Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Backdoor.generic2.slc / Backdoor.small.52.al ?


  • Please log in to reply
11 replies to this topic

#1 grrrrr...computers

grrrrr...computers

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:08 AM

Posted 29 September 2006 - 10:22 PM

Well, its doing a pretty good job. Infected my PC (xp media center) through a bad exe, and now it seems it can slip past full zonealarm lockdown. Cant boot to safe mode, nothing ive used can get rid of it.I have a norton ghost full backup, but it dates back ~3 weeks, and so i'drather not have to go back in time. According to AVG, the backdoor/trojan infected
C:\\Windows\System32\ntswrl32.dll
\ntcvx32.dl

I think there was another one, but i cant get AVG to find them reliably, and nothing else will find them at all. I found no info online. So here I am.

Logfile of HijackThis v1.99.1
Scan saved at 11:05:52 PM, on 9/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
c:\program files\dvrmstoolbox\dvrmsfilewatcherservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\AOL\1152654153\ee\AOLSoftware.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\vssms32.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Death\Desktop\HijackThis.exe

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.6.0\ViewBarBHO.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.6.0\ViewBar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1152654153\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.0 RC 16\RivaTuner.exe" /S
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [vssms32] C:\WINDOWS\system32\vssms32.exe
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: msmsgs.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DVRMSFileWatcherService - - c:\program files\dvrmstoolbox\dvrmsfilewatcherservice.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

BC AdBot (Login to Remove)

 


m

#2 grrrrr...computers

grrrrr...computers
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:08 AM

Posted 29 September 2006 - 10:23 PM

sorry, that second infected file was C:\\Windows\System32\ntcvx32.dll

#3 grrrrr...computers

grrrrr...computers
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:08 AM

Posted 29 September 2006 - 10:28 PM

ok, found that last file, it is C:\\Windows\system32\vssms32.dll
That one seems to have an exe process associated with it, as when i tried to shut down windows it gave me an end now option for it (although it shut down by itself in ~2 seconds)

#4 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:12:08 PM

Posted 06 October 2006 - 12:45 PM

Sorry for the delay. If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic:

Preparation Guide For Use Before Posting A Hijackthis Log

Please also post the problems you are having.

#5 grrrrr...computers

grrrrr...computers
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:08 AM

Posted 08 October 2006 - 02:52 PM

i found the entries in explorer and deleted them, and i thought the problem was gone, everything ran fine for a week, with the excption that I still cant boot into safe mode. Then yesterday Firefox started acting screwy. Tried opera, same results. All my pages either come up 404 or become redirected to google.I thought it was a DNS problem, but ipconfig/flushdns in command prompt didnt fix it, and directly entering the ip of the site in the adress bar doesnt help. rescanned my computer, nothing. Additionally, my system restore wont run. I dont know if this is a symptom of the infection from last week or what im currently suffering. Somtimes after a restart my brower will work fine for 5 minutes, and then act screwy again. An interesting note: AV and firewall updates wont work, but BitComet, a bittorrent client, is running fine. Any ideas? HJT log to follow.

Logfile of HijackThis v1.99.1
Scan saved at 3:40:59 PM, on 10/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
c:\program files\dvrmstoolbox\dvrmsfilewatcherservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\dumprep.exe
C:\Documents and Settings\Death\Desktop\HijackThis.exe

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.6.0\ViewBarBHO.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.6.0\ViewBar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.0 RC 16\RivaTuner.exe" /S
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DVRMSFileWatcherService - - c:\program files\dvrmstoolbox\dvrmsfilewatcherservice.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

#6 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:12:08 PM

Posted 08 October 2006 - 04:41 PM

Hey there,

I think half the problem lies in the fact you have so much protection!
I think the protections are cancelling each other out, stopping updates etc.
Where are you getting redirected to in google? Please let me know..
Do you get any errors when you run system restore? Please be exact as possible.

I do not recommend that you have more than one anti virus product installed and running on your computer at a time.
The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to create "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause false alarms - When the anti virus software tells you that your PC has a virus when it actually doesn't. Also it can cause system performance problems; your system may lock up due to both software products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove two of BitDefender, Symantec, AVG, leaving one.

I see you have Viewpoint installed.
Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
Download GMER from Here
Right Click the Zip and Select "Extract All"
Double Click gmer.exe to launch the program.
Click on the Rootkit Tab and then click Scan.
It takes a while to run, once complete, copy the results to notepad and save them somewhere safe.
Post those results in the next reply.

