Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Registry


  • Please log in to reply
23 replies to this topic

#1 mictamcody2000

mictamcody2000

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Location:Lansing, Michigan
  • Local time:11:14 AM

Posted 26 April 2007 - 03:43 PM

Everytime i go to do ctrl + alt + Delete i get the "Task Manager has been disabled by your Administrator" Message, also when i go to myspace it wont let me go there there may be a few more but those are the 2 that bug me the most.

And when i went into my registry and changed it back so i could use the task manager and i had to go restart and when i restarted the registry entries changed back so i could'nt use the task manager again.


Well heres my Hijack This log:


Logfile of HijackThis v1.99.1
Scan saved at 4:39:21 PM, on 4/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Windows folder: C:\WINDOWS
System folder: C:\WINDOWS\SYSTEM32
Hosts file: C:\WINDOWS\System32\drivers\etc\hosts

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Cain\Abel.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\apache\APACHE.EXE
c:\apache\APACHE.EXE
C:\Program Files\WinPcap\rpcapd.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Yahoo!\YCentral\YahooCentral.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\bcmntray.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HPQ\Shared\hpqwmi.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Xfire\xfire.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\StealthBot\StealthBot v2.6R3.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Diablo II\RedVex21\RedVex.exe
C:\Program Files\bots\StealthBot v2.6R3.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Mike\Desktop\hijackthis_199\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:4001
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: World Tv Center Toolbar - {e077da94-6314-41f1-9f08-6607df65952e} - C:\Program Files\World_Tv_Center\tbWor1.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exeC:\WINDOWS\system32\Userinit.exe
O1 - Hosts: 69.49.130.252 www.eepybird.com
O1 - Hosts: 82.94.237.219 wiki.python.org
O1 - Hosts: 216.213.19.27 www.bleepingcomputer.com
O1 - Hosts: 216.144.1.8 www.nthelp.com
O1 - Hosts: 208.97.163.111 www.criticalsecurity.net
O1 - Hosts: 216.152.67.223 forums.d2jsp.org
O1 - Hosts: 216.152.67.223 forums.d2jsp.org
O1 - Hosts: 69.17.116.124 www.rohitab.com
O1 - Hosts: 72.247.29.49 support.f-secure.com
O1 - Hosts: 147.202.84.254 www.windowsecurity.com
O1 - Hosts: 67.15.10.83 www.free2code.net
O1 - Hosts: 216.183.112.222 www.cheatcc.com
O1 - Hosts: 24.106.94.101 www.make-a-web-site.com
O1 - Hosts: 207.210.115.178 www.pagetutor.com
O1 - Hosts: 209.85.48.3 z6.invisionfree.com
O1 - Hosts: 66.230.200.100 en.wikipedia.org
O1 - Hosts: 207.46.244.190 v4.windowsupdate.microsoft.com
O1 - Hosts: 209.85.48.3 z6.invisionfree.com
O1 - Hosts: 216.178.32.49 www.myspace.com
O1 - Hosts: 161.109.100.105 www.networksecuritytech.com
O1 - Hosts: 72.32.70.167 www.sherv.net
O1 - Hosts: 209.190.85.251 rpgforums.byethost9.com
O1 - Hosts: 205.234.192.222 www.security-forums.com
O1 - Hosts: 72.32.70.167 www.sherv.net
O1 - Hosts: 207.126.123.20 inventors.about.com
O1 - Hosts: 66.230.204.174 www.consolecheatcodes.com
O1 - Hosts: 209.87.178.244 nct.symantecstore.com
O1 - Hosts: 64.207.135.66 www.tech-recipes.com
O1 - Hosts: 216.148.223.71 www.battle.net
O1 - Hosts: 67.19.175.66 www.mp3bleeps.com
O1 - Hosts: 72.36.167.51 utterlyboring.com
O1 - Hosts: 209.87.209.44 www.zonelabs.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (filesize 59032 bytes, MD5 4EA3A6CD9D20584FFAFDB1E47DBF0E20)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL (filesize 2210608 bytes, MD5 786DD1892B553EFE5A004AC39775C851)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (filesize 501400 bytes, MD5 70FD57D6EDBED8D80C1995257C99D27E)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (filesize 324416 bytes, MD5 52A70C80A446FA3BBCDAF59A9AB26AF4)
O2 - BHO: World Tv Center Toolbar - {e077da94-6314-41f1-9f08-6607df65952e} - C:\Program Files\World_Tv_Center\tbWor1.dll (filesize 1297432 bytes, MD5 387BEECCBC28FE61336E3FE1F3D3F21D)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: World Tv Center Toolbar - {e077da94-6314-41f1-9f08-6607df65952e} - C:\Program Files\World_Tv_Center\tbWor1.dll (filesize 1297432 bytes, MD5 387BEECCBC28FE61336E3FE1F3D3F21D)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exeC:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" (filesize 83608 bytes, MD5 9C1C80BBF8E6044980890E2D2D91091C)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe" (filesize 24104 bytes, MD5 B95CAC6DD903338C2DA88ADCA85151FD)
O4 - HKLM\..\Run: [YCentral] C:\Program Files\Yahoo!\YCentral\YahooCentral.exeC:\Program Files\Yahoo!\YCentral\YahooCentral.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC (filesize 59392 bytes, MD5 1B17E09C1223F6D17336D2DD7A1AF4F4)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 (filesize 208952 bytes, MD5 7BBE4CF421AECC7F0226EDD75F12079F)
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exeC:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exeC:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeC:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\bcmntray (filesize 1044480 bytes, MD5 5A4557451D70524F78200D63D7BB0F6B)
