2\VFind.exe
2008-06-29 23:53:01 212480 --a------ E:\WINXPSP2\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-29 23:53:01 136704 --a------ E:\WINXPSP2\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-29 23:53:01 161792 --a------ E:\WINXPSP2\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-29 23:53:01 98816 --a------ E:\WINXPSP2\sed.exe
2008-06-29 23:53:01 80412 --a------ E:\WINXPSP2\grep.exe
2008-06-29 23:53:01 89504 --a------ E:\WINXPSP2\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-29 21:00:36 0 d-------- E:\Documents and Settings\postgres\Application Data\Webroot
2008-06-29 20:57:11 0 d-------- E:\Documents and Settings\LocalService\Application Data\Webroot
2008-06-29 20:57:02 0 d-------- E:\Program Files\Webroot
2008-06-29 20:57:02 0 d-------- E:\Documents and Settings\All Users\Application Data\Webroot
2008-06-29 20:57:02 0 d-------- E:\Documents and Settings\Administrator\Application Data\Webroot
2008-06-29 20:56:14 164 --a------ E:\install.dat
2008-06-19 03:54:24 0 d-------- E:\Program Files\CrossFnt
2008-06-19 03:50:50 26624 --a------ E:\WINXPSP2\system32\domwin.dll
2008-06-08 20:44:06 0 d-------- E:\Documents and Settings\Administrator\Application Data\TeamViewer
2008-06-08 20:43:44 0 d-------- E:\Program Files\TeamViewer3
2008-06-08 20:38:59 0 d-------- E:\Documents and Settings\Administrator\temp
2008-06-04 17:50:10 0 d-------- E:\Program Files\AutoHotkey
2008-06-04 17:44:50 0 d-------- E:\Program Files\PokerAce Hud
2008-06-04 17:33:19 0 d--h----- E:\Documents and Settings\postgres\Templates
2008-06-04 17:33:19 0 dr------- E:\Documents and Settings\postgres\Start Menu
2008-06-04 17:33:19 0 dr-h----- E:\Documents and Settings\postgres\SendTo
2008-06-04 17:33:19 0 d--h----- E:\Documents and Settings\postgres\Recent
2008-06-04 17:33:19 0 d--h----- E:\Documents and Settings\postgres\PrintHood
2008-06-04 17:33:19 229376 --ah----- E:\Documents and Settings\postgres\NTUSER.DAT
2008-06-04 17:33:19 0 d--h----- E:\Documents and Settings\postgres\NetHood
2008-06-04 17:33:19 0 d-------- E:\Documents and Settings\postgres\My Documents
2008-06-04 17:33:19 0 d--h----- E:\Documents and Settings\postgres\Local Settings
2008-06-04 17:33:19 0 d-------- E:\Documents and Settings\postgres\Favorites
2008-06-04 17:33:19 0 d-------- E:\Documents and Settings\postgres\Desktop
2008-06-04 17:33:19 0 d---s---- E:\Documents and Settings\postgres\Cookies
2008-06-04 17:33:19 0 dr-h----- E:\Documents and Settings\postgres\Application Data
2008-06-04 17:33:19 0 d---s---- E:\Documents and Settings\postgres\Application Data\Microsoft
2008-06-04 17:33:19 0 d-------- E:\Documents and Settings\postgres\Application Data\Macromedia
2008-06-04 17:31:31 0 d-------- E:\Program Files\PostgreSQL
2008-06-04 17:28:50 0 d-a------ E:\Documents and Settings\All Users\Application Data\TEMP
2008-06-04 17:27:57 0 d-------- E:\Program Files\PokerTracker 3


-- Find3M Report ---------------------------------------------------------------

2008-06-29 23:55:31 0 d-------- E:\Documents and Settings\Administrator\Application Data\Skype
2008-06-29 22:08:28 0 d-------- E:\Program Files\Mozilla Thunderbird
2008-06-29 16:40:48 0 d-------- E:\Program Files\PokerStars
2008-06-19 04:23:45 0 d-------- E:\Documents and Settings\Administrator\Application Data\uTorrent
2008-06-05 16:01:24 0 d-------- E:\Documents and Settings\Administrator\Application Data\Adobe
2008-05-20 15:22:33 0 d-------- E:\Program Files\RescueTime
2008-05-16 12:03:51 0 d-------- E:\Program Files\Opera
2008-05-15 14:46:32 0 d-------- E:\Program Files\Common Files\Adobe
2008-05-15 14:42:38 0 d-------- E:\Program Files\Common Files
2008-05-15 14:42:38 0 d-------- E:\Program Files\Common Files\Control Panels
2008-05-15 14:05:07 0 d-------- E:\Program Files\Bonjour


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8AE578E0-6DF5-41E0-869F-F65A32D2F6BD}]
06/19/2008 03:50 AM 26624 --a------ E:\WINXPSP2\system32\domwin.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="E:\WINXPSP2\system32\igfxtray.exe" [06/23/2006 12:41 AM]
"HotKeysCmds"="E:\WINXPSP2\system32\hkcmd.exe" [06/23/2006 12:44 AM]
"Persistence"="E:\WINXPSP2\system32\igfxpers.exe" [06/23/2006 12:40 AM]
"SigmatelSysTrayApp"="sttray.exe" []
"IntelAudioStudio"="E:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" [09/21/2006 11:36 AM]
"TVTray"="" []
"QuickTime Task"="E:\Program Files\QuickTime\qttask.exe" [09/01/2006 04:57 PM]
"vptray"="E:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [07/30/2002 12:35 PM]
"SunJavaUpdateSched"="E:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"Adobe Version Cue CS2"="E:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [04/04/2005 07:58 PM]
"Acrobat Assistant 8.0"="E:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [01/11/2008 08:54 PM]
"NeroFilterCheck"="E:\WINXPSP2\system32\NeroCheck.exe" [07/09/2001 11:50 AM]
"NvCplDaemon"="RUNDLL32.exe" [08/04/2004 12:56 AM E:\WINXPSP2\system32\rundll32.exe]
"nwiz"="nwiz.exe" [12/05/2007 02:41 AM E:\WINXPSP2\system32\nwiz.exe]
"DeathAdder"="E:\Program Files\Razer\DeathAdder\razerhid.exe" [09/07/2007 04:54 PM]
"NvMediaCenter"="RUNDLL32.exe" [08/04/2004 12:56 AM E:\WINXPSP2\system32\rundll32.exe]
"Adobe Reader Speed Launcher"="E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"Adobe_ID0EYTHM"="E:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [03/20/2007 04:40 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SsAAD.exe"="E:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [11/02/2006 02:43 PM]
"NVIDIA nTune"="E:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" []
"Skype"="E:\Program Files\Skype\Phone\Skype.exe" [02/01/2008 06:22 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"nltide3"=cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

E:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
FastStone Capture.lnk - E:\Program Files\FastStone Capture\FSCapture.exe [1/16/2007 12:48:40 AM]
RescueTime.lnk - E:\Program Files\RescueTime\RescueTime.exe [3/19/2008 12:26:08 PM]

E:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ColorVisionStartup.lnk - E:\Program Files\ColorVision\Utility\ColorVisionStartup.exe [1/31/2006 1:23:15 PM]
Microsoft Office.lnk - E:\Program Files\Microsoft Office\Office10\OSA.EXE [2/12/2001 9:01:04 PM]
Microsoft Works Calendar Reminders.lnk - E:\WINXPSP2\Installer\{0CD3BB5C-BBCA-11D2-8C20-00C04FBBCFF9}\A94AAB13.exe [8/24/2007 1:32:07 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=1 (0x1)
"NoLowDiskSpaceChecks"=1 (0x1)
"NoStartBanner"=1 (0x1)
"NoSMHelp"=1 (0x1)
"ForceStartMenuLogoff"=0 (0x0)
"NoStartMenuPinnedList"=1 (0x1)
"NoSMConfigurePrograms"=1 (0x1)
"NoUserNameInStartMenu"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=1 (0x1)
"NoLowDiskSpaceChecks"=1 (0x1)
"NoStartBanner"=1 (0x1)
"NoSMHelp"=1 (0x1)
"StartMenuLogoff"=1 (0x1)
"ForceStartMenuLogoff"=0 (0x0)
"NoStartMenuPinnedList"=1 (0x1)
"NoSMConfigurePrograms"=1 (0x1)
"NoUserNameInStartMenu"=1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{518d3a00-fc52-11dc-ae48-0019d1052d0a}]
AutoRun\command- wd_windows_tools\WDEULA.exe

*Newly Created Service* - CATCHME



-- End of Deckard's System Scanner: finished at 2008-06-30 00:20:38 ------------

Edited by ardeay, 29 June 2008 - 11:39 PM.
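A check a practitioner would run on a log like the one above, added here as an example and not part of the original thread or of any tool named in it: cross-reference the HijackThis O2 (BHO) entries against the DSS "Files created" section and flag any helper object whose DLL was created inside the scan window, with an extra note when it is loaded from system32 rather than from under Program Files. The sample lines are excerpts copied from the log posted above; the 30-day window, the function names and the wording of the reasons are this example's own choices, and a hit is a triage lead to investigate, not a verdict.

```python
"""Triage helper: cross-reference HijackThis O2 (BHO) lines against the
DSS "Files created" section and flag BHOs whose DLL was created recently.

Heuristic only: a hit means "look at this first", not "malicious".
Sample lines below are excerpts copied from the log posted in this thread.
The 30-day window and the function names are this example's own choices.
"""
import re
from datetime import datetime, timedelta

# Excerpt of O2 lines from the HijackThis section of the posted log.
HJT_O2_LINES = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: WinView plugin - {8AE578E0-6DF5-41E0-869F-F65A32D2F6BD} - E:\WINXPSP2\system32\domwin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
"""

# Excerpt of the DSS "Files created between 2008-05-30 and 2008-06-30" section.
DSS_CREATED_LINES = r"""
2008-06-29 23:53:01 68096 --a------ E:\WINXPSP2\zip.exe
2008-06-19 03:54:24 0 d-------- E:\Program Files\CrossFnt
2008-06-19 03:50:50 26624 --a------ E:\WINXPSP2\system32\domwin.dll
2008-06-08 20:43:44 0 d-------- E:\Program Files\TeamViewer3
"""

# From the DSS header: "Run by Administrator on 2008-06-30 00:17:56".
SCAN_TIME = datetime(2008, 6, 30, 0, 17, 56)

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)
CREATED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<size>\d+) (?P<attrs>\S{9}) (?P<path>.+)$"
)


def parse_bhos(hjt_text):
    """Return a list of {name, clsid, path} dicts, one per O2 line."""
    bhos = []
    for line in hjt_text.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            bhos.append(m.groupdict())
    return bhos


def parse_created(dss_text):
    """Map lower-cased path -> (created, size) for file entries.

    Entries whose attribute string starts with 'd' are directories and skipped.
    """
    created = {}
    for line in dss_text.splitlines():
        m = CREATED_RE.match(line.strip())
        if not m or m["attrs"].startswith("d"):
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        created[m["path"].lower()] = (ts, int(m["size"]))
    return created


def flag_recent_bhos(hjt_text, dss_text, scan_time, window_days=30):
    """Return BHOs whose DLL was created within window_days of scan_time.

    Each result carries the O2 fields plus 'created', 'size' and a list of
    human-readable 'reasons' for the analyst.
    """
    created = parse_created(dss_text)
    cutoff = scan_time - timedelta(days=window_days)
    flagged = []
    for bho in parse_bhos(hjt_text):
        hit = created.get(bho["path"].lower())
        if hit is None or hit[0] < cutoff:
            continue
        ts, size = hit
        reasons = [f"DLL created {ts:%Y-%m-%d}, within {window_days} days of the scan"]
        if "\\system32\\" in bho["path"].lower():
            reasons.append("third-party BHO loaded from system32, unusual for legitimate add-ons")
        flagged.append({**bho, "created": ts, "size": size, "reasons": reasons})
    return flagged


def run_example():
    """Apply the check to the embedded excerpts and return the flagged list."""
    return flag_recent_bhos(HJT_O2_LINES, DSS_CREATED_LINES, SCAN_TIME)


if __name__ == "__main__":
    for hit in run_example():
        print(f"{hit['clsid']}  {hit['name']}  {hit['path']}")
        for reason in hit["reasons"]:
            print("   -", reason)
```

On the excerpt above the only BHO that also appears in the recent-files list is the one under system32, which is exactly the entry an analyst would pull apart first (file hash, signer, what registered the CLSID). The vendor-shipped BHOs under Program Files fall out because nothing in the created list matches them.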


#2 ardeay

  • Topic Starter

  • Members
  • 2 posts

Posted 30 June 2008 - 04:03 AM

This was the fix, if needed for future reference:

http://www.malwareteks.com/downloads11.html

#3 KoanYorel


    Bleepin' Conundrum


  • Members
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 30 June 2008 - 07:54 AM

Thanks for informing us of what you have done.

Should you find other problems, please start a new topic.

This thread is closed.
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)