Please download Combofix to your desktop.
Doubleclick combo.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.

David

#7 grrrrr...computers

grrrrr...computers
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:08 AM

Posted 08 October 2006 - 07:37 PM

I uninstalled bitdefender and viewpoint. although i saw symnatec on HJT, i didnt see it on add/remove or start menu, nor do i remember ever installing it. However, it is not running a live shield and shouldnt be interacting with my computer in almost any way. As for system restore, it comfortingly notes, "System restore is not able to protect your computer. Please restart your computer, and then run System Restore again" [OK] The browser is extremely screwy and unpredictable. Case in point: I click my Engadget shortcut, my address bar reads www.tomshardware.com (the shortcut next to endaget) and Google.com pops up, although interstingly its exactly the same as what i see on this working linux computer when i type Google.com except it says english beneath the google logo. other times ill get a 404. The shortcut reads the proper address under properties. Anyway, i ran GMER and Combofix (nice programs) and they churned up some interesting results, most notably the modified tcpip settings GMER notced. Heres the logs:


GMER 1.0.11.11390 - http://www.gmer.net
Rootkit 2006-10-08 20:18:51
Windows 5.1.2600 Service Pack 2

*****************************************************************************************************************************************************

---- System - GMER 1.0.11 ----

SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess

---- Devices - GMER 1.0.11 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F15B32A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F15B32A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F15B32A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F7E0585A] avgtdi.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F15B32A0] vsdatant.sys
Device \Driver\usb_rndisx \Device\{B7282F6A-7BE6-43A9-A44B-AF3E1DAAD3ED} IRP_MJ_PNP [F7B70E8A] RNDISMPX.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F15B32A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F15B32A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F15B32A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7E0585A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F15B32A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F15B32A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F15B32A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F15B32A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7E0585A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F15B32A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F15B32A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F15B32A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F15B32A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7E0585A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F15B32A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [F15B32A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [F15B32A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [F15B32A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F7E0585A] avgtdi.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [F15B32A0] vsdatant.sys
---- Processes - GMER 1.0.11 ----

Library C:\WINDOWS\system32\sockspy.dll (*** hidden *** ) @ C:\Program Files\Microsoft ActiveSync\WCESMgr.exe [272] 0x00440000
Library C:\WINDOWS\system32\sockspy.dll (*** hidden *** ) @ C:\WINDOWS\ehome\ehmsas.exe [280] 0x10000000
Library C:\WINDOWS\system32\sockspy.dll (*** hidden *** ) @ C:\PROGRA~1\MICROS~3\rapimgr.exe [360] 0x10000000
Library C:\WINDOWS\system32\sockspy.dll (*** hidden *** ) @ C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE [368] 0x10000000
Library C:\WINDOWS\system32\sockspy.dll (*** hidden *** ) @ C:\WINDOWS\system32\rundll32.exe [828] 0x10000000
Library C:\WINDOWS\system32\sockspy.dll (*** hidden *** ) @ C:\WINDOWS\ALCWZRD.EXE [1300] 0x10000000
Library C:\WINDOWS\system32\sockspy.dll (*** hidden *** ) @ C:\WINDOWS\ehome\ehtray.exe [1776] 0x10000000
Library C:\WINDOWS\system32\sockspy.dll (*** hidden *** ) @ C:\Program Files\Logitech\SetPoint\SetPoint.exe [2124] 0x00950000
Library C:\WINDOWS\system32\sockspy.dll (*** hidden *** ) @ C:\WINDOWS\SOUNDMAN.EXE [2200] 0x10000000
Library C:\WINDOWS\system32\sockspy.dll (*** hidden *** ) @ C:\Program Files\Windows Media Player\wmplayer.exe [2360] 0x10000000
Library C:\WINDOWS\system32\sockspy.dll (*** hidden *** ) @ C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [2452] 0x00360000
Library C:\WINDOWS\system32\sockspy.dll (*** hidden *** ) @ C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE [2472] 0x10000000
Library C:\WINDOWS\system32\sockspy.dll (*** hidden *** ) @ C:\WINDOWS\system32\rundll32.exe [2532] 0x10000000
Library C:\WINDOWS\System32\sockspy.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [2580] 0x10000000
Library C:\WINDOWS\system32\sockspy.dll (*** hidden *** ) @ C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe [2596] 0x10000000
Library C:\WINDOWS\system32\sockspy.dll (*** hidden *** ) @ C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe [2600] 0x10000000
Library C:\WINDOWS\system32\sockspy.dll (*** hidden *** ) @ C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2692] 0x10000000
Library C:\WINDOWS\system32\sockspy.dll (*** hidden *** ) @ C:\Program Files\Norton Ghost\Agent\GhostTray.exe [2776] 0x10000000
Library C:\WINDOWS\system32\sockspy.dll (*** hidden *** ) @ C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe [3104] 0x00370000
Library C:\WINDOWS\system32\sockspy.dll (*** hidden *** ) @ C:\Program Files\BitComet\BitComet.exe [3160] 0x10000000
Library C:\WINDOWS\system32\sockspy.dll (*** hidden *** ) @ C:\WINDOWS\system32\msiexec.exe [3576] 0x10000000
Library C:\WINDOWS\system32\sockspy.dll (*** hidden *** ) @ C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.EXE [3616] 0x10000000
Library C:\WINDOWS\System32\sockspy.dll (*** hidden *** ) @ C:\WINDOWS\system32\alg.exe [3692] 0x10000000
Library C:\WINDOWS\system32\sockspy.dll (*** hidden *** ) @ C:\WINDOWS\system32\WgaTray.exe [3736] 0x10000000
Library C:\WINDOWS\system32\sockspy.dll (*** hidden *** ) @ C:\Program Files\Belkin\Nostromo\nost_LM.exe [3760] 0x10000000
Library C:\WINDOWS\system32\sockspy.dll (*** hidden *** ) @ C:\Program Files\Microsoft ActiveSync\wcescomm.exe [4024] 0x10000000
Library C:\WINDOWS\system32\sockspy.dll (*** hidden *** ) @ C:\WINDOWS\system32\dllhost.exe [4708] 0x10000000
Library C:\WINDOWS\system32\sockspy.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [5044] 0x10000000
Library C:\WINDOWS\system32\sockspy.dll (*** hidden *** ) @ C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe [5764] 0x10000000