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exeC:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (filesize 282624 bytes, MD5 30E1F03DCC8825988528D9058312EDE2)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" (filesize 257088 bytes, MD5 B0E9EFADF04E9E25C0001B48757F3E71)
O4 - HKLM\..\Run: [CoreComponent] krnl32.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" (filesize 31016 bytes, MD5 38D198A2DD54A67120040566A38103BA)
O4 - HKLM\..\Run: [Startup32512] C:\WINDOWS\system32\taskmagr.exe
O4 - HKLM\..\Run: [OGAutoStart] C:\WINDOWS\system32\taskmagr.exe
O4 - HKLM\..\RunServices: [Kernel32] krnl32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (filesize 4670968 bytes, MD5 81BCD9B9A86C3559F5BCFE56519A9A19)
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO (filesize 603016 bytes, MD5 86F6CC239F7D981B7E399D6C3055035A)
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (filesize 5674352 bytes, MD5 C4281AD865739E71FD1E4DAC19A68D60)
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (filesize 1694208 bytes, MD5 74E6E96C6F0E2ECA4EDBB7F7A468F259)
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exeC:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (filesize 113664 bytes, MD5 C2FF17734176CD15221C10044EF0BA1A)
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (filesize 98632 bytes, MD5 D91AFB6D2A0DA7539B74FB5838775D94)
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe (filesize 2702928 bytes, MD5 B648CE6C7E3DD2596D7629AEADEC6450)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (filesize 501400 bytes, MD5 70FD57D6EDBED8D80C1995257C99D27E)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (filesize 501400 bytes, MD5 70FD57D6EDBED8D80C1995257C99D27E)
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll (filesize 604000 bytes, MD5 80C412B3E7304FE87C9CDB1836F0160A)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll (filesize 604000 bytes, MD5 80C412B3E7304FE87C9CDB1836F0160A)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL (filesize 40424 bytes, MD5 7FC19DA1DC70C78D2FBD7A1D10942051)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (filesize 4670968 bytes, MD5 81BCD9B9A86C3559F5BCFE56519A9A19)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (filesize 4670968 bytes, MD5 81BCD9B9A86C3559F5BCFE56519A9A19)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (filesize 1694208 bytes, MD5 74E6E96C6F0E2ECA4EDBB7F7A468F259)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (filesize 1694208 bytes, MD5 74E6E96C6F0E2ECA4EDBB7F7A468F259)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/HPISWeb/Customer...DataManager.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/support/includes/cabs/si.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1139051276125
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://129.15.200.151/activex/AMC.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...anner371420.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} - http://lg.home.microsoft.com/search/lobby/searchsettings.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...907/mcfscan.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL (filesize 222512 bytes, MD5 BD25E3537B54C1BFF40335992B3686FD)
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL (filesize 63344 bytes, MD5 CD241D38F4B0777A6381EA23C8CAF427)
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (filesize 873216 bytes, MD5 9E7370CC3D6A43942433F85D0E2BBDD8)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL (filesize 63344 bytes, MD5 CD241D38F4B0777A6381EA23C8CAF427)
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL (filesize 44344 bytes, MD5 1264F787E46DC572FA274CA09B446E01)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dllC:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll (filesize 133632 bytes, MD5 045E228F71C31901084B64BE59093499)
O23 - Service: Abel - oxid.it - C:\Program Files\Cain\Abel.exeC:\Program Files\Cain\Abel.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exeC:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exeC:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exeC:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeC:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exeC:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exeC:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeC:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeC:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exeC:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exeC:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXEC:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PHPGeekUtil - Unknown owner - c:\apache\APACHE.EXE" --ntservice (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exeC:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeC:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exeC:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exeC:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exeC:\WINDOWS\System32\wltrysvc.exe


Edited by mictamcody2000, 26 April 2007 - 03:47 PM.


