Infected


11 replies to this topic

#1 rat2255

rat2255

  • Members
  • 7 posts

Posted 07 April 2007 - 12:06 PM

I have some type of malware on my machine and I can't get rid of it and don't know what it is. Every two days I have to format my D: because my computer starts beeping and slows down to snail speed. I am also sure it is malware because I partitioned my hard drive into D: and E: and it only deletes D:. I have tried many software packages and they can't find anything (Norton, Housecall, Panda, etc.). Also, every time my computer beeps, explorer.exe goes up about +10 CPU in the processes.

Here is my HijackThis file while the computer is beeping.

Logfile of HijackThis v1.99.1
Scan saved at 11:32:34 AM, on 4/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CompuServe 7.0\cstray.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\DOCUME~1\Aaron\LOCALS~1\Temp\Temporary Directory 2 for hijackthis[1].zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: (no name) - {2ECB7FB2-0333-416F-92FD-4904AD49252B} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] D:\Program Files II\nero\InCD\InCD.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CompuServe 7.0 Tray Icon.lnk = C:\Program Files\CompuServe 7.0\cstray.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files II\MS Office 2000\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = D:\Program Files II\MS Office 2000\Office\1033\OLFSNT40.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135775985904
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173303152968
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Unknown owner - D:\Program Files II\nero\InCD\InCDsrv.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)


#2 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,522 posts
  • Gender:Male

Posted 10 April 2007 - 07:29 PM

I need to see another HijackThis log, but you need to extract (unzip) HijackThis first. Otherwise the backups made when items are fixed won't be secure. The easiest way to accomplish this is to reinstall and delete any copies of HijackThis.zip you have saved.

Please download the self-extracting version of HijackThis from here:

HijackThis_sfx download

Save HijackThis_sfx to your desktop.

Double-click the file then click the Unzip button. Then close the Self-Extractor window.

Using My Computer/Windows Explorer, navigate to C:\Program Files\HijackThis and double click on HijackThis.exe to run it. If you would like to make a shortcut so it's more easily accessible, right click HijackThis.exe and choose Send To > Desktop (create shortcut).

Please run the extracted HijackThis.exe from now on. Delete any copies of HijackThis.zip that you have saved.

Open HijackThis and click Do a system scan and save a log file. Copy the entire contents of that log and post it here by clicking the Add Reply button.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson


#3 rat2255

rat2255
  • Topic Starter

  • Members
  • 7 posts

Posted 12 April 2007 - 03:40 PM

ok here it is

Logfile of HijackThis v1.99.1
Scan saved at 3:36:14 PM, on 4/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CompuServe 7.0\cstray.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVW32.exe
C:\Program Files\Common Files\Symantec Shared\COH\coh32.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: (no name) - {2ECB7FB2-0333-416F-92FD-4904AD49252B} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] D:\Program Files II\nero\InCD\InCD.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CompuServe 7.0 Tray Icon.lnk = C:\Program Files\CompuServe 7.0\cstray.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files II\MS Office 2000\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = D:\Program Files II\MS Office 2000\Office\1033\OLFSNT40.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135775985904
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173303152968
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Unknown owner - D:\Program Files II\nero\InCD\InCDsrv.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)

#4 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,522 posts
  • Gender:Male

Posted 12 April 2007 - 09:22 PM

I really don't see any signs of malware in your log. There is an orphan registry entry from a legitimate program, but it won't cause the problems you describe. Let's dig a little deeper, but if other scanners aren't finding anything then it is probably a hardware or operating system problem.

Scan again with HijackThis and put a checkmark next to the following entries:

O3 - Toolbar: (no name) - {2ECB7FB2-0333-416F-92FD-4904AD49252B} - (no file)


Close all other windows--you should only see HijackThis on your Desktop and Taskbar--and then click the "Fix checked" button.

Download and install AVG Anti-Spyware v7.5.
  • After download, double click on the file to launch the install process.
  • Choose a language, click "OK" and then click "Next".
  • Read the "License Agreement" and click "I Agree".
  • Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "Next", then click "Install".
  • After setup completes, click "Finish" to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray.
  • Connect to the Internet, go back to AVG Anti-Spyware, select the "Update" button and click "Start update". Wait until you see the "Update successful" message. If you are having problems with the updater, manually update with the AVG Anti-Spyware Full database installer from here.
  • Exit AVG Anti-Spyware when done - DO NOT perform a scan yet.
Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". (Note: When run in safe mode, sometimes the GUI is larger than the screen and the buttons at the bottom are partly or completely hidden, making them inaccessible for doing a scan. If this is the case, then you may have to run your scan in normal mode and advise your helper afterwards.)

Scan with AVG Anti-Spyware as follows:
  • Click on the "Scanner" button and choose the "Settings" tab.
  • Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
  • Under "How to Scan?", "Possibly unwanted software", and "What to Scan?" leave all the default settings.
  • Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".
  • Click the "Scan" tab to return to scanning options.
  • Click "Complete System Scan" to start.
  • When the scan has finished, it should automatically be set to Quarantine--if not click on Recommended Action and set it there.
  • You will also be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.
IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.
  • Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\
  • Exit AVG Anti-Spyware when done, reboot normally and submit the log report in your next response.
Note: Close all open windows, programs, and DO NOT USE the computer while AVG Anti-Spyware is scanning. Doing so can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection.

AVG Anti-Spyware is free for 30 days and all the extensions of the full version will be activated. After the 30 day trial, active protection extensions will be deactivated and the program will turn into a feature-limited freeware version that you can continue to use as an on-demand scanner, or you may purchase a license to use the full version.

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt in your next reply. If you have any problems with the logs, both can be found in C:\Deckard\System Scanner.
Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

Please download F-Secure Blacklight (fsbl.exe) and save to your C:\ drive.
  • Open a command window by going to Start > Run and typing: cmd
  • Copy/paste or type the following in the command window: C:\fsbl.exe /expert
  • Hit "Enter" to start the program and then close the cmd box.
  • Accept the user agreement and click "Next".
  • Click "Scan".
  • After the scan is complete, click "Next", then "Exit".
  • BlackLight will create a log in C:\ drive named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
  • The log will have a list of all items found. Do not choose to rename any yet!
    I want to see the log first because legitimate items can also be present...like "wbemtest.exe" and "tcptest.exe".
  • Exit Blacklight and post the contents of the log in your next reply.
Please post back with:

AVGAS log
DSS logs
Blacklight log

The fate of all mankind, I see

Is in the hands of fools

--King Crimson
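
The orphan-entry check Papakid applies above (HijackThis entries ending in "(no file)" or "(file missing)", plus the O20/O23 persistence locations worth a second look), as an added Python example that is not part of the thread or of HijackThis itself. The sample lines are constructed in the v1.99.1 log format quoted above, and the tag names ("orphan", "review-...") are my own labels.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a few lines in HijackThis v1.99.1 format, modelled on
# the entries quoted in the thread (not a real capture from the poster).
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O3 - Toolbar: (no name) - {2ECB7FB2-0333-416F-92FD-4904AD49252B} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: InCD Helper (InCDsrv) - Unknown owner - D:\Program Files II\nero\InCD\InCDsrv.exe (file missing)
"""

# Every HijackThis entry is "<section> - <body>", e.g. "O3 - Toolbar: ...".
LINE_RE = re.compile(r"^(R\d|F\d|O\d{1,2}) - (.+)$")
# O4 bodies look like: HKLM\..\Run: [name] command line
O4_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")

TAGS = ("orphan", "review-logon-dll", "review-unknown-owner")


@dataclass
class Entry:
    section: str                      # "O3", "O23", ...
    body: str                         # text after "O3 - "
    tags: list = field(default_factory=list)


def parse_hjt(text):
    """Return the O/R/F entries of a HijackThis log; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def is_orphan(e):
    """HijackThis marks a registry entry whose target is gone this way."""
    return e.body.endswith("(no file)") or "(file missing)" in e.body


def run_target(e):
    """For an O4 HKLM/HKCU Run entry return (hive, value name, command)."""
    m = O4_RE.match(e.body)
    return (m.group(1), m.group(2), m.group(3)) if m else None


def triage(entries):
    """Tag entries the way a log helper would prioritise them for review."""
    for e in entries:
        if is_orphan(e):
            # Harmless by itself (the file is gone) but safe to "Fix checked".
            e.tags.append("orphan")
        if e.section == "O20":
            # Winlogon Notify DLLs load at every logon: confirm the publisher.
            e.tags.append("review-logon-dll")
        if e.section == "O23" and "Unknown owner" in e.body:
            # A service with no recognised owner deserves a closer look.
            e.tags.append("review-unknown-owner")
    return entries


def analyze(text):
    """Parse, triage and group a log's entries by tag."""
    entries = triage(parse_hjt(text))
    return {tag: [e.body for e in entries if tag in e.tags] for tag in TAGS}


if __name__ == "__main__":
    for tag, bodies in analyze(SAMPLE_LOG).items():
        print(f"[{tag}] {len(bodies)} entries")
        for b in bodies:
            print("   ", b)
```

The O4 helper is there so the run keys can be matched against the "Running processes" list when an entry's command line does not appear there, which is the same cross-check a helper does by eye.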


#5 rat2255

rat2255
  • Topic Starter

  • Members
  • 7 posts

Posted 13 April 2007 - 07:34 PM

AVGAS log


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:23:18 PM 4/13/2007

+ Scan result:



C:\System Volume Information\_restore{EE4BEF82-7623-42FF-94EE-F7D74F334BBC}\RP406\A0081911.EXE -> Adware.Background : Cleaned.
C:\WINDOWS\system32\b4fm.dll -> Adware.BurnFree : Cleaned.
C:\Documents and Settings\Aaron\Local Settings\Temp\Temporary Internet Files\Content.IE5\MP4XFV5S\mm[2].js -> Adware.Chitika : Cleaned.
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : Cleaned.
C:\Program Files\IconUtils\IconLover\loader.exe -> Downloader.Small : Cleaned.
C:\System Volume Information\_restore{EE4BEF82-7623-42FF-94EE-F7D74F334BBC}\RP371\A0076208.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Cleaned.
:mozilla.10:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Angertk\4x6knh2b.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.11:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Angerta\4jq67w7m.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.11:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dailymaze\ggsefvpt.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.14:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dailymaze\ggsefvpt.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.17:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Angertk\4x6knh2b.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.18:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Angerta\4jq67w7m.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.6:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dailymaze\ggsefvpt.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.7:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Angertk\4x6knh2b.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.8:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Angertk\4x6knh2b.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.9:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Angerta\4jq67w7m.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Aaron\Cookies\aaron@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Aaron\Cookies\aaron@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Aaron\Local Settings\Temp\Cookies\aaron@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Aaron\Local Settings\Temp\Cookies\aaron@metacafe.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Aaron\Local Settings\Temp\Cookies\aaron@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Patrick F Angert\Cookies\patrick f angert@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Patrick F Angert\Cookies\patrick f angert@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Patrick F Angert\Cookies\patrick f angert@paypal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Aaron\Local Settings\Temp\Cookies\aaron@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned.
C:\Documents and Settings\Aaron\Cookies\aaron@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Aaron\Local Settings\Temp\Cookies\aaron@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned.
C:\Documents and Settings\Aaron\Local Settings\Temp\Cookies\aaron@adtech[2].txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.10:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dailymaze\ggsefvpt.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.11:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Angertk\4x6knh2b.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.12:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Angerta\4jq67w7m.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.12:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Angertk\4x6knh2b.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.13:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dailymaze\ggsefvpt.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.14:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Angerta\4jq67w7m.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.15:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Angerta\4jq67w7m.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.17:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Angerta\4jq67w7m.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.7:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dailymaze\ggsefvpt.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.9:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Angertk\4x6knh2b.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.9:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dailymaze\ggsefvpt.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Aaron\Local Settings\Temp\Cookies\aaron@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.15:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Dailymaze\ggsefvpt.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.19:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Angerta\4jq67w7m.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Aaron\Cookies\aaron@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Aaron\Local Settings\Temp\Cookies\aaron@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Patrick F Angert\Cookies\patrick f angert@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Aaron\Local Settings\Temp\Cookies\aaron@bfast[2].txt -> TrackingCookie.Bfast : Cleaned.
C:\Documents and Settings\Aaron\Cookies\aaron@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Documents and Settings\Aaron\Cookies\aaron@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\Aaron\Local Settings\Temp\Cookies\aaron@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\Aaron\Cookies\aaron@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Aaron\Local Settings\Temp\Cookies\aaron@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Aaron\Cookies\aaron@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Aaron\Local Settings\Temp\Cookies\aaron@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Aaron\Cookies\aaron@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Aaron\Local Settings\Temp\Cookies\aaron@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Patrick F Angert\Cookies\patrick f angert@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Aaron\Local Settings\Temp\Cookies\aaron@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Aaron\Local Settings\Temp\Cookies\aaron@ehg-crain.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Aaron\Local Settings\Temp\Cookies\aaron@ehg-oreilly.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Aaron\Local Settings\Temp\Cookies\aaron@ehg.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Aaron\Local Settings\Temp\Cookies\aaron@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Patrick F Angert\Cookies\patrick f angert@ehg-ati.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Patrick F Angert\Cookies\patrick f angert@ehg-foxsports.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Patrick F Angert\Cookies\patrick f angert@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.10:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Angerta\4jq67w7m.slt\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.16:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Angerta\4jq67w7m.slt\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Aaron\Cookies\aaron@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Aaron\Local Settings\Temp\Cookies\aaron@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Patrick F Angert\Cookies\patrick f angert@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Aaron\Local Settings\Temp\Cookies\aaron@search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\Patrick F Angert\Cookies\patrick_f_angert@search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\Aaron\Local Settings\Temp\Cookies\aaron@stat.onestat[2].txt -> TrackingCookie.Onestat : Cleaned.
C:\Documents and Settings\Aaron\Cookies\aaron@overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Patrick F Angert\Cookies\patrick f angert@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.
C:\Documents and Settings\Patrick F Angert\Cookies\patrick f angert@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.6:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Angerta\4jq67w7m.slt\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.7:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Angerta\4jq67w7m.slt\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Aaron\Local Settings\Temp\Cookies\aaron@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Patrick F Angert\Cookies\patrick_f_angert@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Patrick F Angert\Cookies\patrick f angert@revsci[2].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Aaron\Local Settings\Temp\Cookies\aaron@h.starware[2].txt -> TrackingCookie.Starware : Cleaned.
C:\Documents and Settings\Aaron\Local Settings\Temp\Cookies\aaron@www.starware[1].txt -> TrackingCookie.Starware : Cleaned.
:mozilla.18:C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Angertk\4x6knh2b.slt\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Aaron\Cookies\aaron@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Aaron\Local Settings\Temp\Cookies\aaron@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Aaron\Local Settings\Temp\Cookies\aaron@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Aaron\Cookies\aaron@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Aaron\Cookies\aaron@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Aaron\Local Settings\Temp\Cookies\aaron@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Patrick F Angert\Cookies\patrick f angert@valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned.
C:\Documents and Settings\Aaron\Local Settings\Temp\Cookies\aaron@m.webtrends[2].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\Patrick F Angert\Cookies\patrick_f_angert@m.webtrends[1].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\Aaron\Cookies\aaron@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Aaron\Local Settings\Temp\Cookies\aaron@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Aaron\Local Settings\Temp\Cookies\aaron@c5.zedo[1].txt -> TrackingCookie.Zedo : Cleaned.
C:\Documents and Settings\Aaron\Local Settings\Temp\Cookies\aaron@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.
C:\Program Files\TypingMaster\TypingMaster.exe -> Trojan.Crypt.v : Cleaned.


::Report end



DSS logs

main

Deckard's System Scanner v20070411.38
Run by Aaron on 2007-04-13 at 18:56:48
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
90: 2007-04-13 23:57:03 UTC - RP440 - Deckard's System Scanner Restore Point
89: 2007-04-12 21:00:55 UTC - RP439 - Software Distribution Service 2.0
88: 2007-04-11 04:08:00 UTC - RP438 - Software Distribution Service 2.0
87: 2007-04-10 00:18:45 UTC - RP437 - System Checkpoint
86: 2007-04-08 23:12:10 UTC - RP436 - System Checkpoint


-- First Restore Point --
1: 2007-01-14 22:09:09 UTC - RP351 - System Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as Aaron.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 7:00:24 PM, on 4/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CompuServe 7.0\cstray.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Aaron\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\Aaron.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] D:\Program Files II\nero\InCD\InCD.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CompuServe 7.0 Tray Icon.lnk = C:\Program Files\CompuServe 7.0\cstray.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files II\MS Office 2000\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = D:\Program Files II\MS Office 2000\Office\1033\OLFSNT40.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135775985904
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173303152968
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Unknown owner - D:\Program Files II\nero\InCD\InCDsrv.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)


-- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~1\backups\) --------------------

backup-20070413-132600-337 O3 - Toolbar: (no name) - {2ECB7FB2-0333-416F-92FD-4904AD49252B} - (no file)

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - "regedit.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 ATMhelpr - c:\windows\system32\drivers\atmhelpr.sys
R1 lusbaudio (Logitech USB Microphone) - c:\windows\system32\drivers\ovsound2.sys
R1 NPPTNT2 - c:\windows\system32\npptnt2.sys
R1 SRTSP - c:\windows\system32\drivers\srtsp.sys
R1 SRTSPX - c:\windows\system32\drivers\srtspx.sys
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.0.1) - c:\windows\system32\drivers\aegisp.sys
R2 tmcomm - c:\windows\system32\drivers\tmcomm.sys
R3 ac97intc (Intel® 82801 Audio Driver Install Service (WDM)) - c:\windows\system32\drivers\ac97intc.sys
R3 ATICXCAP (ATI TV Wonder Pro A/V Capture) - c:\windows\system32\drivers\aticxcap.sys
R3 ATICXTUN (ATI TV Wonder Pro Tuner (Philips 1236 MK3)) - c:\windows\system32\drivers\aticxtun.sys
R3 ATICXXBR (ATI TV Wonder Pro A/V Crossbar) - c:\windows\system32\drivers\aticxxbr.sys
R3 GTNDIS5 (GTNDIS5 NDIS Protocol Driver) - c:\windows\system32\gtndis5.sys
R3 QCEmerald (Logitech QuickCam Web) - c:\windows\system32\drivers\ovce.sys
R3 QCMerced (Logitech QuickCam Communicate) - c:\windows\system32\drivers\lvcm.sys
R3 RT2500 (Linksys Wireless-G PCI Adapter Driver) - c:\windows\system32\drivers\rt2500.sys
R3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys

S3 BCM42RLY - c:\windows\system32\bcm42rly.sys
S3 BEL (Belkin 11Mbps Wireless LAN Driver) - c:\windows\system32\drivers\belnds.sys (file missing)
S3 dump_wmimmc - c:\windows\system32\drivers\dump_wmimmc.sys (file missing)
S3 hamachi (Hamachi Network Interface) - c:\windows\system32\drivers\hamachi.sys
S3 hidgame (Microsoft Hid to Joystick Port Enabler) - c:\windows\system32\drivers\hidgame.sys
S3 i81x - c:\windows\system32\drivers\i81xnt5.sys
S3 iAimFP0 - c:\windows\system32\drivers\wadv01nt.sys
S3 iAimFP1 - c:\windows\system32\drivers\wadv02nt.sys
S3 iAimFP2 - c:\windows\system32\drivers\wadv05nt.sys
S3 iAimFP3 - c:\windows\system32\drivers\wsiintxx.sys
S3 iAimFP4 - c:\windows\system32\drivers\wvchntxx.sys
S3 iAimTV0 - c:\windows\system32\drivers\watv01nt.sys
S3 iAimTV1 - c:\windows\system32\drivers\watv02nt.sys
S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)
S3 iAimTV3 - c:\windows\system32\drivers\watv04nt.sys
S3 iAimTV4 - c:\windows\system32\drivers\wch7xxnt.sys
S3 jbridgep - c:\docume~1\aaron\locals~1\temp\jbridgep.sys (file missing)
S3 SRTSPL - c:\windows\system32\drivers\srtspl.sys
S3 TIEHDUSB - c:\windows\system32\drivers\tiehdusb.sys
S3 XTrapD12 - c:\windows\system32\xtrapd12.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 WMP54Gv4SVC - "c:\program files\linksys wireless-g pci wireless network monitor\wlservice.exe" "wmp54gv4.exe"

S2 InCDsrv (InCD Helper) - d:\program files ii\nero\incd\incdsrv.exe (file missing)
S3 usprserv (User Privilege Service) - c:\windows\system32\svchost.exe -k netsvcs


-- Scheduled Tasks -------------------------------------------------------------

2007-04-09 20:00:00 644 --a------ C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Patrick F Angert.job<NORTON~1.JOB>


-- Files created between 2007-03-13 and 2007-04-13 -----------------------------

2007-04-13 15:10:51 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-04-13 13:29:34 3968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-08 20:55:37 0 d-------- C:\LD
2007-04-07 22:47:48 0 d-------- C:\qbasic
2007-04-07 12:34:38 0 d-------- C:\HJT
2007-04-03 20:28:40 0 d-------- C:\WINDOWS\system32\ActiveScan<ACTIVE~1>
2007-04-03 15:43:41 1843584 -----n--- C:\WINDOWS\system32\win32k.sys
2007-03-31 12:40:47 0 d-------- C:\Program Files\Maxtor
2007-03-31 12:39:01 0 d-------- C:\Documents and Settings\Patrick F Angert\Application Data\Adobe
2007-03-31 10:50:14 0 d-------- C:\Documents and Settings\Patrick F Angert\Application Data\VMNTOOLBAR<VMNTOO~1>
2007-03-28 00:06:56 0 d-------- C:\helppppp
2007-03-28 00:03:42 0 d-------- C:\Program Files\Visicom Media<VISICO~1>
2007-03-27 23:55:22 0 d-------- C:\asdf
2007-03-27 23:29:38 0 d-------- C:\Documents and Settings\Aaron\Application Data\Visicom Media<VISICO~1>
2007-03-27 23:28:07 0 d-------- C:\Program Files\vmntoolbar<VMNTOO~1>
2007-03-27 23:28:05 0 d-------- C:\Documents and Settings\Aaron\Application Data\vmntoolbar<VMNTOO~1>
2007-03-27 23:28:02 0 d-------- C:\Program Files\VMN
2007-03-27 19:05:25 65582 --a------ C:\Documents and Settings\Aaron\hisave
2007-03-26 21:24:34 0 d-------- C:\web
2007-03-26 21:19:54 70656 --a------ C:\WINDOWS\system32\vspell32.dll
2007-03-26 21:19:53 102912 --a------ C:\WINDOWS\system32\Vb6stkit.dll
2007-03-26 21:19:51 84992 --a------ C:\WINDOWS\system32\Ledit32.dll
2007-03-23 20:11:39 0 d-------- C:\Program Files\World of Warcraft<WORLDO~1>
2007-03-18 09:03:04 0 d-------- C:\music2


-- Find3M Report ---------------------------------------------------------------

2007-04-13 14:34:52 0 d-------- C:\Program Files\Common Files\Symantec Shared<SYMANT~1>
2007-04-13 13:58:12 0 d-------- C:\Program Files\Toolkit3
2007-04-09 21:15:04 0 d-------- C:\Program Files\CompuServe 7.0<COMPUS~1.0>
2007-04-07 14:24:44 0 d-------- C:\Program Files\StepMania<STEPMA~2>
2007-04-03 22:36:44 0 d-------- C:\Program Files\QuickTime<QUICKT~1>
2007-04-03 22:35:33 0 d-------- C:\Program Files\palmOne
2007-04-03 22:32:54 0 d-------- C:\Program Files\Norton Internet Security<NORTON~2>
2007-04-03 22:32:18 0 d-------- C:\Program Files\MSN Messenger<MSNMES~1>
2007-04-03 22:19:08 0 d-------- C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor<LINKSY~1>
2007-04-03 21:57:10 0 d-------- C:\Program Files\iTunes
2007-04-03 21:53:07 0 d-------- C:\Program Files\Google
2007-04-03 21:35:03 0 d-------- C:\Program Files\AIM
2007-03-31 13:59:54 0 d-------- C:\Program Files\Snapshot Viewer<SNAPSH~1>
2007-03-31 12:40:43 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-03-27 21:38:00 0 d-------- C:\Program Files\MSN Games<MSNGAM~2>
2007-03-27 21:34:22 0 d-------- C:\Program Files\BitTorrent<BITTOR~1>
2007-03-23 20:21:03 0 d-------- C:\Program Files\Common Files\Blizzard Entertainment<BLIZZA~1>
2007-03-17 08:43:01 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-09 01:14:37 0 d-------- C:\Documents and Settings\Aaron\Application Data\Ahead
2007-03-09 01:08:50 0 d-------- C:\Program Files\Ahead
2007-03-08 23:00:06 0 d-------- C:\Program Files\DebugMode<DEBUGM~1>
2007-03-08 20:12:50 0 d--h----- C:\Program Files\WindowsUpdate<WINDOW~2>
2007-03-08 10:36:28 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 10:36:28 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 10:36:28 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-07 16:46:12 0 d-------- C:\Program Files\Movie Maker<MOVIEM~1>
2007-03-06 22:13:31 0 d-------- C:\Documents and Settings\Aaron\Application Data\Uniblue
2007-03-04 22:44:15 0 d-------- C:\Documents and Settings\Aaron\Application Data\Arcsoft
2007-03-04 19:58:05 0 d---s---- C:\Documents and Settings\Aaron\Application Data\Microsoft<MICROS~1>
2007-03-02 01:27:45 0 d-------- C:\Program Files\Game_Maker7<GAME_M~3>
2007-03-02 00:20:21 1056 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-03-02 00:20:18 56 -r-hs---- C:\WINDOWS\system32\90BAB9B612.sys<90BAB9~1.SYS>
2007-03-02 00:18:56 0 d-------- C:\Program Files\Common Files\Enterbrain<ENTERB~1>
2007-03-01 23:07:53 0 d-------- C:\Program Files\Common Files\csshare
2007-03-01 01:49:07 0 d-------- C:\Program Files\Copy of StepMania<COPYOF~1>
2007-02-24 10:18:54 0 d-------- C:\Program Files\Symantec
2007-02-24 10:18:53 48776 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-02-24 10:11:08 0 d-------- C:\Program Files\Norton AntiVirus<NORTON~1>
2007-02-20 21:32:32 0 d-------- C:\Documents and Settings\Aaron\Application Data\Hamachi
2007-02-19 18:05:11 0 d-------- C:\Program Files\Game_Maker6<GAME_M~2>
2007-02-17 22:17:15 0 d-------- C:\Documents and Settings\Aaron\Application Data\teamspeak2<TEAMSP~1>
2007-02-14 23:40:26 0 d-------- C:\Program Files\Java
2007-02-05 15:17:02 185344 --a------ C:\WINDOWS\system32\upnphost.dll


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"ATI Launchpad"=""
"ATI Scheduler"="C:\\Program Files\\ATI Multimedia\\main\\ATISched.EXE"
"LogitechSoftwareUpdate"="\"C:\\Program Files\\Logitech\\Video\\ManifestEngine.exe\" boot"
"BitTorrent"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
"AIM"="C:\\PROGRA~1\\AIM\\aim.exe -cnetwait.odl"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"NBJ"="\"C:\\Program Files\\Ahead\\Nero BackItUp\\NBJ.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"InCD"="D:\\Program Files II\\nero\\InCD\\InCD.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"LVCOMSX"="C:\\WINDOWS\\system32\\LVCOMSX.EXE"
"LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe"
"LogitechVideoTray"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"C:\\Program Files\\Norton Internet Security\\osCheck.exe\""
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=dword:00000001
"AllowUnhashedWebView"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"_NoDriveTypeAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_COMHOST


-- End of Deckard's System Scanner: finished at 2007-04-13 at 19:01:22 ---------

Edited by rat2255, 13 April 2007 - 10:55 PM.


#6 rat2255

rat2255
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:04:57 PM

Posted 13 April 2007 - 10:57 PM

extra

Deckard's System Scanner v20070411.38
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron™ CPU 1300MHz
Percentage of Memory in Use: 66%
Physical Memory (total/avail): 509.98 MiB / 171.28 MiB
Pagefile Memory (total/avail): 1248.89 MiB / 903.11 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1993.16 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 74.53 GiB total, 34.91 GiB free.
D: is Fixed (NTFS) - 55.9 GiB total, 55.84 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)
G: is Fixed (NTFS) - 58.59 GiB total, 58.53 GiB free.


-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

FW: Norton Internet Security v2007 (Symantec Corporation)
AV: Norton Internet Security v2007 (Symantec Corporation)


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Aaron\Application Data
CLASSPATH=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MOVIEMAKER
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Aaron
LOGONSERVER=\\MOVIEMAKER
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 11 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0b01
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Aaron\LOCALS~1\Temp
TMP=C:\DOCUME~1\Aaron\LOCALS~1\Temp
USERDOMAIN=MOVIEMAKER
USERNAME=Aaron
USERPROFILE=C:\Documents and Settings\Aaron
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

HelpAssistant
Patrick F Angert (admin)
Aaron (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
3DGPAi1 Game Resources 1.0 --> C:\3DGPAi1\unins000.exe
3DNA Desktop --> C:\Program Files\3DNA\3DNA\Uninstall.exe
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe PhotoDeluxe 2.0 --> C:\WINDOWS\uninst.exe -f"C:\Program Files\PhotoDeluxe 2.0\DeIsL1.isu"
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Adobe Type Manager 4.0 --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Adobe Type Manager\DeIsL1.isu" -c"C:\Program Files\Adobe Type Manager\UNINST.DLL"
Age of Empires III --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{7B9CC60A-9B81-46A3-A953-76B6BF9EEC97}
Ahead InCD EasyWrite Reader --> C:\WINDOWS\unmrw.exe /UNINSTALL
AOL Instant Messenger --> C:\Program Files\AIM\uninstll.exe -LOG= C:\Program Files\AIM\install.log -OEM=
AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Multimedia Center 8.2.0.0 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{42BC25C4-E224-45FB-8CEF-162D2EEC5A34} /l1033
AV --> MsiExec.exe /I{F4DB525F-A986-4249-B98B-42A8066251CA}
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Burn4Free CD and DVD --> "D:\Program Files II\Burn4Free\uninstall.exe"
Call of Duty Dawnville Demo --> D:\PROGRA~1\CALLOF~1\Uninstall\Unwise.exe /u D:\PROGRA~1\CALLOF~1\Uninstall\Install.log
Captain Keyboard --> C:\PROGRA~1\CAPTAI~1\UNWISE.EXE C:\PROGRA~1\CAPTAI~1\INSTALL.LOG
ccCommon --> MsiExec.exe /I{3CCAD2EF-CFF2-4637-82AA-AABF370282D3}
Chicken Invaders 2 v2.60 --> "D:\Program Files II\chicken\Chicken Invaders 2\unins000.exe"
Clear Sailing --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1EA8CF83-AEFE-4952-B902-F0D08F9F2D01}\Setup.exe" -l0x9
CompuServe --> C:\Program Files\Common Files\csshare\csunins_us.exe
DAO --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{C88E49AA-41C5-4420-A08D-BE1B6C5A3A74}
Dawn --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5569C99B-129C-426E-920A-FD1F0DC01FDC}\Setup.exe"
DebugMode Wax 2.0 --> "D:\Program Files II\wax\uninst.exe"
DH Lore Invasion Demo --> C:\Program Files\DHLIDemo\Uninstal.exe
Ellusionist TROUBL_MAKER® 5.0 --> C:\WINDOWS\iun6002.exe "C:\Program Files\Ellusionist TROUBL_MAKER\irunin.ini"
F-22 Lightning 3 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\NovaLogic\F-22 Lightning 3\Uninst.isu"
FL Studio 6 --> C:\Program Files\Image-Line\FL Studio 6\uninstall.exe
FPS Creator Demo --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E70E9721-A42A-4D7A-8087-AA69614328A0}\Setup.exe" -l0x9
Game Maker 5.3A --> C:\WINDOWS\GPInstall.exe "/UNINST=C:\Program Files\Game_Maker5\UnInst.log" "/APPNAME=Game Maker 5.3A"
Game Maker 6 Resource Pack 1 --> C:\WINDOWS\GPInstall.exe "/UNINST=C:\Program Files\Game_Maker6\UnInstR1.log" "/APPNAME=Game Maker 6 Resource Pack 1"
Game Maker 6 Resource Pack 2 --> C:\WINDOWS\GPInstall.exe "/UNINST=C:\Program Files\Game_Maker6\UnInstR2.log" "/APPNAME=Game Maker 6 Resource Pack 2"
Game Maker 6 Resource Pack 3 --> C:\WINDOWS\GPInstall.exe "/UNINST=C:\Program Files\Game_Maker6\UnInst.log" "/APPNAME=Game Maker 6 Resource Pack 3"
Game Maker 6 Resource Pack 4 --> C:\WINDOWS\GPInstall.exe "/UNINST=C:\Program Files\Game_Maker6\UnInstR4.log" "/APPNAME=Game Maker 6 Resource Pack 4"
Game Maker 6.1 --> C:\Program Files\Game_Maker6\Uninstal.exe
Game Maker 7.0 --> C:\Program Files\Game_Maker7\Uninstal.exe
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar4.dll"
GUIDE PLUS+™ for Windows® System - ATI --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{99D34763-7E45-4FE5-8424-28DBC3A5F0BF}\setup.exe"
Guild Wars --> "D:\Program Files II\gw\Guild Wars\Gw.exe" -uninstall
Harry Potter and the Goblet of Fire™ Demo --> D:\Program Files II\hrypotgof\EAUninstall.exe
Heavy Gear 2 --> D:\PROGRA~1\HEAVVY~1\UNINST~1\UNINST~1.EXE D:\Program Files II\heavvygear\uninstall\Heavy Gear 2.log
HijackThis 1.99.1 --> C:\DOCUME~1\Aaron\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe /uninstall
IconUtils --> "C:\Program Files\IconUtils\uninstall.exe"
InCD --> C:\WINDOWS\NuNInst.exe /UNINSTALL
Install Creator --> C:\Program Files\Install Creator\Uninstal.exe
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
iTunes --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{501BADCD-F8F7-44CB-AC3F-6ED25C1A28B5} /l1033
J2ME Wireless Toolkit 2.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4172B0A9-D860-4612-B154-56F42D47A912}\Setup.exe" -l0x9 -uninst
J2SE Development Kit 5.0 Update 10 --> MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0150100}
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
J2SE Runtime Environment 5.0 Update 8 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150080}
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java 2 Runtime Environment Standard Edition v1.3.1_02 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\JavaSoft\JRE\1.3.1_02\Uninst.isu"
Java 2 Runtime Environment, SE v1.4.2_13 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142130}
Java 2 SDK Standard Edition v1.2.2_017 --> C:\WINDOWS\IsUninst.exe -fC:\jdk1.2.2\Uninst.isu
Java™ SE Development Kit 6 --> MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0160000}
Java™ SE Runtime Environment 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
JCreator LE 3.50 --> "C:\Program Files\Xinox Software\JCreatorV3LE\unins000.exe"
Kaspersky Online Scanner --> C:\WINDOWS\system32\KASPER~1\KASPER~1\kavuninstall.exe
LEGO Studios --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{983A2596-2010-11D4-9103-00105A0DE2E8}\setup.exe" -l0x9
Linksys Wireless-G PCI Adapter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4DDC3BED-CC68-44AA-B435-D727B620CA5B}\setup.exe" -l0x9
LiveUpdate 3.2 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Logitech Print Service --> C:\PROGRA~1\Logitech\PRINTS~1\UNWISE.EXE C:\PROGRA~1\Logitech\PRINTS~1\INSTALL.LOG
Logitech QuickCam --> MsiExec.exe /I{0496D9E9-224B-4AFA-8F37-23B98D52F1EB}
Logitech® Camera Driver --> "C:\Program Files\Common Files\Logitech\QCDRV\BIN\SETUP.EXE" UNINSTALL REMOVEPROMPT
MAGIX music maker SE --> C:\MAGIX\music_maker_SE\unwise.exe
MAGIX playR jukebox --> D:\Program Files II\playR_jukebox\unwise.exe
MaxBlast 3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{639858DD-4966-40F3-A706-7C838BCF3A2B}\setup.exe"
Microsoft Age of Empires II --> "C:\Program Files\Microsoft Games\Age of Empires II\UNINSTAL.EXE" /runtemp /uninstall
Microsoft Age of Empires II: The Conquerors Expansion --> "C:\Program Files\Microsoft Games\Age of Empires II\UNINSTALX.EXE" /runtemp /addremove
Microsoft Halo Trial --> "C:\Program Files\Microsoft Games\Halo Trial\UNINSTAL.EXE" /runtemp /addremove
Microsoft Office 2000 SR-1 Disc 2 --> MsiExec.exe /I{00040409-78E1-11D2-B60F-006097C998E7}
Microsoft Office 2000 SR-1 Professional --> MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Microsoft Windows Journal Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA8}
Mozilla Firefox (1.5.0.10) --> C:\Program Files\Mozilla Firefox\uninstall\uninstall.exe /ua "1.5.0.10 (en-US)"
MSN Gaming Zone --> C:\PROGRA~1\MSNGAM~1\zsetup.exe /Uninstall
MSN Messenger 7.5 --> MsiExec.exe /I{CEB3A11A-03EA-11DA-BFBD-00065BBDC0B5}
MSRedist --> MsiExec.exe /I{B7C61755-DB48-4003-948F-3D34DB8EAF69}
Mystery Case Files Ravenhearst --> "C:\Program Files\MSN Games\Mystery Case Files Ravenhearst\Uninstall.exe" "C:\Program Files\MSN Games\Mystery Case Files Ravenhearst\install.log"
Nalu --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{681F447D-49EC-4D5D-AE0A-145A8AA4E239}\Setup.exe" -l0x9
Nero OEM --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NeroMediaPlayer --> C:\WINDOWS\UNNMP.exe /UNINSTALL
NeroVision Express 2 SE --> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
Norton AntiVirus --> MsiExec.exe /X{830D8CBD-C668-49e2-A969-C2C2106332E0}
Norton Confidential Browser Component --> MsiExec.exe /I{4843B611-8FCB-4428-8C23-31D0A5EAE164}
Norton Confidential Web Protection Component --> MsiExec.exe /I{D353CC51-430D-4C6F-9B7E-52003DA1E05A}
Norton Internet Security --> MsiExec.exe /I{48185814-A224-447A-81DA-71BD20580E1B}
Norton Internet Security --> MsiExec.exe /I{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}
Norton Internet Security --> MsiExec.exe /I{E3EFA461-EB83-4C3B-9C47-2C1D58A01555}
Norton Internet Security --> MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}
Norton Internet Security (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}_10_2_0_30\{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}.exe" /X
Norton Protection Center --> MsiExec.exe /I{9A129ABC-A53A-4209-A21E-D5DEDFB7CCA8}
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Optical Quantum Control --> C:\WINDOWS\system32\javaws.exe -uninstall -prompt "http://phet-web.colorado.edu/simulations/shaper/shaper.jnlp"
Palm Desktop --> MsiExec.exe /X{E89D78B8-28F7-412F-8B26-C684739CBBDC}
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
Pokémon Project Studio Blue --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\The Learning Company\Pokémon Project Studio Blue\Uninst.isu"
Prisms of Light 2 --> D:\Uninstal.exe
PSPad editor --> "D:\PSPad editor\Uninst\unins000.exe"
Quest3D 3.0d Demo --> "D:\Program Files II\quest\Quest3D 3.0d Demo\unins000.exe"
Quest3D Virtual Club 1.1 --> C:\Program Files\Quest3D\Virtual Club\Q3DUnInst.exe
QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{929408E6-D265-4174-805F-81D1D914E2A4} /l1033
Radio Waves and Electro-magnetic Fields --> C:\WINDOWS\system32\javaws.exe -uninstall -prompt "http://phet-web.colorado.edu/simulations/emf/emf.jnlp"
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
RGSS-RTP Standard --> MsiExec.exe /I{5A9FE525-8B8F-4701-A937-7F6745A4E9C7}
RPGToolkit, Version 3.0.6 --> C:\Program Files\Toolkit3\uninstall.exe
SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
Starcraft --> C:\WINDOWS\SCunin.exe C:\WINDOWS\SCunin.dat
StepMania (remove only) --> "C:\Program Files\StepMania\uninstall.exe"
StepMania CVS 4.0 (remove only) --> "C:\Program Files\StepMania CVS\uninstall.exe"
Super Collapse! II --> C:\PROGRA~1\GAMEHO~1\COLLAP~1\UNWISE.EXE /U C:\PROGRA~1\GAMEHO~1\COLLAP~1\INSTALL.LOG
Symantec KB-DocID:2003093015493306 --> MsiExec.exe /I{08C5815C-2C6E-44f8-8748-0E61BC9AFB68}
SymNet --> MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}
Tachyon Demo --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\NovaLogic\Tachyon Demo\Uninst.isu"
TeamSpeak 2 RC2 --> "C:\Program Files\Teamspeak2_RC2\unins000.exe"
TeamSpeak 2 Server RC2 --> "D:\Program Files II\Teamspeak2_RC2\unins000.exe"
Text-To-Speech-Runtime --> MsiExec.exe /X{7B3F0113-E63C-4D6D-AF19-111A3165CCA2}
TI Connect 1.6 --> MsiExec.exe /I{A8B94669-8654-4126-BD28-D0D2412CDED6}
Torque Game Engine Demo (remove only) --> "D:\Program Files II\tourque demo\USE THIS ONE\Torque Game Engine Demo\uninst-demo.exe"
Torque Warzone Demo (remove only) --> "D:\Program Files II\tourque demo\Torque Warzone Demo\uninst-demo.exe"
Tropical Screensaver --> C:\WINDOWS\ss3unstl.exe "Tropical Screensaver"
TypingMaster Pro --> "C:\Program Files\TypingMaster\unins000.exe"
Viewpoint Media Player (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Media Player\\mtsAxInstaller.exe /u
Virtual FlashCards 2.1 --> "C:\Program Files\Virtual FlashCards\unins000.exe"
VMN Toolbar --> C:\Program Files\vmntoolbar\uninstall.exe -uninstall -prompt
Windows Media Encoder 9 Series --> msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Encoder 9 Series --> MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
World of Warcraft --> C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft (3)\Uninstall.exe
Worms2 --> C:\WINDOWS\IsUninst.exe -fC:\Team17\Worms2\Uninst.isu
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


-- End of Deckard's System Scanner: finished at 2007-04-13 at 19:01:22 ---------



blacklight

04/13/07 19:14:58 [Info]: BlackLight Engine 1.0.61 initialized
04/13/07 19:14:58 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/13/07 19:14:58 [Note]: 7019 4
04/13/07 19:14:58 [Note]: 7005 0
04/13/07 19:15:03 [Note]: 7006 0
04/13/07 19:15:03 [Note]: 7022 0
04/13/07 19:15:03 [Note]: 7011 1524
04/13/07 19:15:03 [Note]: 7026 0
04/13/07 19:15:03 [Note]: 7026 0
04/13/07 19:15:08 [Note]: FSRAW library version 1.7.1021
04/13/07 19:24:25 [Note]: 2000 1012
04/13/07 19:24:45 [Note]: 7007 0

#7 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,522 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:57 PM

Posted 14 April 2007 - 09:54 PM

OK, sorry for your wait, there is a lot to go over in these logs. You do have signs of having been infected, but it is hard to tell if anything is still active or not. I have to be honest here: there are some very creative infections that target World of Warcraft users that are well nigh impossible to find and remove. Before we proceed, I strongly suggest you back up any important data, as you may be looking at a reformat and attempts at removal could result in loss of data.

AVGAS removed Burn4Free because it is rated as an Adware program: http://www.sophos.com/virusinfo/analyses/burn4free.html

Please go to Add/Remove programs and uninstall Burn4Free CD and DVD then delete the folder at D:\Program Files II\Burn4Free.

Then check the following link for safe and free replacement: http://www.bleepingcomputer.com/forums/topic3616.html

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the following file and click Submit.

C:\WINDOWS\system32\90BAB9B612.sys

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virus Total: http://www.virustotal.com/flash/index_en.html

It appears your file Association for reg files has been altered. If you have not done this yourself, check to see if you can open your registry editor by going to START>Run type in regedit and hit Enter.

To repair this file association, download Doug Knox's xp_regfile.reg file attached below and save it to your desktop. Then double-click the file and allow it to merge with your registry. Since this is a regfile association, you may not be able to merge it successfully, so try this if so:

Press CTRL-ALT-DEL and open Task Manager. Once there, click File, then hold down the CTRL key and click New Task (Run). This will open a Command Prompt window. Enter REGEDIT.EXE and press Enter. Then go to File> Import. Navigate to the xp_regfile.reg file on your desktop and click on Open. Let me know how that goes.

The DSS log shows some folders and files added recently. It is unclear whether they have been created by you or not. I also notice some programming tools in your log, so please go through the following list and let me know if they are known to you.

2007-04-08 20:55:37 0 d-------- C:\LD
2007-03-28 00:06:56 0 d-------- C:\helppppp
2007-03-27 23:55:22 0 d-------- C:\asdf
2007-03-27 19:05:25 65582 --a------ C:\Documents and Settings\Aaron\hisave
2007-03-26 21:24:34 0 d-------- C:\web
2007-03-18 09:03:04 0 d-------- C:\music2

Also do you know what this program is in your Add/Remove list:

Nalu

Now please download Combofix to your desktop.
Doubleclick combo.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.

Let me know if any of these steps have helped.

You mentioned that the computer was beeping. It sounds like it could be a POST test beep code--review the following page and let me know what the pattern is if so: http://www.computerhope.com/beep.htm

Also, could you give me a bit better idea of your setup? You have one hard drive divided into three partitions, correct? If you could tell me what you use the partitions for, whether you only partitioned recently and have always had this problem, or whether it started when you installed something like burn4free, etc., the more details you can remember will only help.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson

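The two autorun listings posted in this thread (the DSS dump of the `...\CurrentVersion\Run` keys and the HijackThis `O4` lines) are what a helper reads first when looking for an active infection. The Python below is an added example, not code from this thread, from HijackThis or from Deckard's System Scanner: it parses both formats, pulls out the program each entry launches, and flags entries whose target is gone, for example because it sat on a volume that has since been reformatted. The sample lines are copied from the logs above; `PRESENT_FILES` is a constructed stand-in for a real on-disk check (`os.path.exists`) so the script runs on any machine, and `WIPED_DRIVES`, `triage` and the other names are this example's own.

```python
"""Offline triage of Windows autorun entries (added example, see lead-in)."""
import re
from typing import Dict, List, NamedTuple, Optional, Set


class AutorunEntry(NamedTuple):
    source: str          # "reg" or "hjt"
    name: str            # value name, e.g. "InCD"
    command: str         # command line as stored in the registry
    exe: Optional[str]   # program launched, None if it cannot be identified


# "Name"="value" lines in a .reg export
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')
# only the Run key itself, not Run\OptionalComponents\...
REG_RUN_KEY_RE = re.compile(r'^\[.*\\currentversion\\run\]$', re.IGNORECASE)
# HijackThis O4 autorun lines
HJT_O4_RE = re.compile(r'^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
# program part of a command line: a quoted token, or everything up to the first .exe
EXE_RE = re.compile(r'^"([^"]+)"|^(.*?\.exe)(?=\s|$)', re.IGNORECASE)


def unescape_reg(value: str) -> str:
    # .reg escaping: a doubled backslash is one backslash, a backslash-quote is a quote
    out, i = [], 0
    while i < len(value):
        if value[i] == '\\' and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return ''.join(out)


def command_exe(command: str) -> Optional[str]:
    m = EXE_RE.match(command.strip())
    return (m.group(1) or m.group(2)) if m else None


def parse_reg_dump(text: str) -> List[AutorunEntry]:
    entries, in_run_key = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('['):
            in_run_key = bool(REG_RUN_KEY_RE.match(line))
            continue
        m = REG_VALUE_RE.match(line) if in_run_key else None
        if m:
            cmd = unescape_reg(m.group('value'))
            entries.append(AutorunEntry('reg', m.group('name'), cmd, command_exe(cmd)))
    return entries


def parse_hjt_log(text: str) -> List[AutorunEntry]:
    entries = []
    for line in text.splitlines():
        m = HJT_O4_RE.match(line.strip())
        if m:
            cmd = m.group('cmd')
            entries.append(AutorunEntry('hjt', m.group('name'), cmd, command_exe(cmd)))
    return entries


def triage(entries: List[AutorunEntry], present_files: Set[str],
           wiped_drives: Set[str]) -> Dict[str, str]:
    """Map entry name -> reason, for entries that deserve a second look."""
    present = {p.lower() for p in present_files}
    wiped = {d.lower() for d in wiped_drives}
    findings: Dict[str, str] = {}
    for e in entries:
        if e.exe is None:
            findings[e.name] = 'no program could be identified in the command'
            continue
        exe = e.exe.lower()
        if not re.match(r'^[a-z]:', exe):
            continue  # bare names such as rundll32.exe resolve via PATH; skip
        if exe[:2] in wiped:
            findings[e.name] = f'launches from reformatted volume {exe[:2].upper()}'
        elif exe not in present:
            findings[e.name] = f'target not found on disk: {e.exe}'
    return findings


# Sample lines copied from the logs in this thread; the reg dump keeps .reg escaping.
REG_DUMP = r'''
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"ATI Launchpad"=""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"InCD"="D:\\Program Files II\\nero\\InCD\\InCD.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
'''
HJT_LOG = r'''
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] D:\Program Files II\nero\InCD\InCD.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
'''
# Constructed stand-in for what is on disk (RealPlay.exe deliberately left out).
PRESENT_FILES = {
    r'C:\Program Files\MSN Messenger\msnmsgr.exe',
    r'C:\WINDOWS\system32\ctfmon.exe',
    r'C:\WINDOWS\system32\NeroCheck.exe',
    r'C:\PROGRA~1\AIM\aim.exe',
}
WIPED_DRIVES = {'D:'}   # the poster reformats D: repeatedly

if __name__ == '__main__':
    for label, entries in (('reg', parse_reg_dump(REG_DUMP)), ('hjt', parse_hjt_log(HJT_LOG))):
        for name, reason in triage(entries, PRESENT_FILES, WIPED_DRIVES).items():
            print(f'[{label}] {name}: {reason}')
```

Run as is, it reports the empty `ATI Launchpad` value, the `InCD` entry still registered to launch from `D:\Program Files II` (a folder the poster says no longer exists after reformatting), and the constructed missing `RealPlay.exe`. Orphaned entries like `InCD` are leftovers rather than infections, but the same check is what surfaces an autorun pointing at a temp folder or an unexpected location. Two caveats for real use: replace `PRESENT_FILES` with `os.path.exists`, and resolve 8.3 short names such as `C:\PROGRA~1` before comparing, since the string comparison here treats them as different paths.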

#8 rat2255

rat2255
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:04:57 PM

Posted 15 April 2007 - 12:16 AM

I removed Burn4Free CD and DVD in Add/Remove Programs, but I couldn't delete it from Program Files II because there is no Program Files II, because I have reformatted my D: many times.

Here is the Jotti scan.

Scan taken on 15 Apr 2007 04:38:07 (GMT)
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


I can open regedit, but I didn't change any of those files. I was unclear whether I was supposed to run xp_regfile.reg if I couldn't open regedit or if I didn't change the regedit files myself, so I did not run it.

I know all of the folders except hisave, and Nalu is an Nvidia demo that came with the graphics card.

Also, the ComboFix link led to a 404 error :thumbsup:

About the beeping: my computer doesn't beep, but it sounds more like it is trying to access my hard drive, with a staccato sound for hours on end (very annoying) until I reformat.

Also, my computer has two hard drives: the first one has C:/ and the second had D:/. After exiting World of Warcraft the problem started. After about 20 reformats, I finally decided to see if it was a hardware problem, so I partitioned my second drive into D:/ and E:/. After the problem came back I couldn't get into the D:/ drive, but E:/ was perfectly fine, so I assumed it was not hardware, or D:/ and E:/ would have both been corrupted.

The only file that may have caused it was a free audio converter which I got off of the net about a week before it happened, then uninstalled after using it. I do not, though, remember what it was called.

If I can't get rid of the virus then I might just take out my D:/ drive, but then (if it is a virus) it might go after my C:/ drive, which has all of my remaining files on it, and if that happened I probably would just reinstall my computer from scratch (which would not be good).

I hope this helps.

Edited by rat2255, 15 April 2007 - 12:20 AM.


#9 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,522 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:57 PM

Posted 15 April 2007 - 12:50 AM

My bad on both the attachment and the link. Find the attachment below. Run it unless you have a good reason not to that you know of.

Here's the good link to ComboFix: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

I'll get back with you on the rest when I see the log.

Attached Files


The fate of all mankind, I see

Is in the hands of fools

--King Crimson


#10 rat2255

rat2255
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:04:57 PM

Posted 15 April 2007 - 09:44 PM

xp_regfile worked and merged.

Here is the HijackThis file.

Logfile of HijackThis v1.99.1
Scan saved at 9:38:20 PM, on 4/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\CompuServe 7.0\cstray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\Aaron.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] D:\Program Files II\nero\InCD\InCD.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CompuServe 7.0 Tray Icon.lnk = C:\Program Files\CompuServe 7.0\cstray.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files II\MS Office 2000\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = D:\Program Files II\MS Office 2000\Office\1033\OLFSNT40.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135775985904
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173303152968
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Unknown owner - D:\Program Files II\nero\InCD\InCDsrv.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)

ComboFix log:

"Aaron" - 07-04-15 21:15:13 Service Pack 2
ComboFix 07-04-05.Rev3 - Running from: "C:\Documents and Settings\Aaron\Desktop"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\screensavers.com\Wallpaper\swpstart.exe
C:\DOCUME~1\Aaron\Desktop.\internet explorer.lnk
C:\WINDOWS\system32\vbzip11.dll
C:\WINDOWS\hosts
C:\Program Files\screensavers.com


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\nm


((((((((((((((((((((((((((((((( Files Created from 2007-03-15 to 2007-04-15 ))))))))))))))))))))))))))))))))))


2007-04-14 11:37 <DIR> d-------- C:\WINDOWS\system32\New Folder
2007-04-13 10:01 <DIR> d-------- C:\testffr
2007-04-13 09:50 <DIR> d-------- C:\movies
2007-04-13 07:14 899,952 --a------ C:\fsbl.exe
2007-04-13 06:56 <DIR> d-------- C:\Deckard
2007-04-13 03:10 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-04-13 01:29 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-08 08:55 <DIR> d-------- C:\LD
2007-04-07 12:34 <DIR> d-------- C:\HJT
2007-04-07 10:47 <DIR> d-------- C:\qbasic
2007-04-03 08:28 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-04-03 03:43 1,843,584 --------- C:\WINDOWS\system32\win32k.sys
2007-03-31 12:40 <DIR> d-------- C:\Program Files\Maxtor
2007-03-31 12:39 <DIR> d-------- C:\DOCUME~1\PATRIC~1\APPLIC~1\Adobe
2007-03-31 10:50 <DIR> d-------- C:\DOCUME~1\PATRIC~1\APPLIC~1\VMNTOOLBAR
2007-03-28 12:06 <DIR> d-------- C:\helppppp
2007-03-28 12:03 <DIR> d-------- C:\Program Files\Visicom Media
2007-03-27 11:55 <DIR> d-------- C:\asdf
2007-03-27 11:29 <DIR> d-------- C:\DOCUME~1\Aaron\APPLIC~1\Visicom Media
2007-03-27 11:28 <DIR> d-------- C:\Program Files\vmntoolbar
2007-03-27 11:28 <DIR> d-------- C:\Program Files\VMN
2007-03-27 11:28 <DIR> d-------- C:\DOCUME~1\Aaron\APPLIC~1\vmntoolbar
2007-03-26 09:24 <DIR> d-------- C:\web
2007-03-26 09:19 84,992 --a------ C:\WINDOWS\system32\Ledit32.dll
2007-03-26 09:19 70,656 --a------ C:\WINDOWS\system32\vspell32.dll
2007-03-26 09:19 102,912 --a------ C:\WINDOWS\system32\Vb6stkit.dll
2007-03-23 08:11 <DIR> d-------- C:\Program Files\World of Warcraft
2007-03-18 09:03 <DIR> d-------- C:\music2


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-15 12:27 -------- d-------- C:\Program Files\compuserve 7.0
2007-04-15 12:19 -------- d-------- C:\Program Files\toolkit3
2007-04-15 09:14 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-04-07 02:24 -------- d-------- C:\Program Files\stepmania
2007-04-03 10:36 -------- d-------- C:\Program Files\quicktime
2007-04-03 10:35 -------- d-------- C:\Program Files\palmone
2007-04-03 10:32 -------- d-------- C:\Program Files\norton internet security
2007-04-03 10:32 -------- d-------- C:\Program Files\msn messenger
2007-04-03 10:19 -------- d-------- C:\Program Files\linksys wireless-g pci wireless network monitor
2007-04-03 09:57 -------- d-------- C:\Program Files\itunes
2007-04-03 09:53 -------- d-------- C:\Program Files\google
2007-03-31 12:40 -------- d--h----- C:\Program Files\installshield installation information
2007-03-31 01:59 -------- d-------- C:\Program Files\snapshot viewer
2007-03-27 09:38 -------- d-------- C:\Program Files\msn games
2007-03-27 09:34 -------- d-------- C:\Program Files\bittorrent
2007-03-17 08:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-08 11:00 -------- d-------- C:\Program Files\debugmode
2007-03-08 10:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 10:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 10:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 08:12 -------- d--h----- C:\Program Files\windowsupdate
2007-03-07 04:46 -------- d-------- C:\Program Files\movie maker
2007-03-06 10:13 -------- d-------- C:\DOCUME~1\Aaron\APPLIC~1\uniblue
2007-03-06 09:00 76560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-03-02 12:20 56 -r-hs---- C:\WINDOWS\system32\90bab9b612.sys
2007-03-02 12:20 1056 --ahs---- C:\WINDOWS\system32\kgygaavl.sys
2007-03-02 12:18 -------- d-------- C:\Program Files\Common Files\enterbrain
2007-03-02 01:27 -------- d-------- C:\Program Files\game_maker7
2007-03-01 11:08 8552 --a------ C:\WINDOWS\system32\drivers\asctrm.sys
2007-03-01 01:49 -------- d-------- C:\Program Files\copy of stepmania
2007-02-24 10:18 48776 --a------ C:\WINDOWS\system32\s32evnt1.dll
2007-02-24 10:18 115000 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-02-24 10:18 -------- d-------- C:\Program Files\symantec
2007-02-24 10:11 -------- d-------- C:\Program Files\norton antivirus
2007-02-20 09:32 -------- d-------- C:\DOCUME~1\Aaron\APPLIC~1\hamachi
2007-02-20 09:25 17480 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2007-02-19 06:05 -------- d-------- C:\Program Files\game_maker6
2007-02-17 10:17 -------- d-------- C:\DOCUME~1\Aaron\APPLIC~1\teamspeak2
2007-02-05 03:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"ATI Launchpad"=""
"ATI Scheduler"="C:\\Program Files\\ATI Multimedia\\main\\ATISched.EXE"
"LogitechSoftwareUpdate"="\"C:\\Program Files\\Logitech\\Video\\ManifestEngine.exe\" boot"
"BitTorrent"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
"AIM"="C:\\PROGRA~1\\AIM\\aim.exe -cnetwait.odl"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"NBJ"="\"C:\\Program Files\\Ahead\\Nero BackItUp\\NBJ.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"InCD"="D:\\Program Files II\\nero\\InCD\\InCD.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"LVCOMSX"="C:\\WINDOWS\\system32\\LVCOMSX.EXE"
"LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe"
"LogitechVideoTray"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"C:\\Program Files\\Norton Internet Security\\osCheck.exe\""
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=dword:00000001
"AllowUnhashedWebView"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"_NoDriveTypeAutoRun"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_COMHOST
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_GTNDIS5



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070413-132600-337
O3 - Toolbar: (no name) - {2ECB7FB2-0333-416F-92FD-4904AD49252B} - (no file)

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - Patrick F Angert.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-15 21:32:29
C:\ComboFix-quarantined-files.txt ... 07-04-15 09:32

#11 Papakid

Papakid
Guru at being a Newbie

  • Malware Response Team
  • 6,522 posts
  • Gender:Male
  • Local time:03:57 PM

Posted 17 April 2007 - 12:59 AM

OK, ComboFix didn't find any WOW related infections, but did delete some other low level baddies.

I don't see C:\Documents and Settings\Aaron\hisave in the list of recent files anymore. Did you delete it? Was it a file or folder?

Also two new folders. Do you know about these as well?

C:\WINDOWS\system32\New Folder
C:\testffr

Jotti seems to think the file you submitted is clean but I would like to check it out a bit more and get some more info on it.

Download this program:

submit files packer

Highlight the file listed below in bold and right-click and select copy.

C:\WINDOWS\system32\90BAB9B612.sys

Then start the file packer program and right click in the white box and select paste to paste the copied file names in the field.

Then press the Continue button.

It will create an archive with these files and a small log on your Desktop that starts with a name like requested-file[date].cab.

Make sure file extensions are still showing and then rename this file to rat2255.cab.

Then go to:
http://www.bleepingcomputer.com/submit-malware.php
and fill in the required fields and browse to this file on your desktop. Finally click on the Send File button.

Download Registry Search.

- Create a new folder on your desktop named Regsearch
- Extract regsearch.zip file to the newly created folder.
- Open the Regsearch folder and double click regsearch.exe to start the program.
- Use copy and paste to enter the following bold text to search for and click OK. Note: Enter each search term one at a time so that each one is on a separate line in RegSearch.

C:\WINDOWS\system32\90BAB9B612.sys
TypingMaster.exe


- Notepad will be opened with text in it (the file will also be saved in the Regsearch folder as well).

Post this text in your next reply. If the Notepad file is very long you can attach it, but I prefer to see it posted.

Please run a GMER Rootkit scan:

Download GMER from here:
http://www.gmer.net/gmer.zip

Unzip it to the desktop and start GMER.exe
Click the Rootkit tab and click the Scan button.

Warning! Please do not select the "Show all" checkbox during the scan.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results here in your next reply.

If you're having problems with running GMER.exe, try it in safe mode.

Regarding the D drive problem--did you use Windows Disk Management tool or something else to create the partitions? I see Maxtor as a recent addition so perhaps you used MaxBlast? Is Maxtor your second hard drive and the one you originally had the D and E drives set up on? Some of these WOW infections do some pretty bizarre things, but if we don't find anything it may be a problem with the software or how you set up the partitions, even if the hard drive itself is OK. So still may be hardware related, which is not my strong suit. I'll be asking some hardware guys to have a look in here and think they could use the additional information.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson
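
As an added illustration (not from the thread, and not code from ComboFix, RegSearch or GMER) of why a helper singles out an entry like C:\WINDOWS\system32\90BAB9B612.sys for a closer look: a small Python triage script that parses lines in the layout of ComboFix's file listings and reports the red flags that are visible in the log itself. The sample lines are constructed for this example, modelled on the log above, and the heuristics are the author's assumptions about what a log reader checks by eye.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the layout of ComboFix's "Files Created" / "Find3M"
# sections, modelled on entries from the log posted above (not a real capture).
SAMPLE_LOG = """\
2007-03-17 08:43 292864 --a------ C:\\WINDOWS\\system32\\winsrv.dll
2007-03-02 12:20 56 -r-hs---- C:\\WINDOWS\\system32\\90bab9b612.sys
2007-03-02 12:20 1056 --ahs---- C:\\WINDOWS\\system32\\kgygaavl.sys
2007-04-13 03:10 524,288 --ah----- C:\\DOCUME~1\\ADMINI~1\\NTUSER.DAT
2007-04-14 11:37 <DIR> d-------- C:\\WINDOWS\\system32\\New Folder
2007-03-01 11:08 8552 --a------ C:\\WINDOWS\\system32\\drivers\\asctrm.sys
"""

# date time size attrs path; the 9-char attrs field is read here as
# d(irectory) r(eadonly) a(rchive) h(idden) s(ystem) followed by four unused
# positions, which is an assumption inferred from the entries in the log.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (<DIR>|[\d,]+) "
    r"([d-][r-][a-][h-][s-]-{4}) (.+)$"
)


@dataclass
class Entry:
    date: str
    size: Optional[int]   # None for directories
    is_dir: bool
    hidden: bool
    system: bool
    path: str


def parse_combofix_listing(text: str) -> List[Entry]:
    """Pick out file entries; section banners and other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        date, _time, size, attrs, path = m.groups()
        entries.append(Entry(
            date=date,
            size=None if size == "<DIR>" else int(size.replace(",", "")),
            is_dir=attrs[0] == "d",
            hidden=attrs[3] == "h",
            system=attrs[4] == "s",
            path=path,
        ))
    return entries


def suspicious_reasons(e: Entry) -> List[str]:
    """Each returned string is one red flag a log reader would note."""
    reasons = []
    low = e.path.lower()
    name = low.rsplit("\\", 1)[-1]
    in_system32 = "\\windows\\system32\\" in low
    if not e.is_dir and e.hidden and e.system and in_system32:
        reasons.append("hidden+system attributes on a file in system32")
    if re.fullmatch(r"[0-9a-f]{8,}\.sys", name):
        reasons.append("random hex driver name")
    # A PE image begins with a 64-byte DOS header, so a '.sys' file smaller
    # than that cannot be a loadable driver at all.
    if e.size is not None and e.size < 64 and name.endswith(".sys"):
        reasons.append(f"{e.size} bytes is too small to be a PE image")
    return reasons


def triage(text: str) -> dict:
    """Map each flagged path to its list of reasons."""
    return {e.path: r for e in parse_combofix_listing(text)
            if (r := suspicious_reasons(e))}


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

On the sample, the 56-byte hidden/system file with the hex name collects all three flags, kgygaavl.sys collects one, and the ordinary system DLL, the user's hidden NTUSER.DAT and the new directory collect none.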


#12 rat2255

rat2255
  • Topic Starter
  • Members
  • 7 posts
  • Local time:04:57 PM

Posted 17 April 2007 - 05:07 PM

I did not delete hisave and it was a file.
I do know testffr and New Folder.

I uploaded the file as rat2255.cab.

Here is the RegSearch:

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.2.0

; Results at 4/17/2007 3:32:27 PM for strings:
; 'c:\windows\system32\90bab9b612.sys'
; 'typingmaster.exe'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\sys]
"a"="C:\\WINDOWS\\system32\\90BAB9B612.sys"

; End Of The Log...


Here is the GMER:


GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-04-17 16:57:42
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT 822380C0 ZwAlertResumeThread
SSDT 8218B0E0 ZwAlertThread
SSDT 821AD960 ZwAllocateVirtualMemory
SSDT 82161400 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwCreateKey
SSDT 82283AD0 ZwCreateMutant
SSDT 8218E670 ZwCreateThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwDeleteKey
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwDeleteValueKey
SSDT 8219F788 ZwFreeVirtualMemory
SSDT 822A1718 ZwImpersonateAnonymousToken
SSDT 82202BA0 ZwImpersonateThread
SSDT 8218E9C0 ZwMapViewOfSection
SSDT 82208CE8 ZwOpenEvent
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT 82160BF8 ZwOpenProcessToken
SSDT 8219D678 ZwOpenThreadToken
SSDT 820C7280 ZwResumeThread
SSDT 821B1C08 ZwSetContextThread
SSDT 821A3428 ZwSetInformationProcess
SSDT 82286338 ZwSetInformationThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwSetValueKey
SSDT 82173900 ZwSuspendProcess
SSDT 8222FB78 ZwSuspendThread
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess
SSDT 821FE0B8 ZwTerminateThread
SSDT 821BA870 ZwUnmapViewOfSection
SSDT 821A75A0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!_abnormal_termination + C9 804E2725 3 Bytes [ 14, 16, 82 ]
? C:\WINDOWS\System32\DRIVERS\update.sys

---- User code sections - GMER 1.0.12 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[2268] USER32.dll!SetWindowLongA 7E41D60D 5 Bytes JMP 00B5FFBA C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2268] USER32.dll!SetWindowLongW 7E41D62B 5 Bytes JMP 00B5FFEB C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2268] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 009CF205 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2268] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 00B5FEBF C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2268] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 00B5FE40 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2268] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 00B5FE84 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2268] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 00B5FDCC C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2268] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 00B5FE06 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2268] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 00B5FEFA C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2268] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 009F15DA C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3720] USER32.dll!SetWindowLongA 7E41D60D 5 Bytes JMP 00B5FFBA C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3720] USER32.dll!SetWindowLongW 7E41D62B 5 Bytes JMP 00B5FFEB C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3720] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 009CF205 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3720] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 00B5FEBF C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3720] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 00B5FE40 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3720] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 00B5FE84 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3720] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 00B5FDCC C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3720] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 00B5FE06 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3720] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 00B5FEFA C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3720] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 009F15DA C:\WINDOWS\system32\IEFRAME.dll

---- Registry - GMER 1.0.12 ----

Reg \Registry\USER\S-1-5-21-515967899-1454471165-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F4C61EA8-D2DC-BB5B-385A-A747C2A37799}@abgfoiedobjoblmaapklamhlngefpnfjpf 0x64 0x61 0x6D 0x66 ...
Reg \Registry\USER\S-1-5-21-515967899-1454471165-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F4C61EA8-D2DC-BB5B-385A-A747C2A37799}@bbgfoiedobjoblmaapbmhmpgmcjkmehgapca 0x67 0x61 0x63 0x67 ...

---- EOF - GMER 1.0.12 ----

Also I usually re-format my D:/ drive under My Computer, but the one time I did use MaxBlast to re-format and partition it, it still had the problem.
Maxtor is the second hard drive I originally had my D:/ drive on, then partitioned to D:/ and E:/ with MaxBlast.

I hope this helps.