---- Registry - GMER 1.0.11 ----

Reg \Registry\USER\S-1-5-21-1644491937-1965331169-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Qrngu\Qrfxgbc\Fznegcubar Tnzrf naq Nccf\Fznegcubar Tnzrf naq Nccf\FCI\Tnzrm\SHYY ERGNVY - FznegPurff i1.0 sbe Jvaqbjf FznegCubar FCI\Crahygvzngr.Vap.FznegPurff.i1.0.sbe.Jvaqbjf.Fznegcubarf.Ergnvy-OYMCQN\fznegpurfffrghc.rkr 0x31 0x00 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-1644491937-1965331169-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Qrngu\Qrfxgbc\Fznegcubar Tnzrf naq Nccf\Fznegcubar Tnzrf naq Nccf\FCI\Tnzrm\SHYY ERGNVY - FznegPurff i1.0 sbe Jvaqbjf FznegCubar FCI\Crahygvzngr.Vap.FznegPurff.i1.0.sbe.Jvaqbjf.Fznegcubarf.Ergnvy-OYMCQN\o-cvf10\fznegpurfffrghc.rkr 0x31 0x00 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-1644491937-1965331169-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Qrngu\Qrfxgbc\Fznegcubar Tnzrf naq Nccf\Fznegcubar Tnzrf naq Nccf\FCI\Tnzrm\SHYY ERGNVY - FznegPurff i1.0 sbe Jvaqbjf FznegCubar FCI\Crahygvzngr.Vap.FznegPurff.i1.0.sbe.Jvaqbjf.Fznegcubarf.Ergnvy-OYMCQN\o-cvf10\penpxgeb.rkr 0x31 0x00 0x00 0x00 ...

---- Files - GMER 1.0.11 ----

ADS C:\Documents and Settings\All Users\Application Data\Symantec\hpc:468323563
ADS ...
ADS ...

