
Detected Trojans With Ad-aware Program / Tv Media Display Virus


7 replies to this topic

#1 millerlite2407

millerlite2407

  • Members
  • 4 posts

Posted 18 April 2006 - 09:48 PM

I am running Windows 2000 Professional. I previously had the iworm_attck_v122.02a virus along with the pop-up malware OHPEver4. I found directions on bleepingcomputer.com (as seen here: Here) and apparently removed the issues from my system. Upon further scanning, Windows Defender discovered the TV Media Display virus. When attempting to remove the problem, Windows Defender simply gives me an error box with a numerical code and says the chosen actions cannot be completed. I then searched for the TV Media Display bug and discovered several places which gave directions to go into the registry and manually remove the keys related to the bug. When searching for those keys I was unable to find any on the list, but Defender still finds the TV Media Display bug and cannot remove it. Any help that can be provided to remove this bug would be helpful.
Also, soon thereafter, I was running Lavasoft's Ad-Aware SE Personal to check my computer for any additional spyware. While it was scanning my local drive, my McAfee VirusScan 7.1 program's VirusScan On-Access Message window appeared with the following trojans, which have supposedly been deleted. These paths are from the VirusScan log:

Deleted DOGWITCH\Jake C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temp\AAWTMP\C340578\28FAE8\VerifierBug.class Exploit-ByteVerify
Deleted DOGWITCH\Jake C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temp\AAWTMP\C340578\28FAE8\Counter.class Exploit-ByteVerify
Deleted DOGWITCH\Jake C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temp\AAWTMP\C340578\28FAE8\Gummy.class Exploit-ByteVerify
Deleted DOGWITCH\Jake C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temp\AAWTMP\C340578\28FAE8\Beyond.class Exploit-ByteVerify
Deleted DOGWITCH\Jake C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temp\AAWTMP\C340578\28FAE8\Worker.class JV/Shinwow
Deleted DOGWITCH\Jake C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temp\AAWTMP\C340578\28FAE8\web.exe Generic Downloader.y
Deleted DOGWITCH\Jake C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temp\AAWTMP\C340578\FFC18\A.class Exploit-ByteVerify
Deleted DOGWITCH\Jake C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temp\AAWTMP\C340578\FFC18\BlackBox.class Exploit-ByteVerify
Deleted DOGWITCH\Jake C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temp\AAWTMP\C340578\FFC18\Beyond.class Exploit-ByteVerify

Unfortunately, although it says they have been deleted, these exact same trojans appear every time I run Ad-Aware. I have tried to search around for a solution with no success. Any help that anyone can provide to help clean my system would be greatly appreciated. I have also included a HijackThis log, which is listed below.

Logfile of HijackThis v1.99.1
Scan saved at 8:56:24 PM, on 4/18/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZipToA.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Dfxcm\Daboc.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\Program Files\Opera\Opera.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://flashline.kent.edu/cp/home/loginf
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINNT\sysupd.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Kzjob] C:\Program Files\Dfxcm\Daboc.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Startup: Shortcut to Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O4 - Global Startup: EPSON Background Monitor.lnk = C:\EPSON\ESM2\STMS.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINNT\system32\IomegaAccess.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINNT\system32\ZipToA.exe


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,717 posts
  • Gender:Male
  • Location:USA

Posted 25 April 2006 - 06:51 AM

Sorry for the delay. If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic:

Preparation Guide For Use Before Posting A Hijackthis Log

#3 millerlite2407

millerlite2407
  • Topic Starter

  • Members
  • 4 posts

Posted 25 April 2006 - 07:23 PM

Well, I am still having the same issues; here is my new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:22:03 PM, on 4/25/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZipToA.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINNT\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://flashline.kent.edu/cp/home/loginf
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINNT\sysupd.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Startup: Shortcut to Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O4 - Global Startup: EPSON Background Monitor.lnk = C:\EPSON\ESM2\STMS.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINNT\system32\IomegaAccess.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINNT\system32\ZipToA.exe

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,717 posts
  • Gender:Male
  • Location:USA

Posted 26 April 2006 - 03:46 PM

Click on Start, Settings, Control Panel and double-click on Add/Remove Programs. From within Add/Remove Programs, uninstall the following if it exists:

IST Service

Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button:

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - (no file)
O4 - HKLM\..\Run: [SysUpd] C:\WINNT\sysupd.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe

Reboot your computer into Safe Mode

Then delete these files or directories (do not be concerned if they do not exist):

C:\WINNT\sysupd.exe
C:\Program Files\ISTsvc\

Reboot your computer to go back to normal mode.

To use RootkitRevealer, please make sure you are logged in to the computer as an Administrator.
  • Please download and unzip RootkitRevealer to your desktop.
  • Please leave the defaults set as they are:
    • Hide NTFS Metadata Files: this option is on by default.
    • Scan Registry: this option is on by default.
  • Launch RootkitRevealer on the system and press the Scan button.
    RootkitRevealer scans the system, reporting its actions in a status area at the bottom of its window and noting discrepancies in the output list. It may take a long time; please disconnect from the internet and leave the PC alone until the scan is finished.
  • The log can be very large, so please edit out the items in the following folders, if they appear in the log, before posting it: C:\RECYCLER\NPROTECT and C:\System Volume Information.
  • Please post the balance of the log here in this thread using Add Reply (please double-check that it has all been posted, as it may be too long for one post).
Then download and save Blacklight to your desktop.
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe, then accept the agreement.
Leave [X] scan through Windows Explorer checked,
click Scan, then Next.
You'll see a list of all items found.
Don't choose rename yet! I want to see the log first, because legitimate items can also be present there, like "wbemtest.exe".
There should also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stands for numbers).
Copy and paste this log along with the RootkitRevealer log. Also post a brand new HijackThis log.

#5 millerlite2407

millerlite2407
  • Topic Starter

  • Members
  • 4 posts

Posted 28 April 2006 - 06:28 PM

RootkitRevealer log:

HKLM\SOFTWARE\Network Associates\TVD\Shared Components\On Access Scanner\McShield\dwFilesScanned 4/26/2006 11:26 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Network Associates\TVD\Shared Components\On Access Scanner\McShield\dwLastModified 4/26/2006 11:26 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Network Associates\TVD\Shared Components\On Access Scanner\McShield\szLastScanned 4/26/2006 11:26 PM 300 bytes Windows API length not consistent with raw hive data.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\s0 12/18/2005 10:20 PM 4 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\s1 12/18/2005 10:20 PM 4 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\s2 12/18/2005 10:20 PM 4 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\g0 12/18/2005 10:20 PM 32 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\h0 12/18/2005 10:20 PM 4 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 12/18/2005 11:24 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Jake.DOGWITCH\Application Data\Aim\millerlite2407\urlcache\aim2.tmp 4/26/2006 11:13 PM 334 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Jake.DOGWITCH\Application Data\Aim\millerlite2407\urlcache\aim3.tmp 4/26/2006 11:43 PM 340 bytes Hidden from Windows API.
C:\Documents and Settings\Jake.DOGWITCH\Cookies\jake@advertising[1].txt 4/26/2006 11:25 PM 303 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Jake.DOGWITCH\Cookies\jake@advertising[2].txt 4/26/2006 11:39 PM 302 bytes Hidden from Windows API.
C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temporary Internet Files\Content.IE5\07UBUVMP\AIM_UAC[1].adp 4/24/2006 9:14 PM 748 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temporary Internet Files\Content.IE5\07UBUVMP\AIM_UAC[2].adp 4/25/2006 10:13 AM 748 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temporary Internet Files\Content.IE5\07UBUVMP\AIM_UAC[3].adp 4/25/2006 10:31 PM 748 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temporary Internet Files\Content.IE5\07UBUVMP\AIM_UAC[4].adp 4/26/2006 7:02 PM 748 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temporary Internet Files\Content.IE5\07UBUVMP\AIM_UAC[6].adp 4/22/2006 3:07 PM 2.27 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temporary Internet Files\Content.IE5\07UBUVMP\AIM_UAC[7].adp 4/22/2006 3:47 PM 748 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temporary Internet Files\Content.IE5\07UBUVMP\AIM_UAC[8].adp 4/22/2006 7:10 PM 748 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temporary Internet Files\Content.IE5\07UBUVMP\Com_Mess;MN=93190294;wm=o;rm=1;sz=120x60;tile=1;dcove=d;ord=425976171[2] 4/26/2006 11:28 PM 490 bytes Hidden from Windows API.
C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temporary Internet Files\Content.IE5\07UBUVMP\Com_Mess;MN=93190294;wm=o;rm=1;sz=120x60;tile=1;dcove=d;ord=426098327[2] 4/26/2006 11:30 PM 490 bytes Hidden from Windows API.
C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temporary Internet Files\Content.IE5\07UBUVMP\Com_Mess;MN=93190294;wm=o;rm=1;sz=120x60;tile=1;dcove=d;ord=426580859[2] 4/26/2006 11:38 PM 490 bytes Hidden from Windows API.
C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temporary Internet Files\Content.IE5\07UBUVMP\Com_Mess;MN=93190294;wm=o;rm=1;sz=120x60;tile=1;dcove=d;ord=426673562[2] 4/26/2006 11:39 PM 515 bytes Hidden from Windows API.
C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temporary Internet Files\Content.IE5\07UBUVMP\ctrt=4[4] 4/26/2006 11:31 PM 489 bytes Hidden from Windows API.
C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temporary Internet Files\Content.IE5\07UBUVMP\ctrt=4[5] 4/26/2006 11:41 PM 489 bytes Hidden from Windows API.
C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temporary Internet Files\Content.IE5\IRI1MN6L\AIM_UAC[1].adp 4/23/2006 3:42 PM 748 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temporary Internet Files\Content.IE5\IRI1MN6L\AIM_UAC[2].adp 4/26/2006 10:00 AM 748 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temporary Internet Files\Content.IE5\IRI1MN6L\AIM_UAC[3].adp 4/22/2006 3:07 PM 748 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temporary Internet Files\Content.IE5\IRI1MN6L\Com_Mess;MN=93190294;wm=o;rm=1;sz=120x60;tile=1;dcove=d;ord=425915718[2] 4/26/2006 11:27 PM 515 bytes Hidden from Windows API.
C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temporary Internet Files\Content.IE5\IRI1MN6L\Com_Mess;MN=93190294;wm=o;rm=1;sz=120x60;tile=1;dcove=d;ord=426067702[2] 4/26/2006 11:29 PM 515 bytes Hidden from Windows API.
C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temporary Internet Files\Content.IE5\IRI1MN6L\Com_Mess;MN=93190294;wm=o;rm=1;sz=120x60;tile=1;dcove=d;ord=426159171[2] 4/26/2006 11:31 PM 490 bytes Hidden from Windows API.
C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temporary Internet Files\Content.IE5\IRI1MN6L\Com_Mess;MN=93190294;wm=o;rm=1;sz=120x60;tile=1;dcove=d;ord=426703968[2] 4/26/2006 11:40 PM 490 bytes Hidden from Windows API.
C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temporary Internet Files\Content.IE5\K7OR69YP\AIM_UAC[1].adp 4/23/2006 5:14 AM 748 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temporary Internet Files\Content.IE5\K7OR69YP\AIM_UAC[2].adp 4/24/2006 11:13 AM 748 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temporary Internet Files\Content.IE5\K7OR69YP\AIM_UAC[3].adp 4/24/2006 8:25 PM 748 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temporary Internet Files\Content.IE5\K7OR69YP\AIM_UAC[5].adp 4/25/2006 5:39 PM 748 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temporary Internet Files\Content.IE5\K7OR69YP\Com_Mess;MN=93190294;wm=o;rm=1;sz=120x60;tile=1;dcove=d;ord=426006827[2] 4/26/2006 11:28 PM 515 bytes Hidden from Windows API.
C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temporary Internet Files\Content.IE5\K7OR69YP\Com_Mess;MN=93190294;wm=o;rm=1;sz=120x60;tile=1;dcove=d;ord=426489812[2] 4/26/2006 11:36 PM 515 bytes Hidden from Windows API.
C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temporary Internet Files\Content.IE5\K7OR69YP\Com_Mess;MN=93190294;wm=o;rm=1;sz=120x60;tile=1;dcove=d;ord=426765030[2] 4/26/2006 11:41 PM 515 bytes Hidden from Windows API.
C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temporary Internet Files\Content.IE5\K7OR69YP\ctrt=4[4] 4/26/2006 11:30 PM 537 bytes Hidden from Windows API.
C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temporary Internet Files\Content.IE5\K7OR69YP\ctrt=4[5] 4/26/2006 11:40 PM 489 bytes Hidden from Windows API.
C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temporary Internet Files\Content.IE5\QB4VEB2R\AIM_UAC[1].adp 4/24/2006 6:06 PM 748 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temporary Internet Files\Content.IE5\QB4VEB2R\AIM_UAC[2].adp 4/23/2006 4:48 PM 748 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temporary Internet Files\Content.IE5\QB4VEB2R\AIM_UAC[3].adp 4/23/2006 5:03 PM 748 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temporary Internet Files\Content.IE5\QB4VEB2R\AIM_UAC[4].adp 4/23/2006 6:43 PM 748 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temporary Internet Files\Content.IE5\QB4VEB2R\AIM_UAC[5].adp 4/23/2006 8:27 PM 748 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temporary Internet Files\Content.IE5\QB4VEB2R\AIM_UAC[6].adp 4/24/2006 10:08 PM 748 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temporary Internet Files\Content.IE5\QB4VEB2R\Com_Mess;MN=93190294;wm=o;rm=1;sz=120x60;tile=1;dcove=d;ord=426037280[2] 4/26/2006 11:29 PM 515 bytes Hidden from Windows API.
C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temporary Internet Files\Content.IE5\QB4VEB2R\Com_Mess;MN=93190294;wm=o;rm=1;sz=120x60;tile=1;dcove=d;ord=426128749[2] 4/26/2006 11:30 PM 515 bytes Hidden from Windows API.
C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temporary Internet Files\Content.IE5\QB4VEB2R\Com_Mess;MN=93190294;wm=o;rm=1;sz=120x60;tile=1;dcove=d;ord=426642952[2] 4/26/2006 11:39 PM 490 bytes Hidden from Windows API.
C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temporary Internet Files\Content.IE5\QB4VEB2R\Com_Mess;MN=93190294;wm=o;rm=1;sz=120x60;tile=1;dcove=d;ord=426734577[2] 4/26/2006 11:40 PM 490 bytes Hidden from Windows API.
C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temporary Internet Files\Content.IE5\QB4VEB2R\ctrt=4[3] 4/26/2006 11:28 PM 489 bytes Hidden from Windows API.
C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temporary Internet Files\Content.IE5\QB4VEB2R\ctrt=4[4] 4/26/2006 11:38 PM 489 bytes Hidden from Windows API.
C:\WINNT\temp\MpCmdRun-6E-421CFC91-A93E-42AB-A35C-F06F127FCC44.lock 4/26/2006 11:34 PM 0 bytes Hidden from Windows API.
C:\WINNT\temp\TMP0000001CD6856B8872FFF4DE 4/26/2006 11:34 PM 512.00 KB Hidden from Windows API.
C:\WINNT\temp\TMP0000007C7FF7CA2F5EAAE499 4/27/2006 12:02 AM 22.00 MB Hidden from Windows API.


Blacklight Log:

04/28/06 19:11:34 [Info]: BlackLight Engine 1.0.36 initialized
04/28/06 19:11:34 [Info]: OS: 5.0 build 2195 (Service Pack 4)
04/28/06 19:11:34 [Note]: 7019 4
04/28/06 19:11:34 [Note]: 7005 0
04/28/06 19:15:04 [Note]: 7006 0
04/28/06 19:15:04 [Note]: 7011 1332
04/28/06 19:15:04 [Note]: 7026 0
04/28/06 19:15:04 [Note]: 7026 0
04/28/06 19:15:09 [Note]: FSRAW library version 1.7.1015
04/28/06 19:16:22 [Note]: 7006 0
04/28/06 19:16:22 [Note]: 7011 1332
04/28/06 19:16:22 [Note]: 7026 0
04/28/06 19:16:22 [Note]: 7026 0
04/28/06 19:16:25 [Note]: FSRAW library version 1.7.1015
04/28/06 19:20:13 [Note]: 7007 0

Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:29:19 PM, on 4/28/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZipToA.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\iTunes\iTunes.exe
C:\Documents and Settings\Jake.DOGWITCH\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://flashline.kent.edu/cp/home/loginf
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Startup: Shortcut to Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O4 - Global Startup: EPSON Background Monitor.lnk = C:\EPSON\ESM2\STMS.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINNT\system32\IomegaAccess.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINNT\system32\ZipToA.exe

#6 Grinler (Lawrence Abrams, Admin)

Posted 02 May 2006 - 03:36 PM

Looks ok....how does it feel to you?

#7 millerlite2407 (Topic Starter, Member)

Posted 04 May 2006 - 01:02 PM

It's running a lot better than when we first started, but Windows Defender is still detecting the TV Media Display bug every time it scans and it cannot be removed. Also, when I run Lavasoft Adaware Personal, the list of deleted trojans that I initially posted still comes up. I'm not sure if these are 'real' problems or not because my system seems to be running fine. If you have any other courses of action, just let me know.

#8 Grinler (Lawrence Abrams, Admin)

Posted 04 May 2006 - 04:20 PM

What are the manual directions Windows Defender is giving you?

Also do this and see if this clears your ad-aware results:

This process will clean out your Temp files and your Temporary Internet Files. Please do both steps:

Step 1: Delete Temp Files
To clean out your temp files, click on Start and then Run, type %temp% and press the OK button.

This should open up the temp directory that your machine uses. Please delete all files that are found there. If you get an error when deleting a file, skip that file and delete all the others. If you had trouble deleting a file, reboot into Safe Mode and follow this step again. You should now be able to delete all the files.

Step 2: Delete Temporary Internet Files
Now I want you to open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.
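The findings Ad-Aware keeps reporting are cache and temp entries of the kind shown earlier in the thread, which is why the two cleanup steps above are expected to clear them. As an added example (not part of the thread), the Python below parses lines in that "Hidden from Windows API" format and sorts each path into the step that removes it (Step 1 for the temp folders, Step 2 for Temporary Internet Files) or flags it for review when neither step covers it; the sample lines are constructed in the same layout and are not the poster's actual output.

```python
import re
from collections import defaultdict

# Constructed sample lines, laid out like the "Hidden from Windows API" findings in the thread.
SAMPLE_FINDINGS = [
    r"C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234\ad_banner[1] 4/26/2006 11:30 PM 515 bytes Hidden from Windows API.",
    r"C:\Documents and Settings\user\Local Settings\Temp\~tmp0001.tmp 4/26/2006 11:31 PM 1.50 KB Hidden from Windows API.",
    r"C:\WINNT\temp\TMP0000001CD6856B8872FFF4DE 4/26/2006 11:34 PM 512.00 KB Hidden from Windows API.",
    r"C:\WINNT\system32\example_hidden.dll 4/27/2006 12:02 AM 22.00 MB Hidden from Windows API.",
]

# Path comes first and may contain spaces, so anchor the match on the trailing date/time/size/marker.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2} [AP]M) "
    r"(?P<size>\d+(?:\.\d+)?) (?P<unit>bytes|KB|MB|GB) Hidden from Windows API\.$"
)
UNIT = {"bytes": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def classify(path):
    """Map a path to the cleanup step that removes it, or 'review' if neither step does."""
    p = path.lower()
    if "\\temporary internet files\\" in p:
        return "ie_cache"  # Step 2: Internet Options -> Delete Files (incl. offline content)
    if "\\local settings\\temp\\" in p or re.match(r"^[a-z]:\\(winnt|windows)\\temp\\", p):
        return "temp"  # Step 1: %temp% cleanup
    return "review"  # outside both steps; needs a closer look before acting on it


def parse_finding(line):
    """Return {'path', 'bytes', 'category'} for one finding, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size = int(float(m["size"]) * UNIT[m["unit"]])
    return {"path": m["path"], "bytes": size, "category": classify(m["path"])}


def triage(lines):
    """Group parsed findings by category; unparseable lines are skipped."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_finding(line)
        if rec:
            groups[rec["category"]].append(rec)
    return dict(groups)


if __name__ == "__main__":
    for category, recs in triage(SAMPLE_FINDINGS).items():
        print(category, [r["path"] for r in recs])
```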



