I need to verify

15 replies to this topic

#1 audiO


Posted 26 February 2009 - 09:32 PM

The past month with my computer has been a bit weird. I started getting the blue screen of death. Now, when I googled my options as far as repairing this damned BSOD, I realized my computer wasn't going to bleep the bed. Moving on... I started off by downloading Malwarebytes, thinking maybe I had some nasty trojan on my computer that AVG wasn't picking up. Well, that didn't solve my problem. I took it a step further and got HijackThis; I have no idea whether I should post it or not, or if it's going to help the situation. Anyways, I finally thought maybe installing SP3 would help. Haha! Yeah, that's right, I just installed it now xD! But the odd thing is, after one of the blue screens of death, when I got to my desktop after the reboot it said "Windows has successfully recovered from a fatal error." Something along those lines.

If you need any logs or anything, let me know. I'd like to know if my problem has been solved or not.

FYI: tonight I have not had a BSOD.


#2 DaChew

  • BC Advisor

Posted 27 February 2009 - 09:02 AM

Please post any logs from MBAM and AVG that give as many details of the infection as possible

Do not post a HJT log here under any circumstances

Edited by DaChew, 27 February 2009 - 09:03 AM.

Chewy

No. Try not. Do... or do not. There is no try.

#3 audiO

  • Topic Starter

Posted 27 February 2009 - 02:33 PM

Greetings Chew,
Thank you for responding, sorry I posted in the wrong section. Very new to this site :thumbsup: I have two scans running now, they should be done within the hour.

#4 audiO

  • Topic Starter

Posted 27 February 2009 - 11:26 PM

Malwarebytes' Anti-Malware 1.34
Database version: 1798
Windows 5.1.2600 Service Pack 3

2/27/2009 11:25:59 PM
mbam-log-2009-02-27 (23-25-59).txt

Scan type: Full Scan (C:\|)
Objects scanned: 136452
Time elapsed: 1 hour(s), 20 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Weird, eh?

#5 DaChew

  • BC Advisor

Posted 27 February 2009 - 11:42 PM

Download silentrunners.vbs to your Desktop.
A zipped version can be found here.
  • If you used the zipped version, unzip (extract) the file to its own folder: C:\Silent Runners.
  • Double-click the SilentRunners.vbs inside the folder or on your desktop to start.
  • A message box will appear asking if you want to skip the supplemental searches.
  • Press "Yes" to skip [default] or "No" to include them.
  • Another message box will appear saying: "Silent Runners has started. A message box like this will appear when it's done." The tool will scan your system and create a log, by default in the same directory as the script or on your desktop. The log is named "Startup Programs (ComputerName) date/timestamp.txt".
  • When finished, the next message to appear will say: "All Done! the results are in the file..." (it will provide the full path location of the log).
  • Copy & paste the log in your next reply.
Note: If you have a script blocking program you may get a warning asking if you want to allow the script to run. Some will say "malicious script warning" or something to that effect. There is nothing malicious about this script, you can click to allow it to execute.
Chewy

No. Try not. Do... or do not. There is no try.

#6 audiO

  • Topic Starter

Posted 28 February 2009 - 12:47 AM

Ummm, when I open Silent Runners after extracting it to a separate folder, it opens up in Notepad, and I can't figure out how to run it.

#7 DaChew

  • BC Advisor

Posted 28 February 2009 - 06:17 AM

Run HijackThis.
Click on Open the Misc Tools Section.
Then press Generate StartupList log, leaving both boxes next to it unchecked.
Select Yes at the prompt.
A Notepad file will open, and will automatically be saved in your HijackThis folder.
Paste this log in your next reply.
More information with a screenshot, can be found here.

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.
More information with a screenshot, can be found here.
Chewy

No. Try not. Do... or do not. There is no try.

#8 audiO

  • Topic Starter

Posted 28 February 2009 - 11:03 AM

Here it is :thumbsup:

StartupList report, 2/28/2009, 11:02:49 AM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows XP SP3 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16791)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SoundMan = SOUNDMAN.EXE
FlashIcon = C:\Program Files\Generic\USB Card Reader Driver v2.3\FlashIcon.exe
RemoteControl = "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
amd_dc_opt = "C:\Program Files\AMD\amd_dc_opt\amd_dc_opt.exe"
Flashget = C:\PROGRA~1\FlashGet\flashget.exe /min
L2 Rage Patch = """"""""""""""""""""""""""""""""""""""""""""" silent"
AVG8_TRAY = C:\PROGRA~1\AVG\AVG8\avgtray.exe
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

iolo Task Agent = C:\Program Files\iolo\Common\Task Agent\Task_Agent.exe
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
Aim6 = "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
BitTorrent DNA = "C:\Program Files\DNA\btdna.exe"
DAEMON Tools Lite = "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = NOTEPAD.EXE %1

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

flashget urlcatch - C:\PROGRA~1\FlashGet\jccatch.dll - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7}
WormRadar.com IESiteBlocker.NavFilter - C:\Program Files\AVG\AVG8\avgssie.dll - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
(no name) - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing) - {A057A204-BACC-4D26-9990-79A187E2698E}
(no name) - C:\Program Files\FlashGet\getflash.dll - {F156768E-81EF-470C-9057-481BA8380DBA}

--------------------------------------------------

Enumerating Task Scheduler jobs:

AppleSoftwareUpdate.job

--------------------------------------------------

Enumerating Download Program Files:

[Crucial cpcScan]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\cpcScan.dll
CODEBASE = http://www.crucial.com/controls/cpcScanner.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9c.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #4: C:\Program Files\Bonjour\mdnsNSP.dll

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
End of report, 6,262 bytes
Report generated in 0.141 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
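
The StartupList report above is the kind of log a helper reads by eye. As an added example (not from this thread or from the HijackThis/StartupList authors), the Python script below parses the report's Run-key and Browser Helper Object sections and lists the entries a reviewer would look at first: values with broken quoting, executables named without an absolute path (so Windows resolves them through the search path), and BHOs whose DLL is no longer on disk. The sample input is a constructed subset of the report posted in this thread; the heuristics, function names and `Finding` type are my own and flag entries for review, not as malicious.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional

# Constructed subset of the StartupList report quoted in this thread; a few
# lines from each section are enough to exercise the parser.
SAMPLE_REPORT = "\n".join([
    r'Autorun entries from Registry:',
    r'HKLM\Software\Microsoft\Windows\CurrentVersion\Run',
    r'',
    r'SoundMan = SOUNDMAN.EXE',
    r'RemoteControl = "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"',
    r'NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup',
    r'nwiz = nwiz.exe /install',
    r'L2 Rage Patch = """""""""""" silent"',
    r'AVG8_TRAY = C:\PROGRA~1\AVG\AVG8\avgtray.exe',
    r'--------------------------------------------------',
    r'Enumerating Browser Helper Objects:',
    r'',
    r'flashget urlcatch - C:\PROGRA~1\FlashGet\jccatch.dll - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7}',
    r'(no name) - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing) - {A057A204-BACC-4D26-9990-79A187E2698E}',
    r'--------------------------------------------------',
])

SEPARATOR = re.compile(r"^-{10,}[ \t]*$", re.M)  # StartupList section divider
ABS_PATH = re.compile(r"^[A-Za-z]:\\")           # drive-letter path
RUNAWAY_QUOTES = re.compile(r'"{3,}')            # e.g. the "L2 Rage Patch" value


@dataclass
class Finding:
    section: str   # registry key, or "BHO <clsid>"
    name: str      # value name / BHO name
    value: str     # raw data as printed in the report
    reason: str    # why a reviewer should look at it


def sections(report: str) -> Iterator[List[str]]:
    """Yield each dashed-off section of the report as a list of lines."""
    for chunk in SEPARATOR.split(report):
        lines = [ln.rstrip() for ln in chunk.strip().splitlines()]
        if lines:
            yield lines


def first_executable(value: str) -> str:
    """Program a Run value launches: the quoted token, else the first token."""
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else ""
    parts = value.split()
    return parts[0] if parts else ""


def check_run_value(key: str, name: str, value: str) -> Optional[Finding]:
    """Heuristics for one 'name = value' line under a Run key."""
    if value.count('"') % 2 == 1 or RUNAWAY_QUOTES.search(value):
        return Finding(key, name, value, "malformed quoting; inspect the raw registry value")
    exe = first_executable(value)
    what = "executable"
    if exe.lower().endswith("rundll32.exe"):
        # rundll32 itself is a system binary; what matters is the DLL it loads.
        args = value[value.find(exe) + len(exe):].lstrip('" ')
        exe = args.split(",", 1)[0].strip().strip('"')
        what = "rundll32 target DLL"
    if not ABS_PATH.match(exe):
        return Finding(key, name, value, f"{what} given without an absolute path (resolved via the search path)")
    return None


def review_startuplist(report: str) -> List[Finding]:
    """Return the Run-key and BHO entries that deserve a closer look."""
    findings: List[Finding] = []
    for lines in sections(report):
        header = lines[0]
        if header.startswith("Autorun entries from Registry:") and len(lines) > 1:
            key = lines[1]
            for line in lines[2:]:
                if " = " not in line:
                    continue
                name, value = line.split(" = ", 1)
                finding = check_run_value(key, name, value)
                if finding:
                    findings.append(finding)
        elif header.startswith("Enumerating Browser Helper Objects:"):
            for line in lines[1:]:
                parts = line.rsplit(" - ", 2)  # name - path - {CLSID}
                if len(parts) == 3 and "(file missing)" in parts[1]:
                    findings.append(Finding("BHO " + parts[2], parts[0], parts[1],
                                            "registered BHO whose DLL is not on disk (stale add-on)"))
    return findings


if __name__ == "__main__":
    for f in review_startuplist(SAMPLE_REPORT):
        print(f"[{f.section}] {f.name}: {f.reason}\n    {f.value}")
```

Run against the full report, the same code would also walk the HKCU Run section, since every "Autorun entries from Registry:" block is handled the same way.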

#9 DaChew

  • BC Advisor

Posted 28 February 2009 - 06:45 PM

Was AVG active and running when you applied SP3?
Chewy

No. Try not. Do... or do not. There is no try.

#10 audiO

  • Topic Starter

Posted 28 February 2009 - 08:21 PM

Ummm, I can't recall if it was running or not. I closed out of most programs as it said to do so. It's possible that it was active and running when I installed it.

#11 DaChew

  • BC Advisor

Posted 28 February 2009 - 08:37 PM

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Chewy

No. Try not. Do... or do not. There is no try.

#12 audiO

  • Topic Starter

Posted 28 February 2009 - 09:08 PM

Alright here it is.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/28/2009 at 09:01 PM

Application Version : 4.25.1014

Core Rules Database Version : 3779
Trace Rules Database Version: 1738

Scan type : Quick Scan
Total Scan Time : 00:07:53

Memory items scanned : 206
Memory threats detected : 0
Registry items scanned : 408
Registry threats detected : 1
File items scanned : 4707
File threats detected : 0

Trojan.Media-Codec
HKU\S-1-5-21-1935655697-606747145-839522115-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser#{84938242-5C5B-4A55-B6B9-A1507543B418}

#13 DaChew

  • BC Advisor

Posted 28 February 2009 - 09:29 PM

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.
Chewy

No. Try not. Do... or do not. There is no try.

#14 audiO

  • Topic Starter

Posted 28 February 2009 - 11:28 PM

SDFix: Version 1.240
Run by Ryan Tvelia on Sat 02/28/2009 at 11:20 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\dat.txt - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-28 23:24:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:c1,71,e0,59,1f,a4,71,44,3c,a8,29,a0,16,a8,03,8a,38,13,4a,31,d4,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000001
"khjeh"=hex:be,05,fa,54,e9,a8,ca,eb,bd,b4,4b,59,f7,e2,90,5b,80,94,93,02,59,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,46,be,24,5f,ef,2a,73,bc,ba,e0,36,52,16,b7,4b,7d,28,..
"khjeh"=hex:61,63,d9,dd,c4,3f,4b,03,d7,b1,52,17,fa,50,67,f4,1a,5b,4b,5e,6f,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:5e,f4,55,50,c3,c4,7a,e1,32,9c,0e,50,41,6e,3e,d1,cd,bd,42,60,fa,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:c1,71,e0,59,1f,a4,71,44,3c,a8,29,a0,16,a8,03,8a,38,13,4a,31,d4,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000001
"khjeh"=hex:be,05,fa,54,e9,a8,ca,eb,bd,b4,4b,59,f7,e2,90,5b,80,94,93,02,59,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,46,be,24,5f,ef,2a,73,bc,ba,e0,36,52,16,b7,4b,7d,28,..
"khjeh"=hex:61,63,d9,dd,c4,3f,4b,03,d7,b1,52,17,fa,50,67,f4,1a,5b,4b,5e,6f,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:5e,f4,55,50,c3,c4,7a,e1,32,9c,0e,50,41,6e,3e,d1,cd,bd,42,60,fa,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:c1,71,e0,59,1f,a4,71,44,3c,a8,29,a0,16,a8,03,8a,38,13,4a,31,d4,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000001
"khjeh"=hex:be,05,fa,54,e9,a8,ca,eb,bd,b4,4b,59,f7,e2,90,5b,80,94,93,02,59,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,46,be,24,5f,ef,2a,73,bc,ba,e0,36,52,16,b7,4b,7d,28,..
"khjeh"=hex:61,63,d9,dd,c4,3f,4b,03,d7,b1,52,17,fa,50,67,f4,1a,5b,4b,5e,6f,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:5e,f4,55,50,c3,c4,7a,e1,32,9c,0e,50,41,6e,3e,d1,cd,bd,42,60,fa,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1156011786\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1156011786\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1156011786\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1156011786\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Steam\\steamapps\\sniperxxkiler\\counter-strike\\hl.exe"="C:\\Program Files\\Steam\\steamapps\\sniperxxkiler\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\World of Warcraft\\WoW-1.11.1.5462-to-1.11.2.5464-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.11.1.5462-to-1.11.2.5464-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-1.11.2.5464-to-1.12.0.5595-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.11.2.5464-to-1.12.0.5595-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-1.11.0-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.11.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Documents and Settings\\Ryan Tvelia\\Desktop\\Games and other programs\\Subterfuge\\server5.exe"="C:\\Documents and Settings\\Ryan Tvelia\\Desktop\\Games and other programs\\Subterfuge\\server5.exe:*:Enabled:server5"
"C:\\Documents and Settings\\Ryan Tvelia\\Desktop\\Games and other programs\\Subterfuge\\Subterfuge.exe"="C:\\Documents and Settings\\Ryan Tvelia\\Desktop\\Games and other programs\\Subterfuge\\Subterfuge.exe:*:Disabled:Subterfuge"
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe:*:Enabled:SmartFTP Client 2.0"
"C:\\Documents and Settings\\Ryan Tvelia\\My Documents\\utorrent_1.6.exe"="C:\\Documents and Settings\\Ryan Tvelia\\My Documents\\utorrent_1.6.exe:*:Enabled:ęTorrent"
"C:\\Program Files\\Steam\\steamapps\\sniperxxkiler\\condition zero\\hl.exe"="C:\\Program Files\\Steam\\steamapps\\sniperxxkiler\\condition zero\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\Steam\\steamapps\\sniperxxkiler\\half-life\\hl.exe"="C:\\Program Files\\Steam\\steamapps\\sniperxxkiler\\half-life\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe"="C:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe:*:Disabled:BearShare"
"C:\\Program Files\\Wolfenstein - Enemy Territory\\ET.exe"="C:\\Program Files\\Wolfenstein - Enemy Territory\\ET.exe:*:Enabled:ET"
"C:\\Documents and Settings\\Ryan Tvelia\\Desktop\\Games and other programs\\bleepZDoom GL 2.2.exe"="C:\\Documents and Settings\\Ryan Tvelia\\Desktop\\Games and other programs\\bleepZDoom GL 2.2.exe:*:Enabled:ZDoom Launcher"
"C:\\Documents and Settings\\Ryan Tvelia\\Desktop\\Games and other programs\\New Folder\\bleepZDoom GL 2.2.exe"="C:\\Documents and Settings\\Ryan Tvelia\\Desktop\\Games and other programs\\New Folder\\bleepZDoom GL 2.2.exe:*:Enabled:ZDoom Launcher"
"C:\\Program Files\\FlashGet\\flashget.exe"="C:\\Program Files\\FlashGet\\flashget.exe:*:Enabled:Flashget"
"C:\\bleepZDoom\\bleepZDoom GL 2.2.exe"="C:\\bleepZDoom\\bleepZDoom GL 2.2.exe:*:Enabled:ZDoom Launcher"
"C:\\Program Files\\World of Warcraft\\WoW-2.0.12.6546-to-2.1.0.6692-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-2.0.12.6546-to-2.1.0.6692-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\America's Army\\System\\ArmyOps.exe"="C:\\Program Files\\America's Army\\System\\ArmyOps.exe:*:Enabled:ArmyOps"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Madden_NFL_08_by_fantastican.net\\Updater.exe"="C:\\Madden_NFL_08_by_fantastican.net\\Updater.exe:*:Enabled:Updater"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\\WINDOWS\\system32\\PnkBstrB.exe"="C:\\WINDOWS\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"="C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe:*:Enabled:Call of Duty® 4 - Modern Warfare™"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Documents and Settings\\Ryan Tvelia\\My Documents\\FOGDownloaderEN-RunesOfMagic(2).exe"="C:\\Documents and Settings\\Ryan Tvelia\\My Documents\\FOGDownloaderEN-RunesOfMagic(2).exe:*:Enabled:FOG Downloader"
"C:\\Program Files\\Darkfall\\Lobby.exe"="C:\\Program Files\\Darkfall\\Lobby.exe:*:Enabled:Lobby"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu 12 Feb 2009 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Fri 12 Nov 2004 37,376 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"

Finished!

#15 DaChew

  • BC Advisor

Posted 01 March 2009 - 02:38 AM

Well, your AV and Daemon Tools might not be getting along. When did you upgrade from AVG 7 to AVG 8?

P2P, download manager, game protections and the list goes on.

:thumbsup:

Trojan Files Found:

C:\WINDOWS\dat.txt - Deleted


and a remnant of an earlier infection some time ago?

Edited by DaChew, 01 March 2009 - 02:40 AM.

Chewy

No. Try not. Do... or do not. There is no try.