---- EOF - GMER 1.0.11 ----















Death - 06-10-08 20:20:23.95 Service Pack 2
ComboFix 06.09.28 - Running from: "C:\Documents and Settings\Death\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-09-08 to 2006-10-08 ))))))))))))))))))))))))))))))))))


2006-10-08 12:30 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-10-05 19:52 49,536 --a------ C:\WINDOWS\system32\drivers\tiehdusb.sys
2006-10-05 19:52 21,456 --a------ C:\WINDOWS\system32\drivers\SilvrLnk.sys
2006-09-27 23:06 33,952 --a------ C:\WINDOWS\system32\drivers\oreans32.sys
2006-09-27 18:08 178,408 --a------ C:\WINDOWS\system32\muweb.dll
2006-09-27 18:08 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2006-09-25 16:46 15,840 --a------ C:\WINDOWS\system32\Machnm1.exe
2006-09-24 22:56 86,016 --a------ C:\WINDOWS\unvise32.exe
2006-09-17 21:50 109,568 --------- C:\WINDOWS\system32\pxinsi64.exe
2006-09-17 21:50 108,544 --------- C:\WINDOWS\system32\pxcpyi64.exe
2006-09-17 20:40 30,592 --------- C:\WINDOWS\system32\drivers\rndismpx.sys
2006-09-17 20:40 12,800 --------- C:\WINDOWS\system32\drivers\usb8023x.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-08 20:00 -------- d-------- C:\Program Files\Viewpoint
2006-10-08 19:57 -------- d-------- C:\Program Files\Common Files\Softwin
2006-10-08 19:53 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-08 12:30 -------- d-------- C:\Program Files\Grisoft
2006-10-08 01:55 -------- d-------- C:\Program Files\Morpheus
2006-10-05 19:52 -------- d-------- C:\Program Files\TI Education
2006-10-05 19:51 -------- d-------- C:\Program Files\Common Files\TI Shared
2006-10-05 19:51 -------- d-------- C:\Program Files\Common Files
2006-10-05 19:44 -------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2006-10-03 06:32 -------- d-------- C:\Program Files\Microsoft ActiveSync
2006-10-01 21:01 -------- d-------- C:\Program Files\Agnitum
2006-09-29 22:30 -------- d-------- C:\Program Files\Alwil Software
2006-09-29 21:44 -------- d-------- C:\Program Files\Softwin
2006-09-26 22:57 -------- d---s---- C:\Documents and Settings\Death\Application Data\Microsoft
2006-09-26 22:04 -------- d-------- C:\Program Files\MSBuild
2006-09-26 22:04 -------- d-------- C:\Program Files\Microsoft Visual Studio
2006-09-26 22:04 -------- d-------- C:\Program Files\Microsoft Office
2006-09-26 22:04 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-09-26 22:03 -------- d-------- C:\Program Files\Microsoft Works
2006-09-26 22:01 -------- d-------- C:\Program Files\Microsoft Visual Studio 8
2006-09-26 22:01 -------- d-------- C:\Program Files\Common Files\System
2006-09-26 17:08 778656 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-09-25 20:01 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-25 20:01 -------- d-------- C:\Program Files\MDM
2006-09-25 18:31 -------- d-------- C:\Documents and Settings\Death\Application Data\Morpheus
2006-09-25 16:56 -------- d-------- C:\Program Files\Google
2006-09-25 16:46 -------- d-------- C:\Program Files\@Last Software
2006-09-24 22:55 -------- d-------- C:\Program Files\Handmark
2006-09-24 22:37 -------- d-------- C:\Program Files\ZIO
2006-09-24 22:21 -------- d-------- C:\Program Files\Pocket Tanks Deluxe
2006-09-24 20:42 -------- d-------- C:\Program Files\Ziosoft
2006-09-22 23:00 -------- d-------- C:\Program Files\Common Files\Viewpoint
2006-09-18 19:53 -------- d-------- C:\Program Files\Microsoft.NET
2006-09-18 19:38 -------- d-------- C:\Program Files\Emil Andersson
2006-09-17 21:51 -------- d-------- C:\Program Files\DivX