BC AdBot (Login to Remove)

 


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:04:14 PM

Posted 27 April 2007 - 06:49 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum mictamcody2000 :thumbsup:

Please download Combofix and save to the desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


*****************************************

Download HostsXpert 3.8:
http://www.funkytoad.com/download/HostsXpert.zip
1. Extract the zip file to your desktop or a permanent folder on your hard drive.
2. Open the folder and double-click on the Hoster.exe
3. Press "Restore Microsofts Original Hosts File"
4. Press "OK" and exit the program.

Go to:
C:\WINDOWS\System32\drivers\etc\HOSTS.
1) Right-click on the HOSTS file
2) Click Properties
3) You will see a window open,at the bottom of the window to the right of Attributes,check the box that says 'Read-only'.
4) Click Apply/OK.

*****************************************

Download SDFix and save it to your desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Please then reboot your computer into Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, right click the SDFix.zip folder and choose Extract All,
* Open the extracted folder and double click RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer that normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.
* Also post the C:\ComboFix.txt and a new Hijackthis log please.

Posted Image
Posted Image

#3 mictamcody2000

mictamcody2000
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Location:Lansing, Michigan
  • Local time:11:14 AM

Posted 28 April 2007 - 02:27 PM

I have also been getting error's for svchost.exe and vsmon.exe when i start the computer.

but anyways here is the logs:


SDFIX:


SDFix: Version 1.80

Run by Mike - Sat 04/28/2007 - 14:40:03.15

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\Mike\Desktop\SDFix

Safe Mode:
Checking Services:






Modified mswsock.dll Found!

File Locations:

C:\WINDOWS\system32\mswsock.dll

Infected files:



Restoring Windows Registry Values
Restoring Windows Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\odbc.INI - Deleted
C:\WINDOWS\system32\fservice.exe - Deleted
C:\WINDOWS\system32\plugin1.dat - Deleted
C:\WINDOWS\system32\SysPr.prx - Deleted



Removing Temp Files

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


Remaining Files:
---------------

Backups Folder: - C:\DOCUME~1\Mike\Desktop\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\Documents and Settings\Mike\Local Settings\Application Data\Microsoft\Messenger\mictamcody2000@yahoo.com\Sharing Folders\shooterpk2003@yahoo.com\Thumbs.db
C:\Documents and Settings\Mike\Local Settings\Application Data\Microsoft\Messenger\mictamcody2000@yahoo.com\Sharing Folders\silent_striker@hackstrike.tk\Thumbs.db
C:\WINDOWS\system\sservice.exe
C:\Documents and Settings\All Users\DRM\Cache\Indiv04.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\3ddf7f7b5e8dafb08f6bc3b8de43d62d\download\BITB.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\fc94d0b172a81f3a4285a7e7df8ee3cd\download\BITA.tmp

Finished



#4 mictamcody2000

mictamcody2000
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Location:Lansing, Michigan
  • Local time:11:14 AM

Posted 28 April 2007 - 02:29 PM

COMBOFIX:

"Mike" - 07-04-28 13:56:24 Service Pack 2
ComboFix 07-04-28.V - Running from: "C:\Documents and Settings\Mike\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\ntoskrnl.exe.exe


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\nm


((((((((((((((((((((((((((((((( Files Created from 2007-03-28 to 2007-04-28 ))))))))))))))))))))))))))))))))))


