
Multiple Problems, Most Fixed... Still Some Left


10 replies to this topic

#1 workah0lic

workah0lic

  • Members
  • 17 posts
  • OFFLINE
  • Local time:07:53 PM

Posted 17 August 2006 - 04:28 AM

First off, let me say that I read through and did everything in the post about what to do before posting a HJT log...

My problem started about 3 days ago when I noticed that my PC was lagging on startup. There was a 10 second lag between the XP progress bar screen and the login screen. Also, my system itself was running slow. It was so slow that I couldn't even do much at times - spybot, adaware and ewido took forever but found nothing. System Mechanic found some adware, but it removed it easily. After all that, it was still having the same 2 problems although the lagging had decreased. I decided to re-image my system in order to eliminate whatever problem I was having. Everything was fine, but then it started acting up again after an hour or so.

I currently have: Spybot: Search & Destroy, Spyware Doctor, AdAware SE, ewido, XoftSpySE, Spyware Blaster and System Mechanic 6. After the re-image didn't really work, I started to do massive spyware scans. I have run all of these programs over and over again, in safe mode and regular mode. I have been through numerous restarts and I still haven't gotten rid of everything. One program will say that there are no problems, but then another will find something. After cleaning, I reboot only to find that another spyware has surfaced. Most of them are being found by Spython (part of System Mechanic), but AdAware and SpyBot have found some as well. Some of the things I am encountering are: 2Search, Elitebar, Look2Me, Trojan.Installer, plus many many others that I can't remember.

The most recent 2 I encountered were Adware-Defender and WinPup32. I really can't seem to get rid of WinPup32 (being found ONLY by System Mechanic's Spython). I have tried the manual removal methods also but to no avail. Once it is supposedly removed by System Mechanic, I reboot. I scan again and it's there again! This has happened over 10 times already. I have even tried removing it in safe mode 3 or 4 times.

I have no idea what to do. I believe the majority of the problems have been fixed, but I can't be sure. If anyone can help me out, I'd really appreciate it. Oh, I also forgot to mention that my Remote Registry Service was randomly enabled somehow as well. I disabled it as soon as I realized it was on, but I have no idea how long it was active for. Is that a problem?

Right now, the lagging issue is pretty much gone. The only lag I am getting now is between the progress bar of XP's startup and the login screen. There's still about a 10 second delay between those 2. Before, the transfer from 1 to the other was almost instant...

If I think of anything else that may be useful, I'll post it here. For now, here is my HiJackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 2:16:35 AM, on 8/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
D:\Program Files\ASUS\Ai Booster\OverClk.exe
d:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
D:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
D:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
D:\Program Files\Scansoft\PaperPort\pptd40nt.exe
D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
D:\Program Files\Yahoo!\browser\ybrwicon.exe
D:\Program Files\2Wire\2PortalMon.exe
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
D:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\ewido anti-spyware 4.0\ewido.exe
d:\Program Files\ewido anti-spyware 4.0\guard.exe
D:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
D:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
D:\Program Files\Eraser\eraser.exe
D:\Program Files\Google\GoogleToolbarNotifier\1.0.711.1664\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
d:\Program Files\Spyware Doctor\sdhelp.exe
D:\Program Files\palmOne\Hotsync.exe
D:\Program Files\LIUtilities\SpeedUpMyPC\speedupmypc.exe
d:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
D:\Program Files\Omni\Omni keyboard driver\5.0\KbdAp32A.exe
C:\WINDOWS\System32\alg.exe
D:\Program Files\Omni\OmniMouse Driver\4.06\Mouse32A.exe
D:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
D:\Program Files\iolo\System Mechanic 6\SysMech6.exe
D:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - d:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - D:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - D:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Launch Ai Booster] "d:\Program Files\ASUS\Ai Booster\OverClk.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTSysVol] d:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] d:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] d:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PaperPort PTD] d:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [YBrowser] d:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [2wSysTray] D:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [HP Software Update] "D:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DiskeeperSystray] "D:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [amd_dc_opt] "D:\Program Files\AMD\amd_dc_opt\amd_dc_opt.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [XoftSpySE] d:\Program Files\XoftSpySE\xoftspy.exe -s
O4 - HKLM\..\Run: [!ewido] "D:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [Spyware Doctor] "D:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SMSystemAnalyzer] "d:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [RemoteCenter] d:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Eraser] D:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [swg] d:\Program Files\Google\GoogleToolbarNotifier\1.0.711.1664\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Uniblue Registry Booster] D:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe /S
O4 - Startup: Ai Booster v2.00.70.lnk = ?
O4 - Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Startup: HP Image Zone Fast Start.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Omni keyboard driver 5.0.lnk = D:\Program Files\Omni\Omni keyboard driver\5.0\KbdAp32A.exe
O4 - Startup: OmniMouse Driver 4.06.lnk = D:\Program Files\Omni\OmniMouse Driver\4.06\Mouse32A.exe
O4 - Startup: palmOne Registration.lnk = D:\Program Files\palmOne\register.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HOTSYNC.lnk = D:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: SpeedUpMyPC.lnk = D:\Program Files\LIUtilities\SpeedUpMyPC\speedupmypc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://d:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - d:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - d:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - d:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.2.89.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.com/support/disc/asp/to.../npseatools.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - d:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - D:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - D:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Diskeeper - Diskeeper Corporation - D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - d:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - d:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - d:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - d:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\RpcSandraSrv.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - D:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - d:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - d:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


Again, thanks in advance to anyone that tries to help me. I really really appreciate it.

Chris


#2 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,648 posts
  • ONLINE
  • Gender:Male
  • Local time:06:53 PM

Posted 21 August 2006 - 01:13 PM

Hi workah0lic, welcome to BC and sorry for the delay.

I don't see any signs of infection in your log, just some clutter that can be fixed but that I doubt will solve your issues.

The WinPup32 issue is apparently a false positive of System Mechanic's Spython. Please see this info: http://www.wilderssecurity.com/showthread.php?t=140120

Since you have ewido installed, apparently Spython thinks part of it is malware. In my opinion, System Mechanic is over-rated and Spython is not yet to be trusted. I trialed SM a few years ago, before Spython was part of the package. They have some nice tools, but I didn't trust their registry cleaner and don't trust reg cleaners overall.

Spython is still relatively new. When it comes to malware removal, it is generally better to stick to programs that are tried and true. The problem with such all in one toolbox programs like SM is that they dilute their attention--I prefer programs that do one thing and do it well.

What I would suggest to you is that you not use Spython and contact SM to let them know of the false positive. They won't be able to develop the program into a good one without knowing of the problem. Stick to one antivirus, one firewall and no more than three good antispyware programs.

You should be in good shape with Spybot, Ad-Aware and SpywareDoctor (and if SpywareDoctor is a trial, I suggest you uninstall it). Ewido is more of an anti-trojan and is very trustworthy and works very well after the trial expires.

As to the lag issue, I'm not sure if it is malware related. I see by your log that you have a complex setup and several factors that may be affecting your system and could be difficult to sort out. It is still possible there is something malicious that is hidden from HijackThis, so we can do some more scans. But if we find nothing, I think you would be better served to post in the XP forum.

What I would like for you to do for now, since it has been a few days, is to post a fresh HijackThis log. Let me know of anything else you have tried and of any other progress you have made and we will take it from there.

Also, is your D drive a partition on your hard drive? Please give me a little more info on how that is set up.

The thing about people is they change when they walk away. --Mipso
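Papakid reads the log above by eye. As an added example (not HijackThis's own code, and not from anyone in this thread), the Python below parses the HijackThis O-line format and pulls out the entry types a log reader checks first: entries that point at a file that no longer exists, O16 ActiveX controls fetched from a URL, O4 autoruns sitting directly in the Windows directory, and O20 Winlogon Notify DLLs (the persistence spot that Look2Me, which the original post mentions, used). The sample log is a handful of lines taken from the posted log; the allowlist of Windows binaries that legitimately autorun out of system32 is an assumption of the example. A flag is a prompt to verify a file's publisher and origin, not a verdict: on this thread's log the flags land on the missing BitDefender uninstaller, online-scanner controls and Microsoft's WGA notification DLL, which is consistent with Papakid's reading that nothing looks infected.

```python
"""Triage helper for HijackThis v1.99 logs: parse the O-line format and
surface the entry types a log reader checks first.  Added example; it is
not part of HijackThis and does not decide whether anything is malicious."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Sample constructed from a handful of lines in the log posted above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Eraser] D:\Program Files\Eraser\eraser.exe -hide
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.2.89.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - d:\Program Files\Yahoo!\common\yinsthelper.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Diskeeper - Diskeeper Corporation - D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
"""


@dataclass
class Entry:
    section: str  # R0..R3, O2, O4, O16, O20, O23, ...
    body: str     # everything after "Oxx - "


@dataclass
class Finding:
    category: str
    entry: Entry


LINE_RE = re.compile(r"^(?P<section>R[0-3]|O\d{1,2}) - (?P<body>.+)$")

# Windows binaries that legitimately autorun straight out of system32.
# Assumption of this example: a short allowlist is enough; extend to taste.
KNOWN_WINDOWS_AUTORUNS = {"ctfmon.exe"}


def parse_hjt(log: str) -> list[Entry]:
    """Keep only the Rn/Onn lines; the header and process list are skipped."""
    entries = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def _o4_command(body: str) -> str | None:
    """Executable path of an O4 Run entry, or None for Startup .lnk lines."""
    _, sep, rest = body.partition("] ")
    if not sep:
        return None
    m = re.match(r"(.+?\.exe)", rest.strip().strip('"'), re.IGNORECASE)
    return m.group(1) if m else None


def _lives_in_windows_dir(path: str) -> bool:
    """True for files sitting directly in the Windows or system32 directory."""
    parent, _, name = path.lower().rpartition("\\")
    return parent.endswith(("\\windows", "\\windows\\system32")) and name not in KNOWN_WINDOWS_AUTORUNS


def triage(entries: list[Entry]) -> list[Finding]:
    """Flag the entry types worth a second look.  A flag is a prompt to
    verify the file's publisher and origin, not a malware verdict."""
    findings: list[Finding] = []
    for e in entries:
        if "(file missing)" in e.body:
            # Registry points at a file that is gone: an uninstall leftover,
            # or a removal that did not clean up the registry.
            findings.append(Finding("orphan", e))
        if e.section == "O16":
            # Downloaded Program Files ActiveX control fetched from a URL;
            # check the host before leaving it installed.
            target = e.body.rsplit(" - ", 1)[-1].strip()
            if target.lower().startswith(("http://", "https://")):
                findings.append(Finding("remote_activex", e))
        if e.section == "O4":
            cmd = _o4_command(e.body)
            if cmd and _lives_in_windows_dir(cmd):
                # Third-party autoruns dropped straight into the Windows
                # directory are where a log reader looks first.
                findings.append(Finding("system_dir_autorun", e))
        if e.section == "O20":
            # Winlogon Notify DLLs are loaded into winlogon.exe; always read them.
            findings.append(Finding("winlogon_notify", e))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count of findings per category."""
    return dict(Counter(f.category for f in findings))


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{f.category:20} {f.entry.section} - {f.entry.body}")
```

Paste a full log into SAMPLE_LOG (or read it from a file) and the script lists the four flagged lines from the sample; everything it prints still needs a human to confirm the publisher, exactly as Papakid does with the Symantec, PC Tools and Creative entries above.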


#3 workah0lic

workah0lic
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:07:53 PM

Posted 21 August 2006 - 01:40 PM

I really appreciate the response and the 411 about the false positive. I think I was possibly really infected prior to ewido, or it could have been some other error since I was getting WinPup32 flags before I installed ewido (it was the whole reason I DL'd ewido). I found that in order to get rid of the flag, be it an ewido error or some other false positive, I had to reboot in safe mode. Once in safe mode, I cannot simply use spython to remove it. Once it is removed, Spython continues to see it there and attempts to remove it again. The only way to remove it is to run Spython and then run Registry Booster. After that, it's gone and won't show up for a couple of days. But alas, it always comes back. heh...

My D drive is a separate drive altogether. I set it up so that all my programs install there and only the core OS is on my C drive.

Below is a new HJT log. Again, thanks for your help.

Logfile of HijackThis v1.99.1
Scan saved at 11:34:05 AM, on 8/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\ASUS\Ai Booster\OverClk.exe
D:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
D:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
D:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
D:\Program Files\Yahoo!\browser\ybrwicon.exe
d:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
D:\Program Files\2Wire\2PortalMon.exe
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
D:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\CTsvcCDA.exe
D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
D:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
D:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Eraser\eraser.exe
D:\Program Files\Google\GoogleToolbarNotifier\1.0.711.1664\GoogleToolbarNotifier.exe
d:\Program Files\ewido anti-spyware 4.0\guard.exe
D:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
D:\Program Files\LIUtilities\SpeedUpMyPC\speedupmypc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
D:\Program Files\Omni\Omni keyboard driver\5.0\KbdAp32A.exe
D:\Program Files\Omni\OmniMouse Driver\4.06\Mouse32A.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
d:\Program Files\Spyware Doctor\sdhelp.exe
D:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
d:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
D:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - d:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - D:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - D:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Launch Ai Booster] "d:\Program Files\ASUS\Ai Booster\OverClk.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTSysVol] d:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] d:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] d:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PaperPort PTD] d:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [YBrowser] d:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [2wSysTray] D:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [HP Software Update] "D:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DiskeeperSystray] "D:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [amd_dc_opt] "D:\Program Files\AMD\amd_dc_opt\amd_dc_opt.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [XoftSpySE] d:\Program Files\XoftSpySE\xoftspy.exe -s
O4 - HKCU\..\Run: [Spyware Doctor] "D:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SMSystemAnalyzer] "d:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [RemoteCenter] d:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Eraser] D:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [swg] d:\Program Files\Google\GoogleToolbarNotifier\1.0.711.1664\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Uniblue Registry Booster] D:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe /S
O4 - Startup: Ai Booster v2.00.70.lnk = ?
O4 - Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Startup: HP Image Zone Fast Start.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Omni keyboard driver 5.0.lnk = D:\Program Files\Omni\Omni keyboard driver\5.0\KbdAp32A.exe
O4 - Startup: OmniMouse Driver 4.06.lnk = D:\Program Files\Omni\OmniMouse Driver\4.06\Mouse32A.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HOTSYNC.lnk = D:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: SpeedUpMyPC.lnk = D:\Program Files\LIUtilities\SpeedUpMyPC\speedupmypc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://d:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - d:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - d:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - d:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.com/support/disc/asp/to.../npseatools.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - d:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - D:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - D:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Diskeeper - Diskeeper Corporation - D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - d:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - d:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - d:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - d:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\RpcSandraSrv.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - D:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - d:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - d:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


What exactly should I clean up, or is that a question better saved for the XP thread?

Thanks and take care,

Chris

Edited by workah0lic, 21 August 2006 - 01:42 PM.


#4 Papakid (Malware Response Team, 6,648 posts)

Posted 21 August 2006 - 08:03 PM

OK, well, I get the feeling that whatever is being flagged is not malicious. Some scanners are flagging legitimate tools that can be used for good or ill, known as Riskware or Hacktools and various other terms. Anything that can make changes to the system and registry might be brought to your attention; these aren't really false positives, because the scanner doesn't know if it is something you put there yourself or if it came along with malware. With all the tools you have running, it could be several of both Riskware and false positives.

It would be helpful to know exactly what is getting flagged. The exact file name and what folder it is in and/or the exact reg entry. I don't know if Spython will show that--some scanners just tell you they found something and just name the infection. So I want to see some logs that I know will give some good details. If you have any saved logs from Spython showing what they cleaned, you can post that too as it's possible I might get some info from it.

I just get the feeling that part of Reg Booster might be what is getting pointed to as bad. It's running in the background and can make changes to the registry, so might be why you're catching things in normal mode and not safe mode (if I'm understanding you correctly). Or one of the other many tools you have running in the background. More on that later.

Let's try the following:

---------------------------------

Scan again with HijackThis and put a checkmark next to the following entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =


Close all other windows--you should only see HijackThis on your Desktop--and then click the "Fix checked" button.
---------------
While you have HijackThis open--

Click the Config... button then the Misc Tools button.

Now click the Open Uninstall Manager button, then the Save List button. Save the list somewhere convenient like My Documents and then the list will open in Notepad. Copy and Paste that list into your next reply to this post.
------------------------

Update and run ewido. I would like to see a log from both normal and safe mode. If you are still running version 3.5, uninstall it first and download and install it according to the following instructions. If you have version 4, ignore the part about downloading and installing, but go over the steps to ensure you have it configured correctly. This is a canned speech for running it in safe mode--just run it in normal mode first, then boot into safe mode to run it again and post both logs.

First download ewido anti-spyware from HERE and save that file to your desktop.
  • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run ewido and update the definition files.
  • On the main screen select the "Update" icon then click "Start Update". The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
  • Select "Automatically generate report after every scan"
  • Un-Select "Only if threats were found"
Close ewido anti-spyware and reboot your computer into Safe Mode.
  • Launch ewido anti-spyware by double-clicking the icon on your desktop.
    IMPORTANT: Do not open any other windows or programs while ewido is scanning; it may interfere with the scanning process.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan"
  • Ewido will now begin the scanning process, be patient this may take a little time.
  • Ewido will list any infections found on the left hand side. When the scan has finished, it should automatically set the recommended action to Quarantine--if not click on Recommended Action and set it there. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
  • Close ewido.
-----------------------------

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
_______________

Please perform this online scan: Kaspersky Webscan

Note that you need to run this scan with Internet Explorer for it to work correctly. Also, a new version came out on Aug. 8, 2006, so if you have used this online scanner previous to that date, please uninstall the components that are already on your computer by going to Add or Remove Programs through your Control Panel and uninstalling Kaspersky Online Scanner. Then click on the link above and proceed with the following:

1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
NOTE: If you are running XP SP2, you may need to click on the Information Bar to allow the ActiveX to install and may need to repeat step 1.
3. Select "Install" to download the ActiveX controls that allow ActiveScan to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. Wait for the scanner to initialize and update its databases. When the download is complete it will say ready, click "Next"
6. Click "Scan Settings" and check the option to use the EXTENDED DATABASE, then click "OK"
7. Select a target to scan: Click on "My Computer" and the scan will begin.
8. When the scan is complete, save the results by clicking "Save Report As Text". Give the report a name and save it to your desktop.
9. Post the Kaspersky scan results in your next reply.
-----------
Post back with all those logs along with a fresh HijackThis log and we should have a better idea what is going on. Also if you have any programs that have disabled startups, go in and re-enable them before you do the HJT scan. This way I can see what may need to be fixed permanently. You can disable them again once the scan is done and before you reboot.

So D is an internal slave hard drive or external or something else?

The thing about people is they change when they walk away. --Mipso
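A way to apply the triage Papakid describes (orphaned R0 entries to fix, services and Winlogon DLLs to vet by owner and path) to a HijackThis 1.99 log mechanically. This is an added example, not code from the thread or from the HijackThis project. It assumes the HJT line formats as they appear in the logs posted here and that HJT prints "Unknown owner" for a service with no company name; the sample log mixes lines copied from this thread with two fake entries (exhelp.exe, example.dll) invented to show what a flagged line looks like.

```python
"""Triage heuristics for HijackThis 1.99 log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Directories a service or Winlogon DLL should not normally run from (user-writable).
SUSPICIOUS_DIRS = ("\\temp\\", "\\local settings\\", "\\documents and settings\\", "\\application data\\")
SYSTEM32 = "\\windows\\system32\\"


@dataclass
class Finding:
    kind: str     # HJT section prefix, e.g. "O23"
    item: str     # registry key, file or URL the entry points at
    verdict: str  # "fix", "review" or "ok"
    reason: str


def _unvetted_path(path: str) -> bool:
    """A bare name is resolved through the search path, so the log cannot tell which
    file actually runs; profile and temp directories are writable by the user."""
    p = path.lower()
    if not re.match(r"^[a-z]:\\", p):
        return True
    return any(d in p for d in SUSPICIOUS_DIRS)


def triage_line(line: str) -> Optional[Finding]:
    """Classify one HJT line; returns None for sections this example does not handle."""
    line = line.strip()
    m = re.match(r"^(R[01]) - (.+?) =\s*(.*)$", line)
    if m:
        kind, key, value = m.groups()
        if not value:
            return Finding(kind, key, "fix", "empty value: orphaned entry, safe to fix")
        return Finding(kind, key, "ok", f"set to {value}")
    m = re.match(r"^O20 - Winlogon Notify: (\S+) - (.+)$", line)
    if m:
        name, dll = m.groups()
        if SYSTEM32 not in dll.lower() or _unvetted_path(dll):
            return Finding("O20", dll, "review", f"Winlogon Notify DLL '{name}' loads from outside system32")
        return Finding("O20", dll, "ok", f"Winlogon Notify DLL '{name}' in system32")
    if line.startswith("O23 - Service: "):
        # Format: "O23 - Service: NAME - COMPANY - PATH"; the path is always the last field.
        parts = line[len("O23 - Service: "):].split(" - ")
        if len(parts) >= 3:
            name, path = parts[0], parts[-1]
            company = " - ".join(parts[1:-1])
            if company == "Unknown owner" or _unvetted_path(path):
                return Finding("O23", path, "review", f"service '{name}' ({company}) runs from an unvetted path")
            return Finding("O23", path, "ok", f"service '{name}' attributed to {company}")
    m = re.match(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\}) \((.+?)\) - (\S+)$", line)
    if m:
        clsid, name, url = m.groups()
        host = urlsplit(url).netloc
        return Finding("O16", url, "review", f"downloaded ActiveX control '{name}' {clsid} from {host}")
    return None


def triage(log_text: str) -> List[Finding]:
    return [f for f in (triage_line(ln) for ln in log_text.splitlines()) if f is not None]


# Constructed sample: the first six lines are copied from the logs in this thread; the
# last two are hypothetical entries (fake names) showing what a flagged line looks like.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.com/support/disc/asp/to.../npseatools.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Diskeeper - Diskeeper Corporation - D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Example Helper (exhelp) - Unknown owner - C:\Documents and Settings\Chris\Local Settings\Temp\exhelp.exe
O20 - Winlogon Notify: example - C:\WINDOWS\Temp\example.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.verdict:6} {f.kind}  {f.reason}")
```

The two empty "Local Page" R0 entries come out as "fix", exactly the lines Papakid asks to have checked; the Seagate O16 control is only "review" because a downloaded ActiveX control is worth a look even when the vendor is known, and the two fake entries show the user-writable-path and outside-system32 rules firing.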


#5 workah0lic (Topic Starter, Members, 17 posts)

Posted 22 August 2006 - 09:10 PM

I'll get to work on this tonight and update you as soon as I am done. Thanks again for your help. Also, D is an internal HDD running on SATA - all my drives are running on SATA. I have:

C: Internal - Raptor for OS only
D: Internal - for programs and my documents
E: External - for downloads
F: Internal - for storage
G: Nothing Assigned as of now - removed the existing drive
H: External IDE/USB2.0 HDD for backups
I: External Backup to the Backup (I'm being extra careful due to past events)
J:, K: DVD-+R Drives
L: M: N: O: Card Reader

Hope that clarifies things.

Also, I found that the false positive is exactly what others are finding in that link you posted - It's ewido's startup entry in my registry. So I assume everything is clean. The only problem that I do have is the sudden lag between the Loading bar screen of XP Pro and the Login Screen. I originally thought it was only about 10 seconds, but found that it's really around 20 seconds after closer inspection/timing.

Edited by workah0lic, 22 August 2006 - 09:12 PM.


#6 workah0lic (Topic Starter, Members, 17 posts)

Posted 23 August 2006 - 12:41 AM

OK. So I am almost finished with everything (no new HJT or Kaspersky log yet - see notes below). Here is what I have so far:

HJT Uninstall List:

2Wire Wireless Client
AC3Filter (remove only)
Acronis True Image Home
Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0
Ai Booster
AMD Dual-Core Optimizer
AsusUpdate
Athlon 64 Processor Driver
BitTornado 0.3.7
CC_ccProxyExt
ccCommon
ccPxyCore
Cool & Quiet
Creative DVD Audio Plugin for Audigy Series
Creative MediaSource
Creative System Information
Data Lifeguard Tools
Direct Show Ogg Vorbis Filter (remove only)
DiscWizard for Windows
Diskeeper Professional Premier Edition
DivX
DivX Converter
DivX Player
DivX Web Player
DivxToDVD 0.5.2
DVD Decrypter (Remove Only)
DVD Shrink 3.2
Eraser
ewido anti-spyware 4.0
Google Toolbar for Internet Explorer
HijackThis 1.99.1
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows XP (KB896344)
HP Image Zone 4.7
HP PSC & OfficeJet 4.7
HP Software Update
InterVideo WinDVD 5
iolo technologies' DriveScrubber
iolo technologies' System Mechanic 6
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 6
LiveUpdate 3.0 (Symantec Corporation)
Marvell Miniport Driver
Matroska Pack - Lazy Man's MKV 0.94 (2004-11-11)
Max Payne
MechWarrior 4 Mercenaries
MechWarrior Black Knight
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Office XP Professional with FrontPage
MSRedist
Nero OEM
Norton AntiSpam
Norton AntiSpam
Norton AntiVirus 2006
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security 2006 (Symantec Corporation)
Norton Protection Center
Norton WMI Update
Norton WMI Update
NVIDIA Drivers
Omni keyboard driver 5.0
OmniMouse Driver 4.06
palmOne
PaperPort 8.0 SE
PC Inspector File Recovery
PC Probe II
QuickTime
Registry Mechanic 5.2
SBC Yahoo! Applications
SBC Yahoo! DSL Home Networking Installer
Seagate SeaTools English Online
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Sid Meier's Pirates!
SiSoftware Sandra Lite 2007 (Win64/32/CE)
Sound Blaster Audigy 2 ZS
SPBBC
SpeedUpMyPC
Spybot - Search & Destroy 1.4
Spyware Doctor 3.8
SpywareBlaster v3.5.1
Starcraft
SureThing CD Labeler Deluxe 4
UberSoldier
Uniblue Registry Booster
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
VideoLAN VLC media player 0.8.1
Windows Driver Package - (mr7910) Image 06/28/2005 1.3.0.0
Windows Installer 3.1 (KB893803)
Windows Media Connect
Windows Media Format Runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
WinTasks
XoftSpySE
XviD Media Codec 1.1.1
Yahoo! Install Manager
Yahoo! SiteBuilder
Z Steel Soldiers

ewido Report:
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:39:04 PM 8/22/2006

+ Scan result:



Nothing found.


::Report end


Combo Fix Log:
Chris - 06-08-22 20:20:40.25
ComboFix 06.08.18 - Running from: C:\Documents and Settings\Chris\Desktop

((((((((((((((((((((((((((((((( Files Created from 2006-07-22 to 2006-08-22 ))))))))))))))))))))))))))))))))))


2006-08-16 15:01 87,808 C:\WINDOWS\system32\S32EVNT1.DLL
2006-08-07 16:02 534,208 C:\WINDOWS\system32\SymNeti.dll
2006-08-07 16:02 161,472 C:\WINDOWS\system32\SymRedir.dll
2006-07-31 00:24 967 C:\WINDOWS\ScUnin.pif
2006-07-31 00:24 70,656 C:\WINDOWS\ScUnin.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-22 19:05 -------- d-------- C:\Program Files\HijackThis
2006-08-22 00:13 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-08-21 11:13 -------- d-------- C:\Documents and Settings\Chris\Application Data\Registry Booster
2006-08-21 02:25 -------- d-------- C:\Documents and Settings\Chris\Application Data\dvdcss
2006-08-17 22:43 -------- d---s---- C:\Documents and Settings\Chris\Application Data\Microsoft
2006-08-16 23:54 -------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2006-08-16 15:29 -------- d-------- C:\Program Files\Common Files
2006-08-16 15:25 -------- d-------- C:\Documents and Settings\Chris\Application Data\Symantec
2006-08-16 15:03 10344 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2006-08-08 21:47 67712 --a------ C:\WINDOWS\system32\drivers\SI3132.sys
2006-08-07 16:02 534208 --a------ C:\WINDOWS\system32\SymNeti.dll
2006-08-07 16:02 31936 --a------ C:\WINDOWS\system32\drivers\symids.sys
2006-08-07 16:02 28352 --a------ C:\WINDOWS\system32\drivers\symndis.sys
2006-08-07 16:02 24768 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
2006-08-07 16:02 195776 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
2006-08-07 16:02 161472 --a------ C:\WINDOWS\system32\SymRedir.dll
2006-08-07 16:02 110784 --a------ C:\WINDOWS\system32\drivers\symfw.sys
2006-08-07 16:01 12992 --a------ C:\WINDOWS\system32\drivers\symdns.sys
2006-08-06 02:26 -------- d-------- C:\Program Files\Common Files\EasyInfo
2006-08-06 02:10 967 --a------ C:\WINDOWS\ScUnin.pif
2006-08-06 02:10 70656 --a------ C:\WINDOWS\ScUnin.exe
2006-08-02 17:36 -------- d-------- C:\Documents and Settings\Chris\Application Data\Google
2006-07-27 06:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 01:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-17 00:28 1179136 --a------ C:\WINDOWS\system32\AutoPartNt.exe
2006-07-16 23:35 51072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2006-07-16 23:35 30592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys
2006-07-14 03:24 -------- d-------- C:\Program Files\Internet Explorer
2006-07-13 06:01 -------- d-------- C:\Documents and Settings\Chris\Application Data\Help
2006-07-11 15:20 -------- d-------- C:\Documents and Settings\Chris\Application Data\AdobeUM
2006-07-10 08:52 -------- d-------- C:\Program Files\Symantec
2006-07-10 08:43 53248 --a------ C:\WINDOWS\PalmDevC.dll
2006-07-10 08:43 16694 --a------ C:\WINDOWS\system32\drivers\PalmUSBD.sys
2006-07-10 07:49 -------- d-------- C:\Documents and Settings\Chris\Application Data\vlc
2006-07-10 07:49 -------- d-------- C:\Documents and Settings\Chris\Application Data\Lavasoft
2006-07-10 07:49 -------- d-------- C:\Documents and Settings\Chris\Application Data\InterVideo
2006-07-10 07:49 -------- d-------- C:\Documents and Settings\Chris\Application Data\HotSync
2006-07-10 07:49 -------- d-------- C:\Documents and Settings\Chris\Application Data\Apple Computer
2006-07-10 07:49 -------- d-------- C:\Documents and Settings\Chris\Application Data\Adobe
2006-07-10 07:49 -------- d-------- C:\Documents and Settings\Chris\Application Data\.BitTornado
2006-07-10 07:48 62 --ahs---- C:\Documents and Settings\Chris\Application Data\desktop.ini
2006-07-03 14:40 778240 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-07-03 14:40 778240 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-07-03 14:40 761856 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-07-03 14:40 620180 --a------ C:\WINDOWS\system32\DivX.dll
2006-06-27 14:24 31744 --a------ C:\WINDOWS\system32\drivers\AmdTools.sys
2006-06-26 03:10 -------- d-------- C:\Documents and Settings\Chris\Application Data\Ahead
2006-06-25 23:55 36734 --a------ C:\WINDOWS\system32\OggDSuninst.exe
2006-06-25 23:50 -------- d-------- C:\Program Files\Common Files\LightScribe
2006-06-25 23:45 -------- d-------- C:\Documents and Settings\Chris\Application Data\Sun
2006-06-25 23:43 -------- d-------- C:\Program Files\Common Files\Java
2006-06-25 23:41 -------- d-------- C:\Program Files\Common Files\SureThing Shared
2006-06-25 23:38 -------- d-------- C:\Program Files\Common Files\Adobe
2006-06-25 23:24 -------- d-------- C:\Documents and Settings\Chris\Application Data\Leadertech
2006-06-25 23:12 -------- d-------- C:\Program Files\Common Files\System
2006-06-25 23:12 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-06-25 23:12 -------- d-------- C:\Program Files\Common Files\Designer
2006-06-25 23:07 34308 --a------ C:\WINDOWS\system32\BASSMOD.dll
2006-06-25 23:06 223128 --a------ C:\WINDOWS\system32\drivers\vaxscsi.sys
2006-06-25 22:57 96256 --a------ C:\WINDOWS\system32\drivers\sptd0573.sys
2006-06-25 22:57 642560 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2006-06-25 22:52 -------- d-------- C:\Program Files\Common Files\InterVideo
2006-06-25 22:36 -------- d-------- C:\Program Files\Common Files\Ahead
2006-06-25 21:55 99776 --a------ C:\WINDOWS\system32\drivers\snapman.sys
2006-06-25 21:55 388000 --a------ C:\WINDOWS\system32\drivers\timntr.sys
2006-06-25 21:55 32288 --a------ C:\WINDOWS\system32\drivers\tifsfilt.sys
2006-06-25 21:55 -------- d-------- C:\Program Files\Common Files\Acronis
2006-06-25 21:53 -------- d-------- C:\Program Files\Common Files\HP
2006-06-25 21:50 -------- d-------- C:\Program Files\Common Files\Hewlett-Packard
2006-06-25 21:46 -------- d-------- C:\Program Files\HP
2006-06-25 19:40 -------- d-------- C:\Documents and Settings\Chris\Application Data\SBC Yahoo! Messenger
2006-06-25 19:38 -------- d-------- C:\Documents and Settings\Chris\Application Data\Yahoo!
2006-06-25 19:19 -------- d-------- C:\Documents and Settings\Chris\Application Data\Macromedia
2006-06-25 19:16 -------- d-------- C:\Documents and Settings\Chris\Application Data\Creative
2006-06-25 19:03 -------- d-------- C:\Program Files\Common Files\scansoft shared
2006-06-25 18:15 -------- d-------- C:\Program Files\iolo
2006-06-25 17:37 -------- d-------- C:\Program Files\Windows Media Player
2006-06-25 17:37 -------- d-------- C:\Program Files\Messenger
2006-06-25 17:35 -------- d-------- C:\Program Files\Outlook Express
2006-06-25 17:13 -------- d-------- C:\Program Files\MSI
2006-06-25 17:05 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-06-25 17:04 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-06-25 17:04 -------- d-------- C:\Program Files\ASUS
2006-06-25 16:24 -------- d-------- C:\Program Files\Google
2006-06-25 16:16 -------- d-------- C:\Program Files\Marvell
2006-06-25 16:15 -------- d-------- C:\Program Files\AMD
2006-06-25 16:04 -------- d-------- C:\Documents and Settings\Chris\Application Data\PC Tools
2006-06-25 15:26 -------- d--h----- C:\Program Files\Uninstall Information
2006-06-25 15:26 -------- d-------- C:\Documents and Settings\Chris\Application Data\Identities
2006-06-25 15:21 0 -rahs---- C:\MSDOS.SYS
2006-06-25 15:21 0 -rahs---- C:\IO.SYS
2006-06-25 15:21 0 --a------ C:\CONFIG.SYS
2006-06-25 15:21 0 --a------ C:\AUTOEXEC.BAT
2006-06-25 15:21 -------- d-------- C:\Program Files\microsoft frontpage
2006-06-25 15:20 -------- d--h----- C:\Program Files\WindowsUpdate
2006-06-25 15:20 -------- d-------- C:\Program Files\NetMeeting
2006-06-25 15:20 -------- d-------- C:\Program Files\Common Files\Services
2006-06-25 15:20 -------- d-------- C:\Program Files\Common Files\MSSoap
2006-06-25 15:19 -------- d-------- C:\Program Files\Movie Maker
2006-06-25 15:18 -------- d-------- C:\Program Files\Windows NT
2006-06-25 15:18 -------- d-------- C:\Program Files\MSN Gaming Zone
2006-06-25 15:18 -------- d-------- C:\Program Files\MSN
2006-06-25 07:42 -------- d-------- C:\Program Files\Common Files\ODBC
2006-06-25 07:41 -------- d-------- C:\Program Files\Common Files\SpeechEngines
2006-06-21 03:49 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2006-06-21 03:43 520192 --a------ C:\WINDOWS\system32\DivXsm.exe
2006-06-21 03:43 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2006-06-21 03:42 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2006-06-21 03:42 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2006-06-21 03:34 90112 --a------ C:\WINDOWS\system32\dpl100.dll
2006-06-21 03:34 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2006-06-21 03:34 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2006-06-21 03:34 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2006-06-21 03:34 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2006-06-21 03:34 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2006-06-21 03:34 200704 --a------ C:\WINDOWS\system32\dtu100.dll
2006-06-21 03:33 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2006-06-21 03:33 118784 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2006-06-01 15:11 109568 --------- C:\WINDOWS\system32\pxinsi64.exe
2006-06-01 15:11 108544 --------- C:\WINDOWS\system32\pxcpyi64.exe
2006-06-01 15:07 245408 --a------ C:\WINDOWS\system32\unicows.dll
2006-05-29 07:05 761856 --a------ C:\WINDOWS\system32\xvidcore.dll
2006-05-25 01:22 53248 --a------ C:\WINDOWS\bdoscandel.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Launch Ai Booster"="\"d:\\Program Files\\ASUS\\Ai Booster\\OverClk.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"SW20"="C:\\WINDOWS\\system32\\sw20.exe"
"SW24"="C:\\WINDOWS\\system32\\sw24.exe"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"CTSysVol"="d:\\Program Files\\Creative\\SBAudigy2ZS\\Surround Mixer\\CTSysVol.exe /r"
"CTDVDDET"="d:\\Program Files\\Creative\\SBAudigy2ZS\\DVDAudio\\CTDVDDet.EXE"
"CTHelper"="CTHELPER.EXE"
"SBDrvDet"="d:\\Program Files\\Creative\\SB Drive Det\\SBDrvDet.exe /r"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"PaperPort PTD"="d:\\Program Files\\Scansoft\\PaperPort\\pptd40nt.exe"
"YBrowser"="d:\\Program Files\\Yahoo!\\browser\\ybrwicon.exe"
"2wSysTray"="D:\\Program Files\\2Wire\\2PortalMon.exe"
"HP Software Update"="\"D:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"Acronis Scheduler2 Service"="\"C:\\Program Files\\Common Files\\Acronis\\Schedule2\\schedhlp.exe\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"QuickTime Task"="\"D:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"DiskeeperSystray"="\"D:\\Program Files\\Diskeeper Corporation\\Diskeeper\\DkIcon.exe\""
"amd_dc_opt"="\"D:\\Program Files\\AMD\\amd_dc_opt\\amd_dc_opt.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"!ewido"="\"D:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="\"D:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
"SMSystemAnalyzer"="\"d:\\Program Files\\iolo\\System Mechanic 6\\SMSystemAnalyzer.exe\""
"RemoteCenter"="d:\\Program Files\\Creative\\MediaSource\\RemoteControl\\RCMan.EXE"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Eraser"="D:\\Program Files\\Eraser\\eraser.exe -hide"
"swg"="d:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.711.1664\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoRecentDocsMenu"=dword:00000001
"StartMenuLogOff"=dword:00000001
"ClearRecentDocsOnExit"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="\"d:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="\"d:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Chris.job
C:\WINDOWS\tasks\XoftSpySE.job

Completion time: Tue 08/22/2006 20:20:55.26
ComboFix.txt



New HJT Log
I will post this in the morning, once Kaspersky is done scanning. It has been running for 20 minutes and has only gotten to 1% completion.

Kaspersky Scan Log:
Since Kaspersky is taking so long, I'll put this log in tomorrow also. Sorry for the delay

Edited by workah0lic, 23 August 2006 - 12:42 AM.
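The "Reg Loading Points" section in the ComboFix log above is printed in REGEDIT4 (.reg) syntax, so its Run values can be decoded mechanically, including the hex(2) KernelFaultCheck value, which is a REG_EXPAND_SZ string. The following is an added example, not ComboFix's own code. It assumes the ANSI one-byte-per-character encoding that the dump shows (with a heuristic fallback for UTF-16LE REGEDIT5 exports) and works on a constructed subset of the Run entries from the log. It also flags values that name a bare executable (nwiz.exe, CTHELPER.EXE, RUNDLL32.EXE), which Windows locates through its search path, so the log alone does not identify which file on disk actually runs.

```python
"""Decode the 'Reg Loading Points' section of a ComboFix log (added example, not ComboFix code)."""
import re
from typing import Dict, Iterator, List, Tuple, Union

RegValue = Union[str, int, bytes]
BARE = "bare filename, resolved via PATH search"


def _logical_lines(text: str) -> Iterator[str]:
    """Re-join .reg continuation lines (a trailing backslash, as on the hex(2) value)."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if buf:
            line = line.lstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def decode_string_bytes(b: bytes) -> str:
    # Assumption: REGEDIT4 dumps (what ComboFix printed here) are ANSI, one byte per
    # character; a REGEDIT5 export is UTF-16LE, recognisable by every second byte being 0.
    if len(b) >= 2 and len(b) % 2 == 0 and not any(b[1::2]):
        return b.decode("utf-16-le").rstrip("\x00")
    return b.decode("cp1252").rstrip("\x00")


def decode_data(data: str) -> RegValue:
    if data.startswith('"') and data.endswith('"'):   # REG_SZ with \\ and \" escapes
        return re.sub(r"\\(.)", r"\1", data[1:-1])
    if data.startswith("dword:"):                       # REG_DWORD, hexadecimal
        return int(data[len("dword:"):], 16)
    if data.startswith("hex(2):"):                      # REG_EXPAND_SZ
        return decode_string_bytes(bytes.fromhex(data[len("hex(2):"):].replace(",", "")))
    if data.startswith("hex:"):                         # REG_BINARY
        return bytes.fromhex(data[len("hex:"):].replace(",", ""))
    return data


def parse_reg_dump(text: str) -> Dict[str, Dict[str, RegValue]]:
    """Map each [KEY] to its "name"=data values, decoded."""
    keys: Dict[str, Dict[str, RegValue]] = {}
    current = None
    for line in _logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1)] = decode_data(m.group(2))
    return keys


def executable_of(command: str) -> str:
    """First token of a Run value: the quoted path, or the bare first word."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(None, 1)[0] if command else ""


def audit_run_keys(reg: Dict[str, Dict[str, RegValue]]) -> List[Tuple[str, str, str, str]]:
    """(key, value name, executable, note) for every string value under a ...\\Run key."""
    out = []
    for key, values in reg.items():
        if not key.lower().endswith("\\run"):
            continue
        for name, data in values.items():
            if isinstance(data, str):
                exe = executable_of(data)
                out.append((key, name, exe, BARE if "\\" not in exe else "explicit path"))
    return out


# Constructed sample: a subset of the Run entries from the ComboFix log above,
# in the REGEDIT4 syntax ComboFix printed them in.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"CTHelper"="CTHELPER.EXE"
"HP Software Update"="\"D:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"!ewido"="\"D:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
  65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Eraser"="D:\\Program Files\\Eraser\\eraser.exe -hide"
'''

if __name__ == "__main__":
    for _key, name, exe, note in audit_run_keys(parse_reg_dump(SAMPLE)):
        print(f"{name:20} {exe}  [{note}]")
```

Running it prints one line per Run value with the executable it resolves to. The KernelFaultCheck bytes decode to %systemroot%\system32\dumprep 0 -k, the XP error-reporting dump tool, so the one entry that looks alarming in hex is ordinary; the three bare-name entries are the ones a log reader should confirm on disk, since a same-named file earlier in the search path would be what actually starts.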


#7 workah0lic (Topic Starter, Members, 17 posts)

Posted 23 August 2006 - 11:25 AM

New HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 9:19:24 AM, on 8/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\ASUS\Ai Booster\OverClk.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
d:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
D:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
D:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
D:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\WINDOWS\system32\CTsvcCDA.exe
D:\Program Files\Yahoo!\browser\ybrwicon.exe
D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
D:\Program Files\2Wire\2PortalMon.exe
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
D:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\ewido anti-spyware 4.0\ewido.exe
D:\Program Files\Spyware Doctor\swdoctor.exe
d:\Program Files\ewido anti-spyware 4.0\guard.exe
D:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
D:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Eraser\eraser.exe
D:\Program Files\Google\GoogleToolbarNotifier\1.0.711.1664\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
d:\Program Files\Spyware Doctor\sdhelp.exe
D:\Program Files\palmOne\Hotsync.exe
D:\Program Files\LIUtilities\SpeedUpMyPC\speedupmypc.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
d:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
D:\Program Files\Omni\Omni keyboard driver\5.0\KbdAp32A.exe
D:\Program Files\Omni\OmniMouse Driver\4.06\Mouse32A.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
D:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - d:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - D:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - D:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Launch Ai Booster] "d:\Program Files\ASUS\Ai Booster\OverClk.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTSysVol] d:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] d:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] d:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PaperPort PTD] d:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [YBrowser] d:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [2wSysTray] D:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [HP Software Update] "D:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DiskeeperSystray] "D:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [amd_dc_opt] "D:\Program Files\AMD\amd_dc_opt\amd_dc_opt.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [!ewido] "D:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [Spyware Doctor] "D:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SMSystemAnalyzer] "d:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [RemoteCenter] d:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Eraser] D:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [swg] d:\Program Files\Google\GoogleToolbarNotifier\1.0.711.1664\GoogleToolbarNotifier.exe
O4 - Startup: Ai Booster v2.00.70.lnk = ?
O4 - Startup: ewido anti-spyware.lnk = D:\Program Files\ewido anti-spyware 4.0\ewido.exe
O4 - Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Startup: HP Image Zone Fast Start.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Omni keyboard driver 5.0.lnk = D:\Program Files\Omni\Omni keyboard driver\5.0\KbdAp32A.exe
O4 - Startup: OmniMouse Driver 4.06.lnk = D:\Program Files\Omni\OmniMouse Driver\4.06\Mouse32A.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HOTSYNC.lnk = D:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: SpeedUpMyPC.lnk = D:\Program Files\LIUtilities\SpeedUpMyPC\speedupmypc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://d:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - d:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - d:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - d:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.com/support/disc/asp/to.../npseatools.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - d:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - D:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - D:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Diskeeper - Diskeeper Corporation - D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - d:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - d:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - d:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - d:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\RpcSandraSrv.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - D:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - d:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - d:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


Kaspersky Log:

KASPERSKY ONLINE SCANNER REPORT
Wednesday, August 23, 2006 9:12:12 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 23/08/2006
Kaspersky Anti-Virus database records: 217399


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
H:\
J:\
K:\
L:\
M:\
N:\
O:\
P:\

Scan Statistics
Total number of scanned objects 80098
Number of viruses found 2
Number of infected objects 14 / 0
Number of suspicious objects 0
Duration of the scan process 01:47:05

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Confid.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Content.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Privacy.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Restrict.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\WebHist.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\HPPAppActivity.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\HPPHomePageActivity.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2006-08-22_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped

C:\Documents and Settings\Chris\Application Data\Symantec\PendingAlertsQueue.log Object is locked skipped

C:\Documents and Settings\Chris\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Chris\Local Settings\Application Data\ApplicationHistory\hpqgalry.exe.1b552ee2.ini.inuse Object is locked skipped

C:\Documents and Settings\Chris\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped

C:\Documents and Settings\Chris\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped

C:\Documents and Settings\Chris\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped

C:\Documents and Settings\Chris\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped

C:\Documents and Settings\Chris\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped

C:\Documents and Settings\Chris\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped

C:\Documents and Settings\Chris\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped

C:\Documents and Settings\Chris\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped

C:\Documents and Settings\Chris\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped

C:\Documents and Settings\Chris\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped

C:\Documents and Settings\Chris\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped

C:\Documents and Settings\Chris\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped

C:\Documents and Settings\Chris\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped

C:\Documents and Settings\Chris\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped

C:\Documents and Settings\Chris\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped

C:\Documents and Settings\Chris\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped

C:\Documents and Settings\Chris\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped

C:\Documents and Settings\Chris\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped

C:\Documents and Settings\Chris\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped

C:\Documents and Settings\Chris\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped

C:\Documents and Settings\Chris\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped

C:\Documents and Settings\Chris\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped

C:\Documents and Settings\Chris\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Chris\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Chris\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Chris\Local Settings\History\History.IE5\MSHist012006082220060823\index.dat Object is locked skipped

C:\Documents and Settings\Chris\Local Settings\Temp\hpodvd09.log Object is locked skipped

C:\Documents and Settings\Chris\Local Settings\Temp\Perflib_Perfdata_28c.dat Object is locked skipped

C:\Documents and Settings\Chris\Local Settings\Temp\Perflib_Perfdata_304.dat Object is locked skipped

C:\Documents and Settings\Chris\Local Settings\Temp\Perflib_Perfdata_c30.dat Object is locked skipped

C:\Documents and Settings\Chris\Local Settings\Temp\~DF4567.tmp Object is locked skipped

C:\Documents and Settings\Chris\Local Settings\Temp\~DFDBCF.tmp Object is locked skipped

C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Chris\ntuser.dat Object is locked skipped

C:\Documents and Settings\Chris\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\AntiSpam\Log\Spam.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\WINDOWS\CSC\00000001 Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{D864005A-A624-4CFD-83F2-EE413220F711}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped

C:\WINDOWS\system32\drivers\sptd0573.sys Object is locked skipped

C:\WINDOWS\system32\drivers\vaxscsi.sys Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\2wswlog\2PortalMon_Debug.txt Object is locked skipped

C:\WINDOWS\Temp\Perflib_Perfdata_664.dat Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\WINDOWS\{00000004-00000000-00000008-00001102-00000004-20021102}.CDF Object is locked skipped

D:\My Documents\CJ's\Downloads\Programs, Trailers, Patches and Demos (NOTSHARED)\cs1005.exe/WISE0024.BIN Infected: not-a-virus:Server-Proxy.Win32.Hltv skipped

D:\My Documents\CJ's\Downloads\Programs, Trailers, Patches and Demos (NOTSHARED)\cs1005.exe WiseSFX: infected - 1 skipped

D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\starwind.2006-08-22.21-54-50.log Object is locked skipped

D:\Program Files\LIUtilities\SpeedUpMyPC\pldt.dat Object is locked skipped

D:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped

D:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped

D:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped

D:\Program Files\Norton Internet Security\Norton AntiVirus\Savrt\0249NAV~.TMP Object is locked skipped

D:\Program Files\Norton Internet Security\Norton AntiVirus\Savrt\0363NAV~.TMP Object is locked skipped

D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

D:\System Volume Information\_restore{A5498FA8-CC57-414D-A215-FC53419919A5}\RP131\A0022961.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.Webdir.b skipped

D:\System Volume Information\_restore{A5498FA8-CC57-414D-A215-FC53419919A5}\RP131\A0022961.exe/stream Infected: not-a-virus:AdWare.Win32.Webdir.b skipped

D:\System Volume Information\_restore{A5498FA8-CC57-414D-A215-FC53419919A5}\RP131\A0022961.exe NSIS: infected - 2 skipped

E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

F:\Backup of Programs on Lightscribe Discs\Treo Apps\XviD-1.0.3-20122004.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.Webdir.b skipped

F:\Backup of Programs on Lightscribe Discs\Treo Apps\XviD-1.0.3-20122004.exe/stream Infected: not-a-virus:AdWare.Win32.Webdir.b skipped

F:\Backup of Programs on Lightscribe Discs\Treo Apps\XviD-1.0.3-20122004.exe NSIS: infected - 2 skipped

F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

H:\Backup of Programs on Lightscribe Discs\Treo Apps\XviD-1.0.3-20122004.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.Webdir.b skipped

H:\Backup of Programs on Lightscribe Discs\Treo Apps\XviD-1.0.3-20122004.exe/stream Infected: not-a-virus:AdWare.Win32.Webdir.b skipped

H:\Backup of Programs on Lightscribe Discs\Treo Apps\XviD-1.0.3-20122004.exe NSIS: infected - 2 skipped

H:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

H:\System Volume Information\_restore{5395B9E6-FCDF-4566-B5CF-9A27852290F1}\RP9\A0001963.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.Webdir.b skipped

H:\System Volume Information\_restore{5395B9E6-FCDF-4566-B5CF-9A27852290F1}\RP9\A0001963.exe/stream Infected: not-a-virus:AdWare.Win32.Webdir.b skipped

H:\System Volume Information\_restore{5395B9E6-FCDF-4566-B5CF-9A27852290F1}\RP9\A0001963.exe NSIS: infected - 2 skipped

Scan process completed.


Kaspersky found a lot of stuff I guess, but it didn't clean anything... I turned off system restore a few days back and thought all my restore files were deleted, but it found some restore files on my D Drive. What do I do about that? Also just so you know, I went and deleted cs1005.exe and XviD-1.0.3-20122004.exe. I don't really need those anymore anyway.
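A small triage script for the Kaspersky Online Scanner report format above, added here as an example (it is not from the thread and not Kaspersky's tooling): it separates the "Object is locked" noise from real detections, collapses the per-member archive hits back onto the one file that actually sits on disk, and flags detections living under System Restore's _restore folders and locked objects that are executable code. The embedded sample report is constructed, modelled on the lines in the post.

```python
"""Triage a Kaspersky Online Scanner (v5) text report.

Added example, not part of the forum thread or of Kaspersky's own tooling.
"""
import re
from collections import defaultdict

# Result-line shapes as they appear in the report: a path, then a status.
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked (?P<action>\w+)$")
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) (?P<action>\w+)$")
ARCHIVE_RE = re.compile(
    r"^(?P<path>.+?) (?P<archiver>\w+): infected - (?P<count>\d+) (?P<action>\w+)$"
)
# System Restore keeps its copies under <drive>:\System Volume Information\_restore{GUID}\RPnn\
RESTORE_RE = re.compile(r"^[A-Za-z]:\\System Volume Information\\_restore\{")

# Locked objects that are code rather than logs/databases deserve a second look.
CODE_EXTENSIONS = (".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl")

# Constructed sample, modelled on the report in the post (not a real scan).
SAMPLE_REPORT = r"""
C:\Documents and Settings\Chris\ntuser.dat Object is locked skipped

C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

D:\My Documents\Downloads\cs1005.exe/WISE0024.BIN Infected: not-a-virus:Server-Proxy.Win32.Hltv skipped

D:\My Documents\Downloads\cs1005.exe WiseSFX: infected - 1 skipped

D:\System Volume Information\_restore{A5498FA8-CC57-414D-A215-FC53419919A5}\RP131\A0022961.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.Webdir.b skipped

D:\System Volume Information\_restore{A5498FA8-CC57-414D-A215-FC53419919A5}\RP131\A0022961.exe/stream Infected: not-a-virus:AdWare.Win32.Webdir.b skipped

D:\System Volume Information\_restore{A5498FA8-CC57-414D-A215-FC53419919A5}\RP131\A0022961.exe NSIS: infected - 2 skipped

F:\Backup\Treo Apps\XviD-1.0.3-20122004.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.Webdir.b skipped

F:\Backup\Treo Apps\XviD-1.0.3-20122004.exe/stream Infected: not-a-virus:AdWare.Win32.Webdir.b skipped

F:\Backup\Treo Apps\XviD-1.0.3-20122004.exe NSIS: infected - 2 skipped

Scan process completed.
"""


def parse_report(text):
    """Return (infected, locked).

    infected: list of (container, member, verdict); container is the on-disk
    file, member the entry inside an archive ('' for the archive's roll-up line).
    locked: list of paths the scanner could not open.
    Header, statistics and unknown lines are ignored.
    """
    infected, locked = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LOCKED_RE.match(line)
        if m:
            locked.append(m.group("path"))
            continue
        m = INFECTED_RE.match(line)
        if m:
            # Windows paths never contain '/', so it only separates archive members.
            container, _, member = m.group("path").partition("/")
            infected.append((container, member, m.group("verdict")))
            continue
        m = ARCHIVE_RE.match(line)
        if m:
            # Roll-up line for a whole archive; kept so the object count
            # matches the report's own "Number of infected objects".
            infected.append((m.group("path"), "", m.group("archiver") + ":infected"))
    return infected, locked


def summarize(infected, locked):
    """Collapse detections onto on-disk files and group them for triage."""
    files = defaultdict(set)  # on-disk file -> set of malware names
    for container, _member, verdict in infected:
        names = files[container]
        if not verdict.endswith(":infected"):  # archiver roll-ups carry no name
            names.add(verdict)
    return {
        "infected_objects": len(infected),
        "malware_names": sorted({v for s in files.values() for v in s}),
        "files": sorted(files),
        "in_restore_points": sorted(f for f in files if RESTORE_RE.match(f)),
        "drives_with_hits": sorted({f[0].upper() for f in files}),
        "locked_code_objects": [p for p in locked if p.lower().endswith(CODE_EXTENSIONS)],
    }


if __name__ == "__main__":
    found, skipped = parse_report(SAMPLE_REPORT)
    for key, value in summarize(found, skipped).items():
        print(f"{key}: {value}")
```

Run it directly to print the summary for the embedded sample; to triage a real report, pass the saved report text to parse_report instead.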

#8 Papakid
    Guru at being a Newbie
  • Malware Response Team
  • 6,648 posts

Posted 23 August 2006 - 12:29 PM

OK, be sure to delete those two files on your backup drives as well if you haven't already. Also go into Add/Remove and uninstall XviD Media Codec 1.1.1. You have to be real careful with codecs nowadays and really anything you get through file sharing and copying.

Yeah, Kaspersky doesn't clean but it is about the best at detection (that's why it takes so long, plus you have a lot of drives to scan) and we can tell by its log what may need to be dealt with. Some of those locked objects may need to be dealt with--give me some time to look into those a little more. Kind of having a bad day so it may take a while.

As for the infected restore points--not sure why it is just drive D but it will make a new restore point automatically when you re-enable. So anything that is infected that is still on your system will still get backed up again. Has it been a few days since you purged restore points? After you uninstall that codec and delete those files, you might try running Kaspersky again and just scan the D drive and see if any infected restore points are found.

I'll get back with you as soon as I can. I think you are in pretty good shape as far as malware and just have some inactive leftovers, but we will check it out some more.

The thing about people

is they change

when they walk away.--Mipso


#9 workah0lic
  • Topic Starter
  • Members
  • 17 posts

Posted 23 August 2006 - 12:35 PM

Just removed XVID... I'll download a new version from Download.com.

I can't figure out how to remove the restore points. I deactivated SysRestore about a week ago and I haven't reactivated it since.

I guess Kas is better than NIS, huh? I just downloaded Kas and am going to install it on this computer. I'll put NIS on my wife's computer. It's being built right now and I didn't have an AV program for it yet.... lol

#10 Papakid
    Guru at being a Newbie
  • Malware Response Team
  • 6,648 posts

Posted 26 August 2006 - 02:05 PM

Sorry for taking so long to get back to you. I would have told you to hold off on installing KAV. It is what I use and IMO one of the top two AVs, but uninstalling Norton can cause more problems than it solves. Norton is not bad other than being a resource hog so if it is working OK I would just leave it until you get the other problems straightened out. Even KAV can give you a bad install, especially if Norton isn't removed completely and no matter how good an AV, new malware is coming out all the time, so you can't just depend on an AV and other security programs to keep you clean. They will all miss what they don't know about yet.

As far as the System Restore files, not sure about how that works. If you show hidden files you should see a System Volume Information folder on all of your writable drives (other than optical). But on my flash drive the folder inside there is empty, so I think the actual backup files are on the C: drive in the Windows folder. Look in your folders on your other drives and let me know if it is the same for you and we will look into removing those later as they are protected and take some extra steps. Kaspersky is showing folders in E and F as well as D.

I don't see any other clear cases of malware in those locked files. But they may give some clues as to what your other problems may be. Before I turn you over to the XP forum, since you did have some infections, let's check for any rootkits.

Please download F-Secure Blacklight from here: http://www.f-secure.com/blacklight/try_blacklight.html

Save the program to a folder, for example c:\black

Go to Start --> Run --> type (or copy and paste) C:\black\blbeta.exe /expert (note there is a space between "blbeta.exe" and "/") and press the OK button.

Select "I accept the agreement" and then press the Next button.

Press the Scan button.

When it is done, press the Next button and then the Exit button.

Open the c:\black folder and you will find a log. Please post the content of that log.
Don't fix anything with BlackLight. Files found may be legitimate.

Please download http://download.bleepingcomputer.com/grinler/dumpwin.zip and save it to your desktop.

Once the file has completed downloading, extract the file by right-clicking on it and selecting Extract all. Then keep pressing the Next button till you see the Finished button. Now click on the Finished button.

A folder should have opened. Now double-click on the dumpwin folder and then double-click on the dumpwin.bat file. When it has completed it will have opened a notepad. Please post the contents of that notepad as a reply to this topic.

And let me know how everything's been going.

The thing about people

is they change

when they walk away.--Mipso


#11 workah0lic
  • Topic Starter
  • Members
  • 17 posts

Posted 02 September 2006 - 01:18 AM

My apologies for not replying sooner. I am currently out of town, but I will get on this as soon as possible. I should be back by Tuesday.