2006-09-17 20:42 2508 --a------ C:\Documents and Settings\Death\Application Data\$_hpcst$.hpc
2006-09-17 11:09 -------- d-------- C:\Program Files\The Print Shop 20
2006-09-16 11:38 -------- d-------- C:\Program Files\VSTplugins
2006-09-16 11:38 -------- d-------- C:\Documents and Settings\Death\Application Data\Publish Providers
2006-09-16 11:34 -------- d-------- C:\Documents and Settings\Death\Application Data\Sony
2006-09-16 11:33 -------- d-------- C:\Program Files\Sony
2006-09-11 20:11 -------- d-------- C:\Documents and Settings\Death\Application Data\vlc
2006-09-11 19:44 -------- d-------- C:\Program Files\TVUPlayer
2006-09-11 19:34 -------- d-------- C:\Program Files\VideoLAN
2006-09-06 18:32 -------- d-------- C:\Program Files\FLVPlayer
2006-09-06 18:30 -------- d-------- C:\Program Files\Total Video Converter
2006-09-05 18:15 -------- d-------- C:\Program Files\EA GAMES
2006-09-04 22:31 -------- d-------- C:\Program Files\Internet Explorer
2006-09-04 22:20 -------- d-------- C:\Documents and Settings\Death\Application Data\Adobe
2006-09-04 14:54 -------- d-------- C:\Program Files\DVRMSToolbox
2006-09-04 12:31 -------- d-------- C:\Program Files\Windows Media Player
2006-09-04 11:22 -------- d-------- C:\Program Files\Windows Media Connect 2
2006-09-04 09:15 -------- d-------- C:\Program Files\Java
2006-09-03 18:23 -------- d-------- C:\Program Files\Dragon Global
2006-09-03 18:23 -------- d-------- C:\Program Files\Common Files\Moonlight
2006-09-03 18:16 10368 --a------ C:\WINDOWS\system32\drivers\iviaspi.sys
2006-09-03 18:16 -------- d-------- C:\Program Files\InterVideo
2006-09-03 18:08 -------- d-------- C:\Program Files\ImTOO
2006-09-02 19:35 -------- d-------- C:\Documents and Settings\Death\Application Data\Logitech
2006-09-02 19:29 -------- d-------- C:\Program Files\Common Files\ATI
2006-09-02 19:29 -------- d-------- C:\Program Files\ATI Multimedia
2006-09-02 18:00 -------- d-------- C:\Program Files\Logitech
2006-09-02 18:00 -------- d-------- C:\Program Files\Common Files\Logitech
2006-09-01 13:50 356352 --a------ C:\WINDOWS\eSellerateEngine.dll
2006-09-01 13:49 -------- d-------- C:\Program Files\DFX
2006-09-01 13:46 60 --a------ C:\WINDOWS\system32\SYSWQDRV.SYS
2006-08-31 15:04 -------- d-------- C:\Program Files\CASHFLOW 202
2006-08-31 15:03 -------- d-------- C:\Program Files\CASHFLOW
2006-08-31 10:43 -------- d-------- C:\Program Files\PC Inspector File Recovery
2006-08-29 17:43 -------- d-------- C:\Program Files\Rockstar Games
2006-08-29 17:35 -------- d-------- C:\Program Files\WinRAR
2006-08-29 13:59 -------- d-------- C:\Program Files\Online Services
2006-08-29 11:47 -------- d-------- C:\Program Files\SlimServer
2006-08-29 11:47 -------- d-------- C:\Program Files\DynDNS Updater
2006-08-29 11:40 -------- d-------- C:\Program Files\Salloway
2006-08-25 23:12 -------- d-------- C:\Program Files\LimeWire
2006-08-24 22:42 8704 --a------ C:\WINDOWS\system32\wdfmgr.exe
2006-08-24 22:42 8704 --a------ C:\WINDOWS\system32\uwdf.exe
2006-08-24 22:30 99840 --a------ C:\WINDOWS\system32\wmpshell.dll
2006-08-24 22:30 990208 --a------ C:\WINDOWS\system32\drmv2clt.dll
2006-08-24 22:30 937984 --a------ C:\WINDOWS\system32\WMNetMgr.dll
2006-08-24 22:30 8337920 --a------ C:\WINDOWS\system32\wmploc.dll
2006-08-24 22:30 790016 --a------ C:\WINDOWS\system32\WMVSENCD.dll
2006-08-24 22:30 757248 --a------ C:\WINDOWS\system32\WMADMOD.dll
2006-08-24 22:30 7168 --a------ C:\WINDOWS\system32\asferror.dll
2006-08-24 22:30 656896 --a------ C:\WINDOWS\system32\WMVXENCD.dll