2007-04-27 15:42 <DIR> d----c--- C:\Program Files\Peretek
2007-04-25 12:19 <DIR> d-a--c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-04-25 12:19 <DIR> d-------- C:\Fraps
2007-04-23 14:20 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-04-22 16:08 <DIR> d----c--- C:\Program Files\Bonjour
2007-04-22 15:48 <DIR> d----c--- C:\Program Files\Common Files\Macrovision Shared
2007-04-20 06:14 <DIR> d----c--- C:\Program Files\Copy of Copy of Copy of Copy of bots2
2007-04-20 06:09 <DIR> d----c--- C:\Program Files\Copy of Copy of Copy of bots2
2007-04-20 04:31 <DIR> d----c--- C:\Program Files\Copy of Copy of bots2
2007-04-20 04:29 <DIR> d----c--- C:\Program Files\Copy of bots2
2007-04-14 14:24 <DIR> d----c--- C:\Program Files\Copy (2) of Diablo II
2007-04-14 03:31 <DIR> d----c--- C:\WINDOWS\mm.BOT
2007-04-14 01:43 <DIR> d----c--- C:\Program Files\Stealthbot Beta 7 #2
2007-04-14 01:05 <DIR> d----c--- C:\Program Files\Stealthbot 7 beta
2007-04-13 05:56 32,592 --a--c--- C:\WINDOWS\system32\msonpmon.dll
2007-04-13 05:19 <DIR> d----c--- C:\Program Files\Microsoft Visual Studio 8
2007-04-13 05:16 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
2007-04-10 14:24 <DIR> d---sc--- C:\Program Files\Xfire
2007-04-10 14:24 <DIR> d----c--- C:\DOCUME~1\Mike\APPLIC~1\Xfire
2007-04-09 22:12 <DIR> d----c--- C:\Program Files\Microsoft Office 2007
2007-04-09 20:20 <DIR> d----c--- C:\Program Files\Copy of Diablo II
2007-04-08 18:41 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe Systems
2007-04-08 18:34 <DIR> d----c--- C:\Program Files\Common Files\Adobe Systems Shared
2007-04-08 16:48 <DIR> d----c--- C:\DOCUME~1\Mike\APPLIC~1\Ventrilo
2007-04-08 16:36 <DIR> d----c--- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-06 17:57 <DIR> d----c--- C:\Program Files\ArtMoney
2007-04-03 02:25 <DIR> d----c--- C:\Program Files\Copy of Copy of D22
2007-04-01 02:31 <DIR> d----c--- C:\Program Files\iTunes
2007-04-01 02:31 <DIR> d----c--- C:\Program Files\iPod
2007-04-01 01:50 <DIR> d----c--- C:\Program Files\Apple Software Update
2007-03-28 23:28 <DIR> d----c--- C:\Program Files\AutoIt3


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-28 00:52 -------- d----c--- C:\Program Files\diablo ii
2007-04-28 00:35 -------- d----c--- C:\Program Files\Common Files\symantec shared
2007-04-27 23:07 43520 --a--c--- C:\WINDOWS\system32\cmdlineext03.dll
2007-04-27 22:28 -------- d-------- C:\Program Files\stealthbot
2007-04-27 12:32 1573131 --a--c--- C:\Program Files\dx-ball.zip
2007-04-27 12:30 -------- d----c--- C:\Program Files\dx-ball
2007-04-26 15:36 -------- d----c--- C:\Program Files\bots3
2007-04-26 15:30 -------- d----c--- C:\Program Files\bots
2007-04-20 14:09 -------- d----c--- C:\Program Files\bots2
2007-04-18 12:02 -------- d----c--- C:\Program Files\d22
2007-04-13 05:52 -------- d-------- C:\Program Files\microsoft works
2007-04-13 05:51 -------- d----c--- C:\Program Files\msbuild
2007-04-11 15:28 -------- d----c--- C:\Program Files\zune
2007-04-09 20:46 41684 --a--c--- C:\WINDOWS\diiunin.dat
2007-04-08 23:16 -------- d--h----- C:\Program Files\installshield installation information
2007-04-01 02:01 -------- d----c--- C:\Program Files\quicktime
2007-03-30 17:57 -------- d----c--- C:\Program Files\world_tv_center
2007-03-28 20:59 -------- d-------- C:\Program Files\hp
2007-03-28 20:59 -------- d-------- C:\Program Files\hewlett-packard
2007-03-27 00:12 -------- d----c--- C:\DOCUME~1\Mike\APPLIC~1\utorrent
2007-03-23 20:31 -------- d----c--- C:\Program Files\cain
2007-03-23 06:07 583504 -----c--- C:\WINDOWS\system32\xpsshhdr.dll
2007-03-23 06:07 1683280 -----c--- C:\WINDOWS\system32\xpssvcs.dll
2007-03-22 20:25 124928 -----c--- C:\WINDOWS\system32\prntvpt.dll
2007-03-22 14:47 -------- d----c--- C:\DOCUME~1\Mike\APPLIC~1\winrar
2007-03-21 20:54 77312 --a--c--- C:\WINDOWS\system32\twain_32.dll
2007-03-21 20:54 69632 --a--c--- C:\WINDOWS\system32\twunk_32.exe
2007-03-21 20:54 48560 --a--c--- C:\WINDOWS\system32\twunk_16.exe
2007-03-17 20:30 352256 --ahsc--- C:\WINDOWS\system32\fservice.exe
2007-03-17 19:02 -------- d-------- C:\Program Files\viewpoint
2007-03-17 19:01 -------- d----c--- C:\Program Files\motherboard monitor 5
2007-03-17 09:43 292864 --a--c--- C:\WINDOWS\system32\winsrv.dll
2007-03-10 22:37 -------- d----c--- C:\Program Files\msxml 4.0
2007-03-10 22:12 -------- d----c--- C:\Program Files\microsoft games
2007-03-10 00:52 -------- d----c--- C:\DOCUME~1\Mike\APPLIC~1\tor
2007-03-09 04:10 17801 --a--c--- C:\WINDOWS\system32\drivers\AegisP.sys
2007-03-09 04:07 -------- d----c--- C:\Program Files\sp33698
2007-03-09 01:52 -------- d----c--- C:\Program Files\copy of d22
2007-03-08 11:36 577536 --a--c--- C:\WINDOWS\system32\user32.dll
2007-03-08 11:36 40960 --a--c--- C:\WINDOWS\system32\mf3216.dll
2007-03-08 11:36 281600 --a--c--- C:\WINDOWS\system32\gdi32.dll
2007-03-08 09:47 1843584 --a--c--- C:\WINDOWS\system32\win32k.sys
2007-03-07 05:47 22016 --a--c--- C:\WINDOWS\system32\yxgsd.dll
2007-03-03 01:34 73216 --a--c--- C:\WINDOWS\st6unst.exe
2007-03-03 01:34 249856 -----c--- C:\WINDOWS\setup1.exe
2007-03-01 12:18 -------- d----c--- C:\Program Files\windows live safety center
2007-02-24 16:40 51733 --a--c--- C:\WINDOWS\system32\plugin1.dat
2007-02-18 23:08 2180224 --a--c--- C:\WINDOWS\system32\kernel1.exe
2007-02-09 20:02 4212 ---h-c--- C:\WINDOWS\system32\zllictbl.dat
2007-02-05 16:17 185344 --a--c--- C:\WINDOWS\system32\upnphost.dll
2007-02-05 01:35 720896 --a--c--- C:\WINDOWS\iun6002.exe
2007-02-02 13:16 100844734 --a--c--- C:\BackupRegistry(20070202).reg


