
Something Is Very Wrong


32 replies to this topic

#1 lawrancec

lawrancec

  • Banned
  • 92 posts
  • OFFLINE
  • Local time:11:50 AM

Posted 02 April 2007 - 09:28 PM

Hello,
About 2 months ago I had a virus/spyware infection which somebody from this forum has already helped me clean. But after the cleaning, my computer seems to be in worse shape than before (in terms of functionality); the virus/spyware is gone, but MANY MANY functions of this computer are not working. So I would be very grateful if someone could check my log just to see if there is anything still wrong because, again, many things are not right here. Thanks!

Lawrance


Logfile of HijackThis v1.99.1
Scan saved at 7:20:34 PM, on 4/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\ehome\RMSvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HijackThis\abc.bat.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://education.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SunKistEM] "C:\Program Files\Digital Media Reader\shwiconem.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IPHSend] "C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\puresp3.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Unknown owner - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe" -k runservice (file missing)
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
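For readers who want to see how a helper works through a log like the one above, here is an added Python example (not BleepingComputer's, HijackThis's or the poster's code) that parses HijackThis-style entry lines and flags the ones a reviewer would look at first. The sample lines are copied from the posted log; the flagging heuristics (a "(file missing)" target, a bare filename in an O4 entry, a service with "Unknown owner", a doubled backslash in a service path, any registered MIME filter) are this example's own assumptions about what merits a second look, not rules from HijackThis.

```python
"""Triage helper for HijackThis v1.99-style log lines.

Added example, not code from BleepingComputer, HijackThis or the thread's
poster. The heuristics in triage() are assumptions about what deserves a
closer look; they do not declare anything malicious.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a handful of lines copied from the log in the thread,
# plus two non-entry lines to show that the parser skips them.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
"""

# Every HijackThis entry starts with a section code (R0, O4, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")
# O4 entries: "HKLM\..\Run: [ValueName] command line"
O4_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s+(?P<cmd>.*)")


@dataclass
class Entry:
    code: str
    body: str
    flags: list = field(default_factory=list)


def parse_hjt(text):
    """Return the R*/F*/O* entries of a log; process list and headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["code"], m["body"]))
    return entries


def executable_of(cmd):
    """First token of an autorun command: the quoted path if quoted, else the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(entries):
    """Attach review flags in place and return the list (heuristics are assumptions)."""
    for e in entries:
        if "(file missing)" in e.body:
            e.flags.append("stale: target file missing (leftover or broken uninstall)")
        if e.code == "O4":
            m = O4_RE.search(e.body)
            if m and "\\" not in executable_of(m["cmd"]):
                e.flags.append("bare filename: resolved by PATH search, verify which copy runs")
        elif e.code == "O23":
            # "Service: Name (short) - Vendor - path"
            parts = e.body.split(" - ")
            if len(parts) >= 3 and parts[1].strip() == "Unknown owner":
                e.flags.append("service without vendor string: confirm the binary is expected")
            if len(parts) >= 3 and "\\\\" in parts[2]:
                e.flags.append("doubled backslash in service path: check the ImagePath value")
        elif e.code == "O18" and e.body.startswith("Filter hijack"):
            e.flags.append("MIME filter registered: HijackThis labels all of these, confirm vendor")
    return entries


def flagged(entries):
    """Only the entries that picked up at least one flag."""
    return [e for e in entries if e.flags]


def summarize(entries):
    """Count of entries per section code, useful as a first overview of a log."""
    counts = {}
    for e in entries:
        counts[e.code] = counts.get(e.code, 0) + 1
    return counts


if __name__ == "__main__":
    for e in flagged(triage(parse_hjt(SAMPLE_LOG))):
        print(e.code, "|", e.body[:70])
        for f in e.flags:
            print("    ->", f)
```

Run over the sample, the NOD32 service and the quoted nod32kui autorun pass without comment, while the two "(file missing)" entries, the bare SOUNDMAN.EXE autorun, the AOL service and the Office XML filter come back for a closer look; that matches the reply in this thread, where the log is judged clean once those entries are recognised as leftovers or known software.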



#2 jurgenv

jurgenv

  • Members
  • 1,093 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:07:50 PM

Posted 03 April 2007 - 12:54 PM

Your log looks clean. What do you mean by some functions not working anymore? :thumbsup:
Greets Jürgenv


#3 lawrancec

lawrancec
  • Topic Starter

  • Banned
  • 92 posts
  • OFFLINE
  • Local time:11:50 AM

Posted 03 April 2007 - 04:07 PM

Well, there are many, but I'll try to list some that come to mind *cry*

I get a generic win32 host error upon start up
My toolbar randomly changes from xp to classical view
My sound does not work anymore
I cannot install any Windows Update
My system restore function seems to work when it wants to
My CDs do not autorun anymore

But most important:
I cannot reformat my computer due to a registry failure in the hive
"Systemroot\system32\config\SECURITY"

Thanks =)
lawrance

#4 jurgenv

jurgenv

  • Members
  • 1,093 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:07:50 PM

Posted 03 April 2007 - 04:08 PM

But do you still have your cd-rom from windows XP?
Greets Jürgenv


#5 lawrancec

lawrancec
  • Topic Starter

  • Banned
  • 92 posts
  • OFFLINE
  • Local time:11:50 AM

Posted 03 April 2007 - 04:16 PM

When I bought my computer, it didn't come with the actual XP disk; instead it came with this system recovery disk that has Windows XP on it.

#6 jurgenv

jurgenv

  • Members
  • 1,093 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:07:50 PM

Posted 03 April 2007 - 04:18 PM

Please put the CD-ROM in your CD-ROM drive and go to Start ==> Run ==> type: sfc /scannow and hit Enter.
Let Windows do its job and see if it helps.
Greets Jürgenv


#7 lawrancec

lawrancec
  • Topic Starter

  • Banned
  • 92 posts
  • OFFLINE
  • Local time:11:50 AM

Posted 03 April 2007 - 04:19 PM

OK, I'll do that and post back on how that turns out. Thanks!

lawrance

Update: It's halfway there =)

Edited by lawrancec, 03 April 2007 - 04:28 PM.


#8 lawrancec

lawrancec
  • Topic Starter

  • Banned
  • 92 posts
  • OFFLINE
  • Local time:11:50 AM

Posted 03 April 2007 - 04:42 PM

OK, the scan finished and it was unable to find anything wrong. What should my next step be? Thanks

lawrance

#9 jurgenv

jurgenv

  • Members
  • 1,093 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:07:50 PM

Posted 03 April 2007 - 04:47 PM

Boot into the Recovery Console by following these steps:
  • Insert the Windows CD and restart your computer. Follow your computer's prompts to boot from the CD. (You might need to adjust settings in the computer's BIOS to enable the option to boot from a CD.)
  • Follow the setup prompts to load the basic Windows startup files. At the Welcome To Setup screen press R to start the Recovery Console.
  • Enter the number of the Windows installation you want to access from the Recovery Console.
  • When prompted, type the Administrator password. If you're using the Recovery Console on a system running Windows XP Home Edition, this password is blank by default, so just press Enter.
  • Now type: chkdsk /r and hit Enter. Let Windows do its job and after that, boot again and tell me if it worked.

Greets Jürgenv


#10 lawrancec

lawrancec
  • Topic Starter

  • Banned
  • 92 posts
  • OFFLINE
  • Local time:11:50 AM

Posted 03 April 2007 - 04:53 PM

The problem is, the recovery CD is different from the Windows XP CD in that when I boot from CD I am only given 2 options:
"r" to begin recovery
or
"q" to quit recovery

When I press "r" I get a loading screen and the PC Angel splash screen, then I get a blue screen with the following error:

Stop:c0000218 {Registry File Failure}
The registry cannot load the hive (file)
\Systemroot\System32\Config\SECURITY
or its log or alternate.
It is corrupt, absent, or not rewritable

P.S. The recovery CD does not have a Recovery Console, as far as I know.

#11 jurgenv

jurgenv

  • Members
  • 1,093 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:07:50 PM

Posted 03 April 2007 - 04:55 PM

Hmm, strange... I suggest you start a topic here with your problem.
Greets Jürgenv


#12 lawrancec

lawrancec
  • Topic Starter

  • Banned
  • 92 posts
  • OFFLINE
  • Local time:11:50 AM

Posted 03 April 2007 - 04:56 PM

Sad to say, I already have, but no one is able to help me. All I am getting are posts on how to reformat a WORKING computer, which, sadly, my computer does not fit into that category. But thanks for looking over my log for me!

lawrance

Edited by lawrancec, 03 April 2007 - 04:57 PM.


#13 jurgenv

jurgenv

  • Members
  • 1,093 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:07:50 PM

Posted 03 April 2007 - 04:59 PM

Windows is probably messed up due to the infections, so a format would do the trick... I can try one last time:

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Greets Jürgenv


#14 lawrancec

lawrancec
  • Topic Starter

  • Banned
  • 92 posts
  • OFFLINE
  • Local time:11:50 AM

Posted 03 April 2007 - 05:11 PM

A reformat would do the trick, but the problem is that I can't =( And you are right about the infections messing up Windows, because I did have an infection about 2 months ago. But here is the log:

"Owner" - 07-04-03 14:58:23 Service Pack 2
ComboFix 07-03-15.2 - Running from: "C:\Documents and Settings\Owner\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2007-03-03 to 2007-04-03 ))))))))))))))))))))))))))))))))))


2007-04-02 15:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-04-02 14:14 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\gtopala
2007-04-02 13:22 <DIR> d-------- C:\Program Files\Western Digital Technologies
2007-04-01 14:45 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-03-24 19:34 <DIR> d-------- C:\Program Files\Common Files\Raxco
2007-03-24 19:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Raxco
2007-03-24 19:32 <DIR> d-------- C:\Program Files\Raxco
2007-03-19 17:50 <DIR> d-------- C:\WINDOWS\pss
2007-03-18 21:17 <DIR> d-------- C:\Program Files\iTunes
2007-03-18 21:14 <DIR> d-------- C:\Program Files\QuickTime
2007-03-17 22:53 2,320,000 --a------ C:\WINDOWS\system32\TUKernel.exe
2007-03-17 22:42 <DIR> d-------- C:\Temp
2007-03-17 14:47 <DIR> d-------- C:\avenger
2007-03-17 13:21 24,072 --a------ C:\WINDOWS\system32\uxtuneup.dll
2007-03-17 13:21 <DIR> d-------- C:\Program Files\TuneUp Utilities 2007
2007-03-17 13:21 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\TuneUp Software
2007-03-17 13:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TuneUp Software
2007-03-16 21:22 <DIR> d-------- C:\Program Files\ImTOO
2007-03-16 21:02 <DIR> d-------- C:\Program Files\TuneXP
2007-03-14 23:17 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\PC Tools
2007-03-14 21:10 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-03-14 21:10 298,104 --a------ C:\WINDOWS\system32\imon.dll
2007-03-14 21:10 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2007-03-13 20:59 0 --a------ C:\WINDOWS\system32\SBRC.dat
2007-03-13 20:59 0 --a------ C:\WINDOWS\system32\SBFC.dat
2007-03-11 22:43 33,920 --a------ C:\WINDOWS\system32\drivers\oreans32.sys
2007-03-11 13:41 <DIR> d-------- C:\Program Files\CCleaner
2007-03-07 19:07 <DIR> d-------- C:\!KillBox
2007-03-05 22:52 <DIR> d-------- C:\Program Files\Internet Download Manager
2007-03-05 22:52 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\IDM
2007-03-05 22:52 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\DMCache
2007-03-05 21:57 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\IE7pro


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-02 15:03 -------- d-------- C:\Program Files\lavasoft
2007-03-30 23:41 -------- d-------- C:\Program Files\bitcomet
2007-03-24 21:56 -------- d-------- C:\Program Files\starcraft
2007-03-24 21:56 -------- d-------- C:\Program Files\mathtype
2007-03-19 20:46 -------- d-------- C:\Program Files\aol toolbar
2007-03-19 17:16 -------- d-------- C:\DOCUME~1\Owner\APPLIC~1\uniblue
2007-03-18 21:17 -------- d-------- C:\Program Files\ipod
2007-03-18 21:13 -------- d-------- C:\Program Files\apple software update
2007-03-17 16:02 -------- d-------- C:\Program Files\njstar chinese wp
2007-03-17 13:55 -------- d-------- C:\Program Files\microsoft works
2007-03-17 13:55 -------- d-------- C:\Program Files\limewire
2007-03-17 13:55 -------- d-------- C:\DOCUME~1\Owner\APPLIC~1\prevx
2007-03-17 13:20 -------- d-------- C:\Program Files\Common Files\wise installation wizard
2007-03-16 00:58 -------- d-------- C:\Program Files\transcode360
2007-03-11 18:52 -------- d-------- C:\DOCUME~1\Owner\APPLIC~1\lavasoft
2007-03-10 20:47 -------- d-------- C:\Program Files\symantec
2007-03-10 17:21 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-03-10 12:37 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-03-10 00:09 81984 --a------ C:\WINDOWS\system32\bdod.bin
2007-03-02 14:17 227856 --a------ C:\WINDOWS\system32\pdboot.exe
2007-03-02 10:26 67352 --a------ C:\WINDOWS\system32\drivers\DefragFs.sys
2007-02-28 20:17 4110 --a------ C:\WINDOWS\system32\tmp.reg
2007-02-26 18:37 -------- d-------- C:\Program Files\java
2007-02-25 21:42 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-02-23 19:47 -------- d-------- C:\Program Files\Common Files\pure networks shared
2007-02-18 22:36 -------- d-------- C:\DOCUME~1\Owner\APPLIC~1\river past g4
2007-02-18 21:18 163426 --a------ C:\WINDOWS\video cleaner pro uninstaller.exe
2007-02-18 21:18 -------- d-------- C:\Program Files\river past
2007-02-18 21:18 -------- d-------- C:\Program Files\Common Files\river past
2007-02-17 16:48 -------- d--h----- C:\Program Files\installshield installation information
2007-02-17 16:24 -------- d-------- C:\Program Files\microsoft.net
2007-02-15 00:51 -------- d-------- C:\Program Files\napster
2007-02-15 00:32 -------- d-------- C:\Program Files\windows media connect 2
2007-02-15 00:32 -------- d-------- C:\Program Files\guild wars
2007-02-08 20:44 26944 --a------ C:\WINDOWS\system32\drivers\purendis.sys
2007-02-08 20:44 25792 --a------ C:\WINDOWS\system32\drivers\pnarp.sys
2007-02-07 18:44 -------- d-------- C:\DOCUME~1\Owner\APPLIC~1\winrar
2007-02-03 13:03 -------- d-------- C:\Program Files\difx
2007-02-03 13:02 -------- d-------- C:\Program Files\pure networks


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"WMPNSCFG"="C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SunKistEM"="\"C:\\Program Files\\Digital Media Reader\\shwiconem.exe\""
"SoundMan"="SOUNDMAN.EXE"
"Reminder"="%WINDIR%\\Creator\\Remind_XP.exe"
"Recguard"="%WINDIR%\\SMINST\\RECGUARD.EXE"
"nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"
"nmapp"="\"C:\\Program Files\\Pure Networks\\Network Magic\\nmapp.exe\" -autorun -nosplash"
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"CHotkey"="zHotkey.exe"
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"IPHSend"="\"C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe\""
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"IPHSend"="\"C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe\""


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=dword:00000001
"AllowUnhashedWebView"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0
QWAVE REG_MULTI_SZ QWAVE\0\0

HKLM\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
UxTuneUp



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job
C:\WINDOWS\tasks\AppleSoftwareUpdate.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-03 15:05:55
C:\ComboFix2.txt ... 07-03-17 12:59




And just wondering, after I run "sfc /scannow" should there be a confirmation box telling me whether all the Windows protected files are intact or not? Because after I run it, the progress bar just disappears and I do not get any further messages. Thanks

Edited by lawrancec, 03 April 2007 - 05:12 PM.


#15 jurgenv

jurgenv

  • Members
  • 1,093 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:07:50 PM

Posted 03 April 2007 - 05:16 PM

Please download this tool to a place where you can easily find it:
http://wiki.djlizard.net/Dial-a-fix

Run Dial-a-fix, check everything in the main window and click on 'Go'.
Let the tool do its job, then reboot the system and see if it helps.
Greets Jürgenv