2006-08-24 22:30 63488 --a------ C:\WINDOWS\system32\wpdmtpus.dll
2006-08-24 22:30 629760 --a------ C:\WINDOWS\system32\wpd_ci.dll
2006-08-24 22:30 611840 --------- C:\WINDOWS\system32\wmpmde.dll
2006-08-24 22:30 603648 --a------ C:\WINDOWS\system32\WMSPDMOD.dll
2006-08-24 22:30 537600 --a------ C:\WINDOWS\system32\blackbox.dll
2006-08-24 22:30 532992 --a------ C:\WINDOWS\system32\wmdrmsdk.dll
2006-08-24 22:30 428032 --a------ C:\WINDOWS\system32\wmdrmdev.dll
2006-08-24 22:30 414208 --a------ C:\WINDOWS\system32\msscp.dll
2006-08-24 22:30 4096 --a------ C:\WINDOWS\system32\wmvdmoe2.dll
2006-08-24 22:30 4096 --a------ C:\WINDOWS\system32\wmvdmod.dll
2006-08-24 22:30 4096 --a------ C:\WINDOWS\system32\WMVADVE.DLL
2006-08-24 22:30 4096 --a------ C:\WINDOWS\system32\WMVADVD.dll
2006-08-24 22:30 4096 --a------ C:\WINDOWS\system32\wmsdmoe2.dll
2006-08-24 22:30 4096 --a------ C:\WINDOWS\system32\wmsdmod.dll
2006-08-24 22:30 4096 --a------ C:\WINDOWS\system32\wdfapi.dll
2006-08-24 22:30 4096 --a------ C:\WINDOWS\system32\MPG4DMOD.dll
2006-08-24 22:30 4096 --a------ C:\WINDOWS\system32\MP4SDMOD.dll
2006-08-24 22:30 4096 --a------ C:\WINDOWS\system32\MP43DMOD.dll
2006-08-24 22:30 37376 --a------ C:\WINDOWS\system32\wmdmps.dll
2006-08-24 22:30 35840 --a------ C:\WINDOWS\system32\wpdconns.dll
2006-08-24 22:30 349184 --a------ C:\WINDOWS\system32\wpdsp.dll
2006-08-24 22:30 347648 --a------ C:\WINDOWS\system32\wmdrmnet.dll
2006-08-24 22:30 33792 --a------ C:\WINDOWS\system32\wmdmlog.dll
2006-08-24 22:30 320512 --a------ C:\WINDOWS\system32\mswmdm.dll
2006-08-24 22:30 316928 --------- C:\WINDOWS\system32\MP4SDECD.dll
2006-08-24 22:30 314368 --a------ C:\WINDOWS\system32\wmpdxm.dll
2006-08-24 22:30 305152 --------- C:\WINDOWS\system32\MSDelta.dll
2006-08-24 22:30 295424 --------- C:\WINDOWS\system32\wmpeffects.dll
2006-08-24 22:30 284160 --a------ C:\WINDOWS\system32\PortableDeviceApi.dll
2006-08-24 22:30 276480 --a------ C:\WINDOWS\system32\audiodev.dll
2006-08-24 22:30 27648 --a------ C:\WINDOWS\system32\mspmsnsv.dll
2006-08-24 22:30 259072 --------- C:\WINDOWS\system32\MPG4DECD.dll
2006-08-24 22:30 2589184 --------- C:\WINDOWS\system32\WpdShext.dll
2006-08-24 22:30 258560 --------- C:\WINDOWS\system32\MP43DECD.dll
2006-08-24 22:30 2450944 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-08-24 22:30 242176 --a------ C:\WINDOWS\system32\wmpasf.dll
2006-08-24 22:30 228352 --a------ C:\WINDOWS\system32\cewmdm.dll
2006-08-24 22:30 227328 --a------ C:\WINDOWS\system32\wmerror.dll
2006-08-24 22:30 222208 --a------ C:\WINDOWS\system32\WMASF.dll
2006-08-24 22:30 211968 --a------ C:\WINDOWS\system32\MFPLAT.dll
2006-08-24 22:30 210432 --a------ C:\WINDOWS\system32\qasf.dll
2006-08-24 22:30 204800 --a------ C:\WINDOWS\system32\wmpsrcwp.dll
2006-08-24 22:30 198144 --------- C:\WINDOWS\system32\PortableDeviceWMDRM.dll
2006-08-24 22:30 179712 --a------ C:\WINDOWS\system32\msnetobj.dll
2006-08-24 22:30 175104 --a------ C:\WINDOWS\system32\mspmsp.dll
2006-08-24 22:30 166912 --a------ C:\WINDOWS\system32\PortableDeviceTypes.dll
2006-08-24 22:30 1660416 --a------ C:\WINDOWS\system32\wmpencen.dll
2006-08-24 22:30 157184 --a------ C:\WINDOWS\system32\wmidx.dll
2006-08-24 22:30 154624 --a------ C:\WINDOWS\system32\wpdmtp.dll
2006-08-24 22:30 1539584 --a------ C:\WINDOWS\system32\WMVDECOD.dll
2006-08-24 22:30 1532416 --a------ C:\WINDOWS\system32\WMVENCOD.dll
2006-08-24 22:30 1392128 --a------ C:\WINDOWS\system32\WMVSDECD.dll
2006-08-24 22:30 133120 --a------ C:\WINDOWS\system32\WPDShServiceObj.dll