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{1E8A6170-7264-4D0F-BEAE-D42A53123C75}"="C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll"
"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}"="C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL"
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"="C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll"
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"="C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll"
"{e077da94-6314-41f1-9f08-6607df65952e}"="C:\Program Files\World_Tv_Center\tbWor1.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Zune Launcher"="\"C:\\Program Files\\Zune\\ZuneLauncher.exe\""
"YCentral"="C:\\Program Files\\Yahoo!\\YCentral\\YahooCentral.exe"
"MSPY2002"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"hpWirelessAssistant"="C:\\Program Files\\hpq\\HP Wireless Assistant\\HP Wireless Assistant.exe"
"Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"Broadcom Wireless Manager UI"="C:\\WINDOWS\\system32\\bcmntray"
"HP Software Update"="C:\\Program Files\\Hp\\HP Software Update\\HPWuSchd2.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"CoreComponent"="krnl32.exe"
"GrooveMonitor"="\"C:\\Program Files\\Microsoft Office\\Office12\\GrooveMonitor.exe\""
"Startup32512"="C:\\WINDOWS\\system32\\taskmagr.exe"
"OGAutoStart"="C:\\WINDOWS\\system32\\taskmagr.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"ccleaner"="\"C:\\Program Files\\CCleaner\\ccleaner.exe\" /AUTO"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"WMPNSCFG"="C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\AdobeUpdater]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Kernel32"="krnl32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"=dword:00000000
"SynchronousUserGroupPolicy"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"=dword:00000000
"NoClose"=dword:00000000
"NoFileMenu"=dword:00000000
"NoCommonGroups"=dword:00000000
"_NoDriveTypeAutoRun"=dword:00000091
"NoSMHelp"=hex:01,00,00,00
"ClearRecentDocsOnExit"=hex:01,00,00,00
"NoLowDiskSpaceChecks"=dword:00000001
"StartMenuLogoff"=dword:00000001
"MaxRecentDocs"=dword:0000000f
"NoStartMenuMFUprogramsList"=dword:00000001
"NoDesktopCleanupWizard"=dword:00000001
"NoToolbarCustomize"=dword:00000000
"NoBandCustomize"=dword:00000000
"NoSaveSettings"=dword:00000000
"NoTrayItemsDisplay"=hex:00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ file:///C:/DOCUME~1/Mike/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"{e57ce738-33e8-4c51-8354-bb4de9d215d1}"="C:\WINDOWS\system32\upnpui.