
Infected By Antivirus Xp/malware Xp 2008 - Trojans Keep Getting Found...


20 replies to this topic

#1 stiahhh


  • Members
  • 15 posts

Posted 08 July 2008 - 05:15 PM

Here is a link to my previous posts (pre DSS) so you can get an idea of what's happening to my system:

http://www.bleepingcomputer.com/forums/t/156344/i-have-the-same-hijacked-system-problems-as-neo147-need-help-w-combofix-logsplease/

Also noticed that the infection seems to have taken control of my desktop settings. When you right-click on the desktop to get the settings window (with the image menu, screen saver menu, etc.) it's different from prior to the infection. I no longer have tabs for some things to click on in this menu now. This has to be related somehow to the background screen image going back to the "Your computer is infected with..." at reboot. Very weird.

Anyhow, here is the "main" DSS logfile, followed by the "extra" one:



"main"
Deckard's System Scanner v20071014.68
Run by Jeff on 2008-07-08 17:58:14
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
7: 2008-07-08 21:58:26 UTC - RP8 - Deckard's System Scanner Restore Point
6: 2008-07-08 02:10:27 UTC - RP7 - Software Distribution Service 3.0
5: 2008-07-08 02:02:54 UTC - RP6 - Software Distribution Service 3.0
4: 2008-07-08 02:01:47 UTC - RP5 - before spack3
3: 2008-07-08 01:59:22 UTC - RP4 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-07-07 15:50:39 UTC - RP2 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-08 18:02:31
Platform: Windows XP Service Pack 3 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Intel Application Accelerator\IAAnotif.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\CDProxyServ.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Sony\sHotKey\SHOTKEY.exe
C:\Program Files\Intel\Intel Application Accelerator\IAANTmon.exe
C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jeff\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [sHotKey] "C:\Program Files\SONY\sHotKey\sHotKey.exe"
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [VAIO Recovery] "C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [lphc354j0evbn] C:\WINDOWS\system32\lphc354j0evbn.exe
O4 - HKLM\..\Run: [SMrhc754j0evbn] C:\Program Files\rhc754j0evbn\rhc754j0evbn.exe
O4 - HKLM\..\Run: [SMshc554j0evbn] C:\Program Files\shc554j0evbn\shc554j0evbn.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - file://J:\setup\RiffLick.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\system32\WRLogonNTF.dll (file missing)
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - Unknown owner - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\IAANTmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: M-Audio CMIDI Installer (MA_CMIDI_InstallerService) - Unknown owner - C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
O23 - Service: Sony TVTA Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe


--
End of file - 12582 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 $sys$cor - c:\windows\system32\drivers\$sys$cor.sys
R1 $sys$crater - c:\windows\system32\$sys$filesystem\crater.sys
R1 SbcpHid - c:\windows\system32\drivers\sbcphid.sys
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys
R3 SjyPkt - c:\windows\system32\drivers\sjypkt.sys

S1 InCDPass - c:\windows\system32\drivers\incdpass.sys (file missing)
S1 InCDRm (InCD Reader) - c:\windows\system32\drivers\incdrm.sys (file missing)
S2 PfModNT - c:\windows\system32\pfmodnt.sys (file missing)
S3 $sys$lim - c:\windows\system32\$sys$filesystem\lim.sys
S3 cxwibu (Team H2O WIBU Driver) - c:\program files\wibukey\h2o\cxwibu.sys (file missing)
S3 EVOLUSB (%EVOL_USB_SvcDesc%) - c:\windows\system32\drivers\evolusb.sys (file missing)
S3 jswmidin - c:\docume~1\jeff\locals~1\temp\jswmidin.sys (file missing)
S3 KLIF - c:\progra~1\pctool~1\klif.sys (file missing)
S3 MA_CMIDI (%EVOL_USB.SvcDesc%) - c:\windows\system32\drivers\ma_cmidi.sys
S3 Pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys
S3 sdcplh - c:\windows\system32\drivers\sdcplh.sys
S3 TSP - c:\progra~1\pctool~1\klif.sys (file missing)
S3 USBAAPL (Apple Mobile USB Driver) - c:\windows\system32\drivers\usbaapl.sys (file missing)
S4 InCDFs (InCD File System) - c:\windows\system32\drivers\incdfs.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe"
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe"
R2 CD_Proxy (XCP CD Proxy) - c:\windows\cdproxyserv.exe
R2 MA_CMIDI_InstallerService (M-Audio CMIDI Installer) - c:\program files\m-audio ma_cmidi\ma_cmidi_inst.exe

S2 $sys$DRMServer (Plug and Play Device Manager) - c:\windows\system32\$sys$filesystem\$sys$drmserver.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel® PRO/1000 MT Network Connection
Device ID: PCI\VEN_8086&DEV_1076&SUBSYS_81A2104D&REV_00\4&23C0B1C&0&30F0
Manufacturer: Intel
Name: Intel® PRO/1000 MT Network Connection
PNP Device ID: PCI\VEN_8086&DEV_1076&SUBSYS_81A2104D&REV_00\4&23C0B1C&0&30F0
Service: E1000


-- Scheduled Tasks -------------------------------------------------------------

2005-01-08 08:23:03 428 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job


-- Files created between 2008-06-08 and 2008-07-08 -----------------------------

2008-07-08 00:09:05 0 d-------- C:\Program Files\Panda Security
2008-07-08 00:09:03 0 d-------- C:\WINDOWS\LastGood
2008-07-07 22:35:13 0 d-------- C:\WINDOWS\Prefetch
2008-07-07 22:26:26 0 d-------- C:\WINDOWS\system32\scripting
2008-07-07 22:26:25 0 d-------- C:\WINDOWS\l2schemas
2008-07-07 22:26:24 0 d-------- C:\WINDOWS\system32\en
2008-07-07 22:26:24 0 d-------- C:\WINDOWS\system32\bits
2008-07-07 22:24:13 0 d-------- C:\WINDOWS\ServicePackFiles
2008-07-07 22:21:23 0 d-------- C:\WINDOWS\network diagnostic
2008-07-07 21:15:54 0 d-------- C:\Documents and Settings\Jeff\Application Data\shc554j0evbn
2008-07-07 12:27:53 388608 --a------ C:\WINDOWS\system32\CF19702.exe
2008-07-06 22:44:55 0 d-------- C:\Documents and Settings\Jeff\Application Data\rhc754j0evbn
2008-07-06 22:44:03 60928 -----n--- C:\WINDOWS\system32\blphc354j0evbn.scr
2008-07-06 22:44:00 109056 --a------ C:\WINDOWS\system32\lphc354j0evbn.exe
2008-07-04 00:56:03 0 d-------- C:\Program Files\iTunes
2008-07-04 00:55:18 0 d-------- C:\Program Files\Bonjour
2008-07-04 00:54:30 0 d-------- C:\Program Files\QuickTime
2008-07-04 00:52:37 0 d-------- C:\Program Files\Apple Software Update
2008-07-04 00:52:12 0 d-------- C:\Program Files\Common Files\Apple
2008-07-04 00:52:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-06-20 23:14:15 0 d-------- C:\Program Files\NCH Software
2008-06-20 23:13:24 0 d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-06-20 23:13:16 0 d-------- C:\Program Files\NCH Swift Sound
2008-06-20 23:13:16 0 d-------- C:\Documents and Settings\Jeff\Application Data\NCH Swift Sound
2008-06-20 23:05:06 0 d-------- C:\Documents and Settings\Jeff\Application Data\FairStars Audio Converter


-- Find3M Report ---------------------------------------------------------------

2008-07-07 22:26:51 0 d-------- C:\Program Files\Messenger
2008-07-07 22:26:24 0 d-------- C:\Program Files\Movie Maker
2008-07-07 22:23:49 0 d-------- C:\Program Files\Windows NT
2008-07-04 00:56:08 0 d-------- C:\Program Files\iPod
2008-07-04 00:52:12 0 d-------- C:\Program Files\Common Files
2008-06-30 02:37:36 0 d-------- C:\Program Files\PLUG INS
2008-06-26 22:07:29 0 d-------- C:\Documents and Settings\Jeff\Application Data\AVG7
2008-06-07 19:34:22 0 d-------- C:\Program Files\SlySoft
2008-05-18 12:18:32 0 d-------- C:\Program Files\BitComet
2008-05-12 01:39:04 0 d-------- C:\Documents and Settings\Jeff\Application Data\AdobeUM


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/05/2005 02:56 PM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [09/10/2004 12:10 AM]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [03/17/2004 06:10 PM C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [03/23/2004 03:16 PM]
"SoundMan"="SOUNDMAN.EXE" [07/28/2004 08:40 PM C:\WINDOWS\SOUNDMAN.EXE]
"sHotKey"="C:\Program Files\SONY\sHotKey\sHotKey.exe" [08/22/2003 12:22 PM]
"VAIO Update 2"="C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" [01/17/2004 06:36 AM]
"AlcWzrd"="ALCWZRD.EXE" [07/28/2004 09:34 PM C:\WINDOWS\ALCWZRD.EXE]
"Alcmtr"="ALCMTR.EXE" [07/20/2004 01:22 PM C:\WINDOWS\ALCMTR.EXE]
"VAIO Recovery"="C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" [04/20/2003 01:08 AM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 11:50 AM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [04/15/2008 08:06 AM]
"TotalRecorderScheduler"="C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe" [05/12/2006 02:32 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [03/28/2008 09:17 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [05/27/2008 10:50 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [06/02/2008 11:13 AM]
"lphc354j0evbn"="C:\WINDOWS\system32\lphc354j0evbn.exe" [07/06/2008 10:44 PM]
"SMrhc754j0evbn"="C:\Program Files\rhc754j0evbn\rhc754j0evbn.exe" []
"SMshc554j0evbn"="C:\Program Files\shc554j0evbn\shc554j0evbn.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/2006 04:45 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [11/2/2005 4:58:26 PM]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=1 (0x1)
"NoDispScrSavPage"=1 (0x1)
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{858bdf90-3b28-11dd-a8cd-000fb5c1fa9f}]
AutoRun\command- F:\wd_windows_tools\WDSetup.exe




-- End of Deckard's System Scanner: finished at 2008-07-08 18:04:50 ------------


"extra":
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 3.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.20GHz
Percentage of Memory in Use: 38%
Physical Memory (total/avail): 1023.36 MiB / 624.84 MiB
Pagefile Memory (total/avail): 2461.52 MiB / 2112.01 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1917.35 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 180.3 GiB total, 79.79 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is Removable (No Media)

\\.\PHYSICALDRIVE0 - WDC WD2000JD-98HBB0 - 186.31 GiB - 2 partitions
\PARTITION0 - Unknown - 6.01 GiB
\PARTITION1 (bootable) - Installable File System - 180.3 GiB - C:

\\.\PHYSICALDRIVE2 - Sony UMH-U HS-CF USB Device

\\.\PHYSICALDRIVE1 - Sony UMH-U HS-MS USB Device

\\.\PHYSICALDRIVE4 - Sony UMH-U HS-SD/MMC USB Device

\\.\PHYSICALDRIVE3 - Sony UMH-U HS-XD USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Jeff\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=YOUR-13E050B673
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Jeff
LOGONSERVER=\\YOUR-13E050B673
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 3 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0304
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Jeff\LOCALS~1\Temp
TMP=C:\DOCUME~1\Jeff\LOCALS~1\Temp
USERDOMAIN=YOUR-13E050B673
USERNAME=Jeff
USERPROFILE=C:\Documents and Settings\Jeff
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Jeff (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

Panda ActiveScan 2.0 --> C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type12097 / Warning
Event Submitted/Written: 07/07/2008 10:40:29 PM
Event ID/Source: 5603 / WinMgmt
Event Description:
A provider, Rsop Planning Mode Provider, has been registered in the WMI namespace, root\RSOP, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

Event Record #/Type12096 / Warning
Event Submitted/Written: 07/07/2008 10:40:29 PM
Event ID/Source: 5603 / WinMgmt
Event Description:
A provider, Rsop Planning Mode Provider, has been registered in the WMI namespace, root\RSOP, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

Event Record #/Type12093 / Success
Event Submitted/Written: 07/07/2008 10:39:29 PM
Event ID/Source: 1 / Media Center Receiver
Event Description:
Service registration successful.

Event Record #/Type12076 / Warning
Event Submitted/Written: 07/07/2008 10:27:26 PM
Event ID/Source: 63 / WinMgmt
Event Description:
A provider, HiPerfCooker_v1, has been registered in the WMI namespace, Root\WMI, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Event Record #/Type12075 / Error
Event Submitted/Written: 07/07/2008 09:47:49 PM
Event ID/Source: 1001 / Application Hang
Event Description:
Fault bucket 126637809.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type46296 / Error
Event Submitted/Written: 07/08/2008 06:07:01 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The KLIF service failed to start due to the following error:
%%2

Event Record #/Type46295 / Error
Event Submitted/Written: 07/08/2008 06:07:01 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The KLIF service failed to start due to the following error:
%%2

Event Record #/Type46294 / Error
Event Submitted/Written: 07/08/2008 06:07:00 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The TSP service failed to start due to the following error:
%%2

Event Record #/Type46293 / Error
Event Submitted/Written: 07/08/2008 06:07:00 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The TSP service failed to start due to the following error:
%%2

Event Record #/Type46292 / Error
Event Submitted/Written: 07/08/2008 06:07:00 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The KLIF service failed to start due to the following error:
%%2



-- End of Deckard's System Scanner: finished at 2008-07-08 18:04:50 ------------





Thanks for looking at my problem BC staff!

Edited by stiahhh, 08 July 2008 - 06:23 PM.
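A small defender-side triage script for the DSS/HijackThis output above, added here as an example and not part of the post or of any BleepingComputer tool: it picks out O4 Run entries whose executable name looks auto-generated (the lphc354j0evbn, rhc754j0evbn and shc554j0evbn entries) and reports the Policies\System values (NoDispBackgroundPage, NoDispScrSavPage) that hide the Background and Screen Saver tabs the poster says are missing. The name heuristic and the sample log are constructed for this example; the sample copies the relevant lines from the log above.

```python
import re

# Constructed sample in the HijackThis / DSS format used in the post above; the
# three random-looking Run entries and the two policy values are copied from the
# poster's log, the rest are ordinary entries for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [lphc354j0evbn] C:\WINDOWS\system32\lphc354j0evbn.exe
O4 - HKLM\..\Run: [SMrhc754j0evbn] C:\Program Files\rhc754j0evbn\rhc754j0evbn.exe
O4 - HKLM\..\Run: [SMshc554j0evbn] C:\Program Files\shc554j0evbn\shc554j0evbn.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=1 (0x1)
"NoDispScrSavPage"=1 (0x1)
"disableregistrytools"=0 (0x0)
"""

O4_RUN = re.compile(r'^O4 - .*?\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
EXE_BASENAME = re.compile(r'([^\\/"]+)\.exe', re.IGNORECASE)
POLICY_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>\d+)')

# Policies\System values that hide Display Properties tabs or lock out admin
# tools. A non-zero value on a home machine is a red flag; the poster's log has
# the first two set, which is what removes the Background and Screen Saver tabs.
RESTRICTIVE_POLICIES = {
    "nodispbackgroundpage", "nodispscrsavpage", "nodispappearancepage",
    "nodispsettingspage", "nodispcpl", "disabletaskmgr", "disableregistrytools",
}


def looks_generated(basename):
    """Heuristic (an assumption for this example, not a published rule): a long,
    all-lowercase alphanumeric name with several digits that run back into
    letters (lphc354j0evbn) is unlikely to be a product's executable name."""
    name = basename.lower()
    if len(name) < 10 or not name.isalnum():
        return False
    digits = sum(c.isdigit() for c in name)
    mixed = re.search(r'\d[a-z]', name) is not None
    return digits >= 3 and mixed


def suspicious_run_entries(log_text):
    """Names of O4 Run entries whose executable base name looks auto-generated."""
    flagged = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line)
        if not m:
            continue
        exe = EXE_BASENAME.search(m.group("cmd"))
        if exe and looks_generated(exe.group(1)):
            flagged.append(m.group("name"))
    return flagged


def restrictive_policies(log_text):
    """Enabled (non-zero) restrictive values under a ...\\Policies\\System key
    in the DSS registry dump, returned with the spelling used in the log."""
    enabled = []
    in_policy_key = False
    for line in log_text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            in_policy_key = line.lower().rstrip("]").endswith(r"policies\system")
            continue
        if not in_policy_key:
            continue
        m = POLICY_VALUE.match(line)
        if (m and int(m.group("value")) != 0
                and m.group("name").lower() in RESTRICTIVE_POLICIES):
            enabled.append(m.group("name"))
    return enabled


def triage(log_text):
    """Summarise both checks for a log pasted into a thread like this one."""
    return {
        "suspicious_run": suspicious_run_entries(log_text),
        "restrictive_policies": restrictive_policies(log_text),
    }


if __name__ == "__main__":
    for section, hits in triage(SAMPLE_LOG).items():
        print(section)
        for hit in hits:
            print("   ", hit)
```

The heuristic is deliberately loose; in practice the flagged names are leads to check (file dates, vendor signature, MBAM detection) rather than verdicts.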




#2 Guest_White Warrior_*


  • Guests

Posted 18 July 2008 - 07:39 AM

Hello stiahhh,

I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.


White Warrior

#3 stiahhh

  • Topic Starter

  • Members
  • 15 posts

Posted 20 July 2008 - 04:06 PM

Thanks WWarrior...will do.

#4 Guest_White Warrior_*


  • Guests

Posted 20 July 2008 - 09:04 PM

Hello stiahhh. Welcome to Bleeping Computer.

First of all, please save these instructions in Notepad to your Desktop, or print them, for easy reference. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.

Please download Malwarebytes' Anti-Malware to your Desktop
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a location you will remember.
  • Copy and Paste that log into your next reply.
Please download ComboFix.exe. Visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Please Post:

Malwarebytes Report
ComboFix log
A new HijackThis log



White Warrior

#5 stiahhh

stiahhh
  • Topic Starter

  • Members
  • 15 posts

Posted 21 July 2008 - 11:23 PM

I ran Malwarebytes' Anti-Malware and was about to move on to the ComboFix part of the process when I checked my desktop settings and noticed that I have control of my settings (picture, screen saver, etc.) again! It appears that whatever had control of that is now removed...

Should I continue to the ComboFix process now? Things seem OK for the moment... (I'm just wondering because it seems like a pretty serious program that you should only run if you need to.)

Here's the log from that scan:

Malwarebytes' Anti-Malware 1.22
Database version: 977
Windows 5.1.2600 Service Pack 3

11:29:37 PM 7/21/2008
mbam-log-7-21-2008 (23-29-37).txt

Scan type: Full Scan (C:\|)
Objects scanned: 172234
Time elapsed: 1 hour(s), 44 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\rhc754j0evbn (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\shc554j0evbn (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphc354j0evbn (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smrhc754j0evbn (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smshc554j0evbn (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\Jeff\LOCALS~1\Temp\GLKB.tmp (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
C:\Program Files\PLUG INS\hurdy gurdy\HurdyGurdy\license_tool.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\PLUG INS\hurdy gurdy\HurdyGurdyLE\license_tool.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phc354j0evbn.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Local Settings\Temp\.tt8.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

Edited by stiahhh, 21 July 2008 - 11:24 PM.
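The Hijack.DisplayProperties data items in that log (NoDispBackgroundPage and NoDispScrSavPage set to 1) are the policy values that hide the Desktop and Screen Saver tabs the thread starter reported missing, and the Run-key values are how the rogue relaunched at every logon. As an added example, not code from this thread or from Malwarebytes, here is a Python parser for that MBAM 1.x log format that pulls those findings out and builds a REGEDIT4 fragment restoring each hijacked data item to the "Good" value MBAM reported; the sample log is a constructed excerpt of the one posted and the function names are my own.

```python
"""Parser for Malwarebytes' Anti-Malware 1.x scan logs; a finding line looks like
    <path> (<family>) -> [Bad: (<x>) Good: (<y>) -> ]<action taken>."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: an excerpt in the shape of the MBAM 1.22 log posted above.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.22
Database version: 977
Registry Keys Infected: 1

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\rhc754j0evbn (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphc354j0evbn (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\phc354j0evbn.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

# "Registry Keys Infected:" opens a section; "Registry Keys Infected: 1" is only a summary count.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+) Infected:$")
ITEM_RE = re.compile(
    r"^(?P<path>.+?) \((?P<family>[A-Za-z0-9._-]+)\) -> "
    r"(?:Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> )?"
    r"(?P<action>.+?)\.?$"
)


@dataclass(frozen=True)
class Finding:
    section: str          # "Registry Keys", "Registry Data Items", "Files", ...
    path: str             # registry path or file path
    family: str           # MBAM threat family, e.g. "Hijack.DisplayProperties"
    action: str           # what MBAM did, without the trailing period
    bad: Optional[str]    # observed data (Registry Data Items only)
    good: Optional[str]   # data MBAM restores (Registry Data Items only)


def parse_mbam_log(text: str) -> List[Finding]:
    """Walk the log line by line, tracking which '... Infected:' section we are in."""
    findings: List[Finding] = []
    section: Optional[str] = None
    for line in (raw.strip() for raw in text.splitlines()):
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name")
        elif section is not None and (item := ITEM_RE.match(line)):
            findings.append(Finding(section, item["path"], item["family"],
                                    item["action"], item["bad"], item["good"]))
    return findings


def count_by_family(findings: List[Finding]) -> Dict[str, int]:
    """How many findings each threat family accounts for."""
    return dict(Counter(f.family for f in findings))


def display_lockdown(findings: List[Finding]) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """(name, bad, good) for NoDisp* policy values; a value of 1 hides that Display Properties tab."""
    return [(f.path.rsplit("\\", 1)[-1], f.bad, f.good)
            for f in findings if f.path.rsplit("\\", 1)[-1].startswith("NoDisp")]


def run_key_persistence(findings: List[Finding]) -> List[str]:
    """Autostart values under a ...\\CurrentVersion\\Run key (relaunch at every logon)."""
    return [f.path for f in findings if "\\currentversion\\run\\" in f.path.lower()]


def restore_reg_fragment(findings: List[Finding]) -> str:
    """REGEDIT4 text that writes each hijacked data item back to its Good value."""
    by_key: Dict[str, List[Tuple[str, str]]] = {}
    for f in findings:
        if f.section == "Registry Data Items" and f.good is not None:
            key, name = f.path.rsplit("\\", 1)
            by_key.setdefault(key, []).append((name, f.good))
    lines = ["REGEDIT4", ""]
    for key, values in by_key.items():
        lines.append(f"[{key}]")
        for name, good in values:  # MBAM prints REG_DWORD data as a decimal number
            lines.append(f'"{name}"=dword:{int(good):08x}' if good.isdigit() else f'"{name}"="{good}"')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(restore_reg_fragment(parse_mbam_log(SAMPLE_LOG)))
```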


#6 Guest_White Warrior_*

Guest_White Warrior_*

  • Guests

Posted 22 July 2008 - 06:44 AM

Hello stiahhh

Yes, please proceed with running ComboFix.

There will be files, folders and possibly registry entries leftover from the infection which must be deleted or the infection will regenerate.



White Warrior

#7 stiahhh

stiahhh
  • Topic Starter

  • Members
  • 15 posts

Posted 26 July 2008 - 07:50 PM

Sorry it took me a few days to get the ComboFix log posted... crazy week. Anyway, here it is:



ComboFix 08-07-26.1 - Jeff 2008-07-26 20:36:12.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.501 [GMT -4:00]
Running from: C:\Documents and Settings\Jeff\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jeff\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Jeff\Application Data\inst.exe
C:\Documents and Settings\Jeff\Application Data\macromedia\Flash Player\#SharedObjects\V2BVR6V6\interclick.com
C:\Documents and Settings\Jeff\Application Data\macromedia\Flash Player\#SharedObjects\V2BVR6V6\interclick.com\ud.sol
C:\Documents and Settings\Jeff\Application Data\macromedia\Flash Player\#SharedObjects\V2BVR6V6\www.broadcaster.com
C:\Documents and Settings\Jeff\Application Data\macromedia\Flash Player\#SharedObjects\V2BVR6V6\www.broadcaster.com\played_list.sol
C:\Documents and Settings\Jeff\Application Data\macromedia\Flash Player\#SharedObjects\V2BVR6V6\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\Jeff\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Jeff\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Jeff\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Jeff\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\WINDOWS\setup.exe

.
((((((((((((((((((((((((( Files Created from 2008-06-27 to 2008-07-27 )))))))))))))))))))))))))))))))
.

2008-07-21 21:29 . 2008-07-26 19:24 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-21 21:29 . 2008-07-21 21:29 <DIR> d-------- C:\Documents and Settings\Jeff\Application Data\Malwarebytes
2008-07-21 21:29 . 2008-07-21 21:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-21 21:29 . 2008-07-23 20:09 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-21 21:29 . 2008-07-23 20:09 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-12 01:42 . 2008-07-12 01:42 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-12 01:41 . 2008-07-12 01:41 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-08 21:36 . 2008-07-08 21:37 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-07-08 21:36 . 2008-07-12 17:26 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-08 17:57 . 2008-07-08 17:57 <DIR> d-------- C:\Deckard
2008-07-07 22:24 . 2008-07-07 22:24 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-07-07 22:19 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\003340_.tmp
2008-07-04 00:56 . 2008-07-04 00:56 <DIR> d-------- C:\Program Files\iTunes
2008-07-04 00:55 . 2008-07-04 00:55 <DIR> d-------- C:\Program Files\Bonjour
2008-07-04 00:54 . 2008-07-04 00:54 <DIR> d-------- C:\Program Files\QuickTime
2008-07-04 00:52 . 2008-07-04 00:52 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-07-04 00:52 . 2008-07-04 00:52 <DIR> d-------- C:\Program Files\Apple Software Update
2008-07-04 00:52 . 2008-07-04 00:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-21 00:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-07-20 05:40 --------- d-----w C:\Program Files\Java
2008-07-12 21:50 --------- d-----w C:\Program Files\Vstplugins
2008-07-08 23:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-08 22:31 --------- d-----w C:\Documents and Settings\Jeff\Application Data\AVG7
2008-07-04 04:56 --------- d-----w C:\Program Files\iPod
2008-06-30 06:37 --------- d-----w C:\Program Files\PLUG INS
2008-06-26 02:08 --------- d-----w C:\Program Files\NCH Swift Sound
2008-06-21 03:14 --------- d-----w C:\Program Files\NCH Software
2008-06-21 03:13 --------- d-----w C:\Documents and Settings\Jeff\Application Data\NCH Swift Sound
2008-06-21 03:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-06-21 03:05 --------- d-----w C:\Documents and Settings\Jeff\Application Data\FairStars Audio Converter
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-07 23:34 --------- d-----w C:\Program Files\SlySoft
2008-05-16 15:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-09 10:53 90,112 ----a-w C:\WINDOWS\system32\wshext.dll
2008-05-09 10:53 430,080 ----a-w C:\WINDOWS\system32\vbscript.dll
2008-05-09 10:53 180,224 ----a-w C:\WINDOWS\system32\scrobj.dll
2008-05-09 10:53 172,032 ----a-w C:\WINDOWS\system32\scrrun.dll
2008-05-08 11:24 155,648 ----a-w C:\WINDOWS\system32\wscript.exe
2008-05-07 09:07 135,168 ----a-w C:\WINDOWS\system32\cscript.exe
2008-05-07 05:12 1,288,192 ------w C:\WINDOWS\system32\quartz.dll
2008-02-18 18:23 47,360 ----a-w C:\Documents and Settings\Jeff\Application Data\pcouffin.sys
2006-03-20 08:01 18 ----a-w C:\Documents and Settings\Jeff\ambt.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 14:56 64512]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-10 00:10 344064]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 15:16 135168]
"sHotKey"="C:\Program Files\SONY\sHotKey\sHotKey.exe" [2003-08-22 12:22 45056]
"VAIO Update 2"="C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" [2004-01-17 06:36 135168]
"VAIO Recovery"="C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 01:08 28672]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 08:06 579584]
"TotalRecorderScheduler"="C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe" [2006-05-12 02:32 86016]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-28 09:17 185896]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-06-02 11:13 267048]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 18:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-07-28 20:40 77824 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-07-28 21:34 2551808 C:\WINDOWS\ALCWZRD.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-26 08:06 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-11-02 16:58:26 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= C:\PROGRA~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll
"mixer"= DrvTrNTm.dll
"wave"= DrvTrNTm.dll
"Midi1"= ma_cmidn.dll
"midi3"= ma_cmidn.dll
"midi2"= ma_cmidn.dll
"midi5"= ma_cmidn.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\NETGEAR\\WG111v2 Configuration Utility\\RtWLan.exe"=
"C:\\Program Files\\Sony\\Click to DVD 2\\CtoDvd.exe"=
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"17684:TCP"= 17684:TCP:BitComet 17684 TCP
"17684:UDP"= 17684:UDP:BitComet 17684 UDP

R0 $sys$cor;$sys$cor;C:\WINDOWS\system32\Drivers\$sys$cor.sys [2005-07-04 08:52]
R1 $sys$crater;$sys$crater;C:\WINDOWS\system32\$sys$filesystem\crater.sys [2005-07-04 06:51]
R2 CD_Proxy;XCP CD Proxy;C:\WINDOWS\CDProxyServ.exe [2004-10-07 10:42]
R2 EAPPkt;Realtek EAPPkt Protocol;C:\WINDOWS\system32\DRIVERS\EAPPkt.sys [2005-04-01 10:42]
R2 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe [2004-07-09 00:26]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys [2005-04-21 13:33]
R3 SjyPkt;SjyPkt;C:\WINDOWS\System32\Drivers\SjyPkt.sys [2002-10-02 08:57]
S2 $sys$DRMServer;Plug and Play Device Manager;C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe []
S3 $sys$lim;$sys$lim;C:\WINDOWS\system32\$sys$filesystem\lim.sys [2005-07-14 05:51]
S3 cxwibu;Team H2O WIBU Driver;C:\Program Files\WIBUKEY\H2O\cxwibu.sys []
S3 EVOLUSB;%EVOL_USB_SvcDesc%;C:\WINDOWS\system32\drivers\evolusb.sys []
S3 jswmidin;jswmidin;C:\DOCUME~1\Jeff\LOCALS~1\Temp\jswmidin.sys []
S3 MA_CMIDI;%EVOL_USB.SvcDesc%;C:\WINDOWS\system32\drivers\ma_cmidi.sys [2005-06-14 13:44]
S3 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe [2004-07-09 00:17]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{858bdf90-3b28-11dd-a8cd-000fb5c1fa9f}]
\Shell\AutoRun\command - F:\wd_windows_tools\WDSetup.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
2005-01-08 C:\WINDOWS\Tasks\Symantec NetDetect.job - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2003-08-13 21:38]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Sonic RecordNow! - (no file)


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/keyword/%s
O8 -: &D&ownload &with BitComet - C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 -: &D&ownload all video with BitComet - C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 -: &D&ownload all with BitComet - C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O16 -: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} - file://J:\setup\RiffLick.cab
C:\WINDOWS\Downloaded Program Files\RiffLick.inf
C:\WINDOWS\Downloaded Program Files\wavetab.ocx


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-26 20:40:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-07-26 20:47:18
ComboFix-quarantined-files.txt 2008-07-27 00:46:15

Pre-Run: 76,717,535,232 bytes free
Post-Run: 77,513,498,624 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

190 --- E O F --- 2008-07-09 03:20:29

#8 Guest_White Warrior_*

Guest_White Warrior_*

  • Guests

Posted 28 July 2008 - 08:23 AM

Hello stiahhh

That’s looking better, but we have more to do yet.

Could you please tell me if you have uninstalled your Symantec Security Suite program, as there appear to be remnants of it in your log?

First of all, please save these instructions in Notepad to your Desktop, or print them, for easy reference. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.

Now:

1. Close any open browsers.

2. Open Notepad and Copy/Paste the text in the quotebox below into it:


KILLALL::
File::
C:\WINDOWS\003340_.tmp

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\StubInstaller.exe" =-


Save this as CFScript.txt, in the same location as ComboFix.exe.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt".

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


Please reboot the computer (if ComboFix did not ask for a reboot).

Next:

Make sure DSS.exe is on your Desktop.
Next, press Start->Run,
Copy/Paste the following command into the box and press OK:

"%userprofile%\desktop\dss.exe" /daft

Press OK to the disclaimer(s) and then press Scan.
Place checkmarks in all the boxes that appear and press Fix.
Then close Deckard's System Scanner.

Please reboot the computer.

Please post:

ComboFix log.
A new DSS log.
And let me know how the computer is running now.


White Warrior

#9 stiahhh

stiahhh
  • Topic Starter

  • Members
  • 15 posts

Posted 28 July 2008 - 11:38 AM

OK, I ran both ComboFix and DSS; the system seems to be running OK.

I have noticed one problem since the first launch of ComboFix... my Netflix Instant Player is not working. It looks like it isn't recognizing that I have Windows Service Pack 2 or newer (I have 3). Everything else is up to date; I can't figure it out. It happened immediately after ComboFix... weird.

I've never used that Symantec program, so perhaps it was preloaded on my computer. I also don't remember uninstalling it. The only programs I use are AVG and Windows firewall.

When I ran DSS, it didn't seem to do much of anything. There were two files to be checked, which I did, and then a window popped up saying "All associations okay!". Anyway, here are the logs from both:


ComboFix log:

ComboFix 08-07-26.1 - Jeff 2008-07-28 11:55:48.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.617 [GMT -4:00]
Running from: C:\Documents and Settings\Jeff\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jeff\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\003340_.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Jeff\Application Data\macromedia\Flash Player\#SharedObjects\V2BVR6V6\interclick.com
C:\Documents and Settings\Jeff\Application Data\macromedia\Flash Player\#SharedObjects\V2BVR6V6\interclick.com\ud.sol
C:\Documents and Settings\Jeff\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Jeff\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\003340_.tmp

.
((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-28 )))))))))))))))))))))))))))))))
.

2008-07-21 21:29 . 2008-07-26 19:24 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-21 21:29 . 2008-07-21 21:29 <DIR> d-------- C:\Documents and Settings\Jeff\Application Data\Malwarebytes
2008-07-21 21:29 . 2008-07-21 21:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-21 21:29 . 2008-07-23 20:09 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-21 21:29 . 2008-07-23 20:09 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-12 01:42 . 2008-07-12 01:42 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-12 01:41 . 2008-07-12 01:41 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-08 21:36 . 2008-07-08 21:37 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-07-08 21:36 . 2008-07-26 20:48 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-08 17:57 . 2008-07-08 17:57 <DIR> d-------- C:\Deckard
2008-07-07 22:24 . 2008-07-07 22:24 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-07-04 00:56 . 2008-07-04 00:56 <DIR> d-------- C:\Program Files\iTunes
2008-07-04 00:55 . 2008-07-04 00:55 <DIR> d-------- C:\Program Files\Bonjour
2008-07-04 00:54 . 2008-07-04 00:54 <DIR> d-------- C:\Program Files\QuickTime
2008-07-04 00:52 . 2008-07-04 00:52 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-07-04 00:52 . 2008-07-04 00:52 <DIR> d-------- C:\Program Files\Apple Software Update
2008-07-04 00:52 . 2008-07-04 00:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-21 00:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-07-20 05:40 --------- d-----w C:\Program Files\Java
2008-07-12 21:50 --------- d-----w C:\Program Files\Vstplugins
2008-07-08 23:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-08 22:31 --------- d-----w C:\Documents and Settings\Jeff\Application Data\AVG7
2008-07-04 04:56 --------- d-----w C:\Program Files\iPod
2008-06-30 06:37 --------- d-----w C:\Program Files\PLUG INS
2008-06-26 02:08 --------- d-----w C:\Program Files\NCH Swift Sound
2008-06-21 03:14 --------- d-----w C:\Program Files\NCH Software
2008-06-21 03:13 --------- d-----w C:\Documents and Settings\Jeff\Application Data\NCH Swift Sound
2008-06-21 03:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-06-21 03:05 --------- d-----w C:\Documents and Settings\Jeff\Application Data\FairStars Audio Converter
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-07 23:34 --------- d-----w C:\Program Files\SlySoft
2008-02-18 18:23 47,360 ----a-w C:\Documents and Settings\Jeff\Application Data\pcouffin.sys
2006-03-20 08:01 18 ----a-w C:\Documents and Settings\Jeff\ambt.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 14:56 64512]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-10 00:10 344064]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 15:16 135168]
"sHotKey"="C:\Program Files\SONY\sHotKey\sHotKey.exe" [2003-08-22 12:22 45056]
"VAIO Update 2"="C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" [2004-01-17 06:36 135168]
"VAIO Recovery"="C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 01:08 28672]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 08:06 579584]
"TotalRecorderScheduler"="C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe" [2006-05-12 02:32 86016]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-28 09:17 185896]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-06-02 11:13 267048]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 18:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-07-28 20:40 77824 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-07-28 21:34 2551808 C:\WINDOWS\ALCWZRD.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-26 08:06 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-11-02 16:58:26 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= C:\PROGRA~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll
"mixer"= DrvTrNTm.dll
"wave"= DrvTrNTm.dll
"Midi1"= ma_cmidn.dll
"midi3"= ma_cmidn.dll
"midi2"= ma_cmidn.dll
"midi5"= ma_cmidn.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\NETGEAR\\WG111v2 Configuration Utility\\RtWLan.exe"=
"C:\\Program Files\\Sony\\Click to DVD 2\\CtoDvd.exe"=
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"17684:TCP"= 17684:TCP:BitComet 17684 TCP
"17684:UDP"= 17684:UDP:BitComet 17684 UDP

R0 $sys$cor;$sys$cor;C:\WINDOWS\system32\Drivers\$sys$cor.sys [2005-07-04 08:52]
R1 $sys$crater;$sys$crater;C:\WINDOWS\system32\$sys$filesystem\crater.sys [2005-07-04 06:51]
R2 CD_Proxy;XCP CD Proxy;C:\WINDOWS\CDProxyServ.exe [2004-10-07 10:42]
R2 EAPPkt;Realtek EAPPkt Protocol;C:\WINDOWS\system32\DRIVERS\EAPPkt.sys [2005-04-01 10:42]
R2 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe [2004-07-09 00:26]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys [2005-04-21 13:33]
S2 $sys$DRMServer;Plug and Play Device Manager;C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe []
S3 $sys$lim;$sys$lim;C:\WINDOWS\system32\$sys$filesystem\lim.sys [2005-07-14 05:51]
S3 cxwibu;Team H2O WIBU Driver;C:\Program Files\WIBUKEY\H2O\cxwibu.sys []
S3 EVOLUSB;%EVOL_USB_SvcDesc%;C:\WINDOWS\system32\drivers\evolusb.sys []
S3 jswmidin;jswmidin;C:\DOCUME~1\Jeff\LOCALS~1\Temp\jswmidin.sys []
S3 MA_CMIDI;%EVOL_USB.SvcDesc%;C:\WINDOWS\system32\drivers\ma_cmidi.sys [2005-06-14 13:44]
S3 SjyPkt;SjyPkt;C:\WINDOWS\System32\Drivers\SjyPkt.sys [2002-10-02 08:57]
S3 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe [2004-07-09 00:17]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{858bdf90-3b28-11dd-a8cd-000fb5c1fa9f}]
\Shell\AutoRun\command - F:\wd_windows_tools\WDSetup.exe
.
Contents of the 'Scheduled Tasks' folder
2005-01-08 C:\WINDOWS\Tasks\Symantec NetDetect.job - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2003-08-13 21:38]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-28 12:03:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Intel\Intel Application Accelerator\IAANTmon.exe
C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-07-28 12:15:19 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-28 16:15:16
ComboFix2.txt 2008-07-27 00:47:19

Pre-Run: 77,154,754,560 bytes free
Post-Run: 77,181,730,816 bytes free

185 --- E O F --- 2008-07-09 03:20:29



DSS log:

DAFT Log saved on 2008-07-28 12:22:37
-----------------------------------------------------------------------
All associations okay!

Edited by stiahhh, 28 July 2008 - 11:49 AM.


#10 Guest_White Warrior_*

Guest_White Warrior_*

  • Guests

Posted 31 July 2008 - 08:24 PM

Hello stiahhh

We will investigate the Netflix problem after the computer is clean. Could you please tell me whether the program can be uninstalled/reinstalled without causing any problems?

First of all, please save these instructions in Notepad to your Desktop, or print them, for easy reference. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.

Now, let’s clean the remnants of Symantec off the system.

To fully remove Norton AntiVirus, you should go here and download the files and print the instructions for removal, and follow them after uninstalling NAV.
How to uninstall Norton AntiVirus 2003/2004/2005/2006/2007/2008:
- Vista/XP/2000 - Click Here (Note: this removes ALL Norton 2003/2004/2005/2006/2007/2008 products from your computer)
- Me/98 - Click Here
How to uninstall Norton AntiVirus 2000/2001/2002

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your Desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE)6 Update 7...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "English".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your Desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your Desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please Post:

Kaspersky scan report.
A new HijackThis log.


White Warrior

#11 stiahhh

stiahhh
  • Topic Starter

  • Members
  • 15 posts

Posted 01 August 2008 - 07:35 AM

The Netflix viewer works from within your Internet Explorer, but demands that your system meet certain requirements. I've used it for almost a year with no problems till the second Combofix stopped running. I was thinking that maybe something weird is happening with the registry, or it doesn't recognize what service pack I have, or something... not really sure.

I tried to go remove all the Java components from the Add/Remove Programs list, but it looks like the malware has altered my menu so there are no "Change/Remove" buttons. I tried to remove them but couldn't, and reinstalled the new Java anyway, but with no improvement that I can see. How can I regain control of this very important menu?

Here are the logs...



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, August 1, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, August 01, 2008 07:43:26
Records in database: 1038821
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
G:\
H:\
I:\
J:\

Scan statistics:
Files scanned: 136177
Threat name: 1
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 01:52:26


File name / Threat name / Threats count
C:\Documents and Settings\Jeff\Application Data\Sun\Java\Deployment\cache\6.0\17\5a3b84d1-74d16c67 Infected: Trojan.Java.ClassLoader.Dummy.d 1
C:\Documents and Settings\Jeff\Application Data\Sun\Java\Deployment\cache\6.0\27\5be8249b-11a952bb Infected: Trojan.Java.ClassLoader.Dummy.d 1

The selected area was scanned.



Deckard's System Scanner v20071014.68
Run by Jeff on 2008-08-01 08:25:32
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Jeff.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:26:10 AM, on 8/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\SONY\sHotKey\sHotKey.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\CDProxyServ.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Jeff\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Jeff.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [sHotKey] "C:\Program Files\SONY\sHotKey\sHotKey.exe"
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [VAIO Recovery] "C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - file://J:\setup\RiffLick.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - Unknown owner - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: M-Audio CMIDI Installer (MA_CMIDI_InstallerService) - Unknown owner - C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
O23 - Service: Sony TVTA Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

--
End of file - 11017 bytes

-- Files created between 2008-07-01 and 2008-08-01 -----------------------------

2008-08-01 08:25:50 0 d-------- C:\Program Files\Trend Micro
2008-08-01 03:51:39 0 d-------- C:\Program Files\Java
2008-08-01 03:51:37 0 d-------- C:\Program Files\Common Files\Java
2008-08-01 03:32:41 102796396 --a------ C:\backup.reg
2008-07-28 12:27:22 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-26 20:36:01 260272 --a------ C:\cmldr
2008-07-26 20:35:54 0 d-------- C:\cmdcons
2008-07-26 20:30:52 68096 --a------ C:\WINDOWS\zip.exe
2008-07-26 20:30:52 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-26 20:30:52 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-26 20:30:52 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-26 20:30:52 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-26 20:30:52 98816 --a------ C:\WINDOWS\sed.exe
2008-07-26 20:30:52 80412 --a------ C:\WINDOWS\grep.exe
2008-07-26 20:30:52 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-21 21:29:44 0 d-------- C:\Documents and Settings\Jeff\Application Data\Malwarebytes
2008-07-21 21:29:41 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-21 21:29:40 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-12 01:42:11 0 d-------- C:\Program Files\Lavasoft
2008-07-12 01:41:35 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-08 21:36:48 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-08 21:36:44 0 d-------- C:\Program Files\SpywareBlaster
2008-07-07 22:35:13 0 d-------- C:\WINDOWS\Prefetch
2008-07-07 22:26:26 0 d-------- C:\WINDOWS\system32\scripting
2008-07-07 22:26:25 0 d-------- C:\WINDOWS\l2schemas
2008-07-07 22:26:24 0 d-------- C:\WINDOWS\system32\en
2008-07-07 22:26:24 0 d-------- C:\WINDOWS\system32\bits
2008-07-07 22:24:13 0 d-------- C:\WINDOWS\ServicePackFiles
2008-07-07 22:21:23 0 d-------- C:\WINDOWS\network diagnostic
2008-07-04 00:56:03 0 d-------- C:\Program Files\iTunes
2008-07-04 00:55:18 0 d-------- C:\Program Files\Bonjour
2008-07-04 00:54:30 0 d-------- C:\Program Files\QuickTime
2008-07-04 00:52:37 0 d-------- C:\Program Files\Apple Software Update
2008-07-04 00:52:12 0 d-------- C:\Program Files\Common Files\Apple
2008-07-04 00:52:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple


-- Find3M Report ---------------------------------------------------------------

2008-08-01 03:51:37 0 d-------- C:\Program Files\Common Files
2008-08-01 03:00:56 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-07-28 12:27:20 0 d-------- C:\Documents and Settings\Jeff\Application Data\Mozilla
2008-07-12 17:50:48 0 d-------- C:\Program Files\Vstplugins
2008-07-12 17:38:37 0 d-------- C:\Documents and Settings\Jeff\Application Data\Adobe
2008-07-08 18:31:41 0 d-------- C:\Documents and Settings\Jeff\Application Data\AVG7
2008-07-07 22:26:51 0 d-------- C:\Program Files\Messenger
2008-07-07 22:26:24 0 d-------- C:\Program Files\Movie Maker
2008-07-07 22:23:49 0 d-------- C:\Program Files\Windows NT
2008-07-04 00:56:08 0 d-------- C:\Program Files\iPod
2008-06-30 02:37:36 0 d-------- C:\Program Files\PLUG INS
2008-06-25 22:08:47 0 d-------- C:\Program Files\NCH Swift Sound
2008-06-20 23:14:15 0 d-------- C:\Program Files\NCH Software
2008-06-20 23:13:16 0 d-------- C:\Documents and Settings\Jeff\Application Data\NCH Swift Sound
2008-06-20 23:05:24 0 d-------- C:\Documents and Settings\Jeff\Application Data\FairStars Audio Converter
2008-06-07 19:34:22 0 d-------- C:\Program Files\SlySoft


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/05/2005 02:56 PM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [09/10/2004 12:10 AM]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [03/17/2004 06:10 PM C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [03/23/2004 03:16 PM]
"SoundMan"="SOUNDMAN.EXE" [07/28/2004 08:40 PM C:\WINDOWS\SOUNDMAN.EXE]
"sHotKey"="C:\Program Files\SONY\sHotKey\sHotKey.exe" [08/22/2003 12:22 PM]
"VAIO Update 2"="C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" [01/17/2004 06:36 AM]
"AlcWzrd"="ALCWZRD.EXE" [07/28/2004 09:34 PM C:\WINDOWS\ALCWZRD.EXE]
"VAIO Recovery"="C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" [04/20/2003 01:08 AM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 11:50 AM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [04/15/2008 08:06 AM]
"TotalRecorderScheduler"="C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe" [05/12/2006 02:32 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [03/28/2008 09:17 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [05/27/2008 10:50 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [06/02/2008 11:13 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/2006 04:45 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [11/2/2005 4:58:26 PM]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{858bdf90-3b28-11dd-a8cd-000fb5c1fa9f}]
AutoRun\command- F:\wd_windows_tools\WDSetup.exe




-- End of Deckard's System Scanner: finished at 2008-08-01 08:26:47 ------------




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:28:37 AM, on 8/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\SONY\sHotKey\sHotKey.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\CDProxyServ.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [sHotKey] "C:\Program Files\SONY\sHotKey\sHotKey.exe"
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [VAIO Recovery] "C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - file://J:\setup\RiffLick.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - Unknown owner - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: M-Audio CMIDI Installer (MA_CMIDI_InstallerService) - Unknown owner - C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
O23 - Service: Sony TVTA Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

--
End of file - 10985 bytes

#12 Guest_White Warrior_*


Posted 03 August 2008 - 09:28 PM

Hello stiahhh

First of all, please save these instructions in Notepad to your Desktop, or print them, for easy reference. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.

Now we need to clean the Java cache as there are infections present in it.

To Clear the Java Runtime Environment (JRE) cache, do this:
  • Click Start > Settings > Control Panel.
  • Double-click the Java icon.
    -The Java Control Panel appears.
  • Click "Settings" under Temporary Internet Files.
    -The Temporary Files Settings dialog box appears.
  • Click "Delete Files".
    -The Delete Temporary Files dialog box appears.
    -There are three options on this window to clear the cache.
    • Delete Files
    • View Applications
    • View Applets
  • Click "OK" on Delete Temporary Files window.
    -Note: This deletes all the Downloaded Applications and Applets from the cache.
  • Click "OK" on Temporary Files Settings window.
  • Close the Java Control Panel.
You can also view these instructions along with screenshots here.

Finally:
Please open Notepad and Copy/Paste the following text into Notepad. Do NOT copy the word “quote.”

@ECHO OFF

REGEDIT.exe /E "%userprofile%\Desktop\key.txt" "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
exit


Save the file to the Desktop as peek.bat and make sure the Save as type field says All files.
Locate peek.bat on the Desktop and double-click on it to run it.

It will produce a file on the Desktop named key.txt

Please post that file back here to me.


White Warrior

Edited by White Warrior, 04 August 2008 - 06:04 PM.


#13 stiahhh


Posted 04 August 2008 - 09:11 AM

hi WWarrior...

ok, i did exactly what you wrote but don't think it worked properly. clearing the Java cache went ok, but peek.bat didn't create any file on my computer. the dos window opened for a quick second, but that's all that happened. i tried twice, making sure everything was correct but with no luck...what next?

Edited by stiahhh, 04 August 2008 - 09:11 AM.


#14 Guest_White Warrior_*


Posted 04 August 2008 - 06:01 PM

Hello stiahhh

I am very sorry. That was my fault. Could you try to run it again please.

Please open Notepad and Copy/Paste the following text into Notepad. Do NOT copy the word “quote.”

@ECHO OFF

REGEDIT.exe /E "%userprofile%\Desktop\key.txt" "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"

exit

Save the file to the Desktop as peek.bat and make sure the Save as type field says All files.
Locate peek.bat on the Desktop and double-click on it to run it.

It will produce a file on the Desktop named key.txt

Please post that file back here to me.


White Warrior

#15 stiahhh


Posted 04 August 2008 - 09:20 PM

No problem, thanks for a fast reply. Here's key.txt :


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin]
"DisplayName"="Adobe Flash Player Plugin"
"DisplayVersion"="9.0.124.0"
"Publisher"="Adobe Systems Incorporated"
"URLInfoAbout"="http://www.adobe.com/go/getflashplayer"
"DisplayIcon"="C:\\WINDOWS\\system32\\Macromed\\Flash\\uninstall_plugin.exe"
"UninstallString"="C:\\WINDOWS\\system32\\Macromed\\Flash\\uninstall_plugin.exe"
"NoModify"=dword:00000001
"NoRepair"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CCleaner]
"DisplayName"="CCleaner (remove only)"
"UninstallString"="\"C:\\Program Files\\CCleaner\\uninst.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HijackThis]
"DisplayName"="HijackThis 2.0.2"
"UninstallString"="\"C:\\Program Files\\Trend Micro\\HijackThis\\HijackThis.exe\" /uninstall"
"DisplayIcon"="C:\\Program Files\\Trend Micro\\HijackThis\\HijackThis.exe"
"DisplayVersion"="2.0.2"
"Publisher"="TrendMicro"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB951748]
"DisplayName"="Security Update for Windows XP (KB951748)"
"UninstallString"="\"C:\\WINDOWS\\$NtUninstallKB951748$\\spuninst\\spuninst.exe\""
"TSAware"=dword:00000001
"NoModify"=dword:00000001
"InstallDate"="20080709"
"Publisher"="Microsoft Corporation"
"NoRepair"=dword:00000001
"HelpLink"="http://support.microsoft.com?kbid=951748"
"URLInfoAbout"="http://support.microsoft.com"
"DisplayVersion"="1"
"ParentKeyName"="OperatingSystem"
"ParentDisplayName"="Windows XP - Software Updates"
"ReleaseType"="Security Update"
"RegistryLocation"="HKLM\\SOFTWARE\\Microsoft\\Updates\\Windows XP\\SP4\\KB951748"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB951978]
"DisplayName"="Update for Windows XP (KB951978)"
"UninstallString"="\"C:\\WINDOWS\\$NtUninstallKB951978$\\spuninst\\spuninst.exe\""
"TSAware"=dword:00000001
"NoModify"=dword:00000001
"InstallDate"="20080709"
"Publisher"="Microsoft Corporation"
"NoRepair"=dword:00000001
"HelpLink"="http://support.microsoft.com?kbid=951978"
"URLInfoAbout"="http://support.microsoft.com"
"DisplayVersion"="1"
"ParentKeyName"="OperatingSystem"
"ParentDisplayName"="Windows XP - Software Updates"
"ReleaseType"="Update"
"RegistryLocation"="HKLM\\SOFTWARE\\Microsoft\\Updates\\Windows XP\\SP4\\KB951978"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Malwarebytes' Anti-Malware_is1]
"Inno Setup: Setup Version"="5.2.3"
"Inno Setup: App Path"="C:\\Program Files\\Malwarebytes' Anti-Malware"
"InstallLocation"="C:\\Program Files\\Malwarebytes' Anti-Malware\\"
"Inno Setup: Icon Group"="Malwarebytes' Anti-Malware"
"Inno Setup: User"="Jeff"
"Inno Setup: Selected Tasks"=""
"Inno Setup: Deselected Tasks"="desktopicon,quicklaunchicon"
"DisplayName"="Malwarebytes' Anti-Malware"
"UninstallString"="\"C:\\Program Files\\Malwarebytes' Anti-Malware\\unins000.exe\""
"QuietUninstallString"="\"C:\\Program Files\\Malwarebytes' Anti-Malware\\unins000.exe\" /SILENT"
"Publisher"="Malwarebytes Corporation"
"URLInfoAbout"="http://www.malwarebytes.org"
"HelpLink"="http://www.malwarebytes.org"
"URLUpdateInfo"="http://www.malwarebytes.org"
"NoModify"=dword:00000001
"NoRepair"=dword:00000001
"InstallDate"="20080726"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox (3.0.1)]
"Comments"="Mozilla Firefox"
"DisplayIcon"="C:\\Program Files\\Mozilla Firefox\\firefox.exe,0"
"DisplayName"="Mozilla Firefox (3.0.1)"
"DisplayVersion"="3.0.1 (en-US)"
"InstallLocation"="C:\\Program Files\\Mozilla Firefox"
"Publisher"="Mozilla"
"UninstallString"="C:\\Program Files\\Mozilla Firefox\\uninstall\\helper.exe"
"URLInfoAbout"="http://en-US.www.mozilla.com/en-US/"
"URLUpdateInfo"="http://en-US.www.mozilla.com/en-US/firefox/"
"NoModify"=dword:00000001
"NoRepair"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpywareBlaster_is1]
"Inno Setup: Setup Version"="5.2.2"
"Inno Setup: App Path"="C:\\Program Files\\SpywareBlaster"
"InstallLocation"="C:\\Program Files\\SpywareBlaster\\"
"Inno Setup: Icon Group"="SpywareBlaster"
"Inno Setup: User"="Jeff"
"Inno Setup: Selected Tasks"=""
"Inno Setup: Deselected Tasks"="iconondesktop"
"DisplayName"="SpywareBlaster 4.1"
"DisplayIcon"="C:\\Program Files\\SpywareBlaster\\spywareblaster.exe"
"UninstallString"="\"C:\\Program Files\\SpywareBlaster\\unins000.exe\""
"QuietUninstallString"="\"C:\\Program Files\\SpywareBlaster\\unins000.exe\" /SILENT"
"DisplayVersion"="4.1.0"
"Publisher"="Javacool Software LLC"
"URLInfoAbout"="http://www.javacoolsoftware.com/"
"NoModify"=dword:00000001
"NoRepair"=dword:00000001
"InstallDate"="20080708"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{86EF9FC4-F209-4520-B7E1-C7FF0EEBDFFF}]
"Serial"="976580244241023988038330"
"NAME"="Jeff"
"COMPAN"=""
"AuthorizedCDFPrefix"=""
"Comments"=""
"Contact"="Customer Support"
"DisplayVersion"="1.5"
"HelpLink"=hex(2):68,00,74,00,74,00,70,00,3a,00,2f,00,2f,00,77,00,77,00,77,00,\
2e,00,61,00,64,00,6f,00,62,00,65,00,2e,00,63,00,6f,00,6d,00,2f,00,73,00,75,\
00,70,00,70,00,6f,00,72,00,74,00,2f,00,6d,00,61,00,69,00,6e,00,2e,00,68,00,\
74,00,6d,00,6c,00,00,00
"HelpTelephone"=""
"InstallDate"="20080712"
"InstallLocation"="C:\\Program Files\\Adobe\\Audition 1.5\\"
"InstallSource"="C:\\WINDOWS\\Downloaded Installations\\{35C2718C-FF5F-493C-BAB7-9366A3D34245}\\"
"NoRemove"=dword:00000001
"NoRepair"=dword:00000001
"Publisher"="Adobe Systems"
"Readme"=hex(2):43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,20,\
00,46,00,69,00,6c,00,65,00,73,00,5c,00,41,00,64,00,6f,00,62,00,65,00,5c,00,\
41,00,75,00,64,00,69,00,74,00,69,00,6f,00,6e,00,20,00,31,00,2e,00,35,00,5c,\
00,52,00,65,00,61,00,64,00,6d,00,65,00,2e,00,68,00,74,00,6d,00,00,00
"Size"=""
"EstimatedSize"=dword:0000a5c7
"URLInfoAbout"="http://www.adobe.com"
"URLUpdateInfo"="http://www.adobe.com/audition/"
"VersionMajor"=dword:00000001
"VersionMinor"=dword:00000005
"WindowsInstaller"=dword:00000001
"Version"=dword:01050000
"Language"=dword:00000000
"DisplayName"="Adobe Audition 1.5"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}]
"AuthorizedCDFPrefix"=""
"Comments"=""
"Contact"=""
"DisplayVersion"="7.1.0.7"
"HelpLink"=hex(2):68,00,74,00,74,00,70,00,3a,00,2f,00,2f,00,77,00,77,00,77,00,\
2e,00,6c,00,61,00,76,00,61,00,73,00,6f,00,66,00,74,00,73,00,75,00,70,00,70,\
00,6f,00,72,00,74,00,2e,00,63,00,6f,00,6d,00,00,00
"HelpTelephone"=""
"InstallDate"="20080712"
"InstallLocation"="C:\\Program Files\\Lavasoft\\Ad-Aware\\"
"InstallSource"="C:\\Program Files\\Common Files\\Wise Installation Wizard\\"
"ModifyPath"=hex(2):4d,00,73,00,69,00,45,00,78,00,65,00,63,00,2e,00,65,00,78,\
00,65,00,20,00,2f,00,49,00,7b,00,44,00,45,00,44,00,35,00,33,00,42,00,30,00,\
42,00,2d,00,42,00,36,00,37,00,43,00,2d,00,34,00,32,00,34,00,34,00,2d,00,41,\
00,45,00,36,00,41,00,2d,00,44,00,36,00,46,00,44,00,33,00,43,00,32,00,38,00,\
44,00,31,00,45,00,46,00,7d,00,00,00
"NoRepair"=dword:00000001
"Publisher"="Lavasoft"
"Readme"=""
"Size"=""
"EstimatedSize"=dword:000064c5
"UninstallString"=hex(2):4d,00,73,00,69,00,45,00,78,00,65,00,63,00,2e,00,65,00,\
78,00,65,00,20,00,2f,00,49,00,7b,00,44,00,45,00,44,00,35,00,33,00,42,00,30,\
00,42,00,2d,00,42,00,36,00,37,00,43,00,2d,00,34,00,32,00,34,00,34,00,2d,00,\
41,00,45,00,36,00,41,00,2d,00,44,00,36,00,46,00,44,00,33,00,43,00,32,00,38,\
00,44,00,31,00,45,00,46,00,7d,00,00,00
"URLInfoAbout"=""
"URLUpdateInfo"="http://www.lavasoft.com"
"VersionMajor"=dword:00000007
"VersionMinor"=dword:00000001
"WindowsInstaller"=dword:00000001
"Version"=dword:07010000
"Language"=dword:00000409
"DisplayName"="Ad-Aware"

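The key.txt that peek.bat produces is a regedit /E export, so a helper reviewing it has to join the backslash-continued hex(2) lines and decode them as UTF-16 before the REG_EXPAND_SZ values (like the HelpLink and UninstallString entries above) are readable. As an added example that is not code from this thread, here is a small Python parser for that format which lists each program's DisplayName, Publisher and UninstallString; the embedded export is a constructed sample modelled on the posted file, not the file itself.

```python
import re

# Constructed sample in the format regedit /E writes (modelled on the key.txt posted above)
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CCleaner]
"DisplayName"="CCleaner (remove only)"
"UninstallString"="\"C:\\Program Files\\CCleaner\\uninst.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{86EF9FC4-F209-4520-B7E1-C7FF0EEBDFFF}]
"HelpLink"=hex(2):68,00,74,00,74,00,70,00,3a,00,2f,00,2f,00,77,00,77,00,77,00,\
  2e,00,61,00,64,00,6f,00,62,00,65,00,2e,00,63,00,6f,00,6d,00,00,00
"NoRemove"=dword:00000001
"DisplayName"="Adobe Audition 1.5"
'''


def decode_value(raw):
    """Decode one value as regedit writes it: "string", dword:, or hex(2) (REG_EXPAND_SZ as UTF-16LE)."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r'\\(.)', r'\1', raw[1:-1])   # undo the \\ and \" escaping in string data
    if raw.startswith('dword:'):
        return int(raw[6:], 16)
    if raw.startswith('hex(2):'):
        data = bytes(int(b, 16) for b in raw[7:].split(',') if b)
        return data.decode('utf-16-le').rstrip('\x00')   # drop the trailing NUL terminator
    return raw  # other hex types (hex:, hex(7):, ...) are left as written


def parse_reg_export(text):
    """Return {key_path: {value_name: value}}; a line ending in a backslash continues on the next."""
    joined = re.sub(r'\\\r?\n\s*', '', text)
    keys, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif line.startswith('"') and current is not None:
            name, _, raw = line.partition('"=')
            keys[current][name[1:]] = decode_value(raw)
    return keys


def installed_programs(keys):
    """(DisplayName, Publisher, UninstallString) per entry; subkeys without a DisplayName are skipped."""
    return [(v['DisplayName'], v.get('Publisher', '(no publisher)'), v.get('UninstallString', '(none)'))
            for v in keys.values() if 'DisplayName' in v]
```

To run it over the real file, pass `open('key.txt', encoding='utf-16').read()` to parse_reg_export, since regedit /E writes UTF-16 with a byte-order mark.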