2006-08-24 22:30 1327616 --a------ C:\WINDOWS\system32\WMSPDMOE.dll
2006-08-24 22:30 132096 --------- C:\WINDOWS\system32\PortableDeviceWiaCompat.dll
2006-08-24 22:30 130048 --------- C:\WINDOWS\system32\wmpps.dll
2006-08-24 22:30 11264 --a------ C:\WINDOWS\system32\LAPRXY.dll
2006-08-24 22:30 1118208 --a------ C:\WINDOWS\system32\WMADMOE.dll
2006-08-24 22:30 101888 --------- C:\WINDOWS\system32\PortableDeviceClassExtension.dll
2006-08-24 20:31 100864 --a------ C:\WINDOWS\system32\logagent.exe
2006-08-24 20:27 249344 --a------ C:\WINDOWS\system32\drmupgds.exe
2006-08-24 20:26 38656 --a------ C:\WINDOWS\system32\drivers\wpdusb.sys
2006-08-24 20:26 17408 --------- C:\WINDOWS\system32\wpdshextautoplay.exe
2006-08-22 11:46 -------- d-------- C:\Program Files\Common Files\Adobe
2006-08-22 11:46 -------- d-------- C:\Program Files\Adobe
2006-08-22 11:35 -------- d-------- C:\Program Files\Common Files\Adobe Systems Shared
2006-08-21 08:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 05:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 05:14 128896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-20 15:02 -------- d-------- C:\Program Files\GoldWave
2006-08-20 15:02 -------- d-------- C:\Documents and Settings\Death\Application Data\Help
2006-08-13 17:39 -------- d-------- C:\Program Files\Web Publish
2006-08-13 17:36 -------- d-------- C:\Program Files\Dun74
2006-08-13 13:02 -------- d-------- C:\Program Files\Common Files\Broderbund
2006-08-12 14:36 27904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-08-11 20:14 22752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2006-08-11 13:35 520192 --a------ C:\WINDOWS\system32\DivXsm.exe
2006-08-11 13:35 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2006-08-11 13:35 20640 --------- C:\WINDOWS\system32\drivers\pxhelp20.sys
2006-08-11 13:35 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2006-08-11 13:35 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2006-08-11 13:31 778240 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-08-11 13:31 778240 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-08-11 13:31 761856 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-08-11 13:31 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2006-08-11 13:31 620180 --a------ C:\WINDOWS\system32\DivX.dll
2006-08-11 13:31 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2006-08-11 13:31 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2006-08-11 13:31 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2006-08-11 13:31 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2006-08-11 13:31 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2006-08-11 13:31 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2006-08-11 13:31 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2006-08-11 13:31 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2006-08-11 13:31 118784 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2006-07-27 09:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 04:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-17 22:32 90112 --a------ C:\WINDOWS\system32\SpoonUninstall.exe
2006-07-15 18:15 502272 --a------ C:\WINDOWS\system32\winlogon.exe
2006-07-10 20:10 60416 --a------ C:\WINDOWS\ALCFDRTM.EXE
2006-07-10 19:39 0 -rahs---- C:\MSDOS.SYS
2006-07-10 19:39 0 -rahs---- C:\IO.SYS
2006-07-10 19:39 0 --a------ C:\CONFIG.SYS
2006-07-10 19:39 0 --a------ C:\AUTOEXEC.BAT
2006-07-10 15:05 62 --ahs---- C:\Documents and Settings\Death\Application Data\desktop.ini


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitComet"="\"C:\\Program Files\\BitComet\\BitComet.exe\""
"ATI Remote Control"="C:\\Program Files\\ATI Multimedia\\RemCtrl\\ATIRW.exe"
"H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"PRONoMgrWired"="C:\\Program Files\\Intel\\PROSetWired\\NCS\\PROSet\\PRONoMgr.exe"
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe"
"SoundMan"="SOUNDMAN.EXE"
"AlcWzrd"="ALCWZRD.EXE"
"Alcmtr"="ALCMTR.EXE"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"RivaTunerStartupDaemon"="\"C:\\Program Files\\RivaTuner v2.0 RC 16\\RivaTuner.exe\" /S"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Norton Ghost 10.0"="\"C:\\Program Files\\Norton Ghost\\Agent\\GhostTray.exe\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"BDAgent"="\"C:\\Program Files\\Softwin\\BitDefender10\\bdagent.exe\""
"BDMCon"="\"C:\\Program Files\\Softwin\\BitDefender10\\bdmcon.exe\" /reg"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1152654153\\ee\\AOLSoftware.exe"

#8 grrrrr...computers

grrrrr...computers
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:08 AM

Posted 08 October 2006 - 07:39 PM

wait that HJT log didnt get posted, here it is


Logfile of HijackThis v1.99.1
Scan saved at 8:23:28 PM, on 10/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
c:\program files\dvrmstoolbox\dvrmsfilewatcherservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Death\Desktop\HijackThis.exe

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.0 RC 16\RivaTuner.exe" /S
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DVRMSFileWatcherService - - c:\program files\dvrmstoolbox\dvrmsfilewatcherservice.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#9 grrrrr...computers

grrrrr...computers
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:08 AM

Posted 08 October 2006 - 07:43 PM

alrite, right now, for apparently no reason, the internet is working. Ill let you know how long, if at all, that lasts.

#10 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:12:08 PM

Posted 09 October 2006 - 10:57 AM

Heya,

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't yet lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Click Start > run and type: services.msc
Locate the system restore service and doubleclick it.
Click the stop button, then set the startup type dropdown to disabled.
Click apply/ok, then reboot.

Then, check the "System Volume Information folder" on each drive (you may need to set folder options/view tab to see hidden and system folders for this)
Delete any contents. Reverse the steps to disable the service to restart it.

Be forewarned that doing this removes all existing restore points,
But it doesn't really matter as they weren't working anyways.

If this does not help, follow these steps to reinstall System Restore:

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Then, open Windows Explorer from Start/All Programs and go to the
C:\Windows\Inf folder.
Locate the sr.inf file, right-click it and choose install.

You may need to either insert your WinXP CD or know where your I386 folder is located on the hard drive.
You may also need to know where the "ServicePackFiles folder" is (usually under the Windows directory).

I've had quite a few users with problems removing Norton/Symantec.
Luckily a removal tool can uninstall the program completely.

Please download and save SymNRT.exe to your desktop:
ftp://ftp.symantec.com/public/english_us_...sgen/SymNRT.exe

Close all programs and double click on the tool.
Follow the on-screen instructions.
Restart the computer if asked.
Then delete the SymNRT.exe tool from your desktop.
Open the Program Files folder on your local disk ( normally C: )
Find and delete any folders with Norton/Symantec in it.

Next, let's try and repair the internet connection:
Go to start > run and type cmd
A dos Window will appear.
Type next in the dos window: netsh winsock reset
Hit enter and reboot.

Please download the Suspicious File Packer from here:
http://www.safer-networking.org/files/sfp.zip
Unzip it to the desktop and run it.

Paste the following bold part into the Suspicious File Packer window:

C:\WINDOWS\unvise32.exe
C:\WINDOWS\system32\SYSWQDRV.SYS


Allow SFP to pack the file. This will generate a CAB archive on your desktop.
Go to this page.
Enter the url of this thread in the first field.
Where it says, browse to the file that you want to submit, click the browse button next to the second field and browse to the CAB archive that was been created on your desktop.
The cab file will be called requested-files[*].cab (the * stands for the date and hour).
Then click the Send File button below.
Please let me know when you have submitted the files.

Reboot and let me know when you have submitted the files.
David

#11 grrrrr...computers

grrrrr...computers
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:08 AM

Posted 10 October 2006 - 05:04 PM

im not gonna remove the symnatic, cause i just realized that its norton ghost, which (luckily) sitll works. Naturaly, however, the latest backup is 3 months old, so restoring to the backup is not a feasible idea. Ill follow up with the results from your instructions

#12 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:12:08 PM

Posted 11 October 2006 - 10:56 AM

Sure thing, I'll check for a reply later. :thumbsup:
We will have to remove the left over Symantec services manually.
Some are not related to Norton Ghost.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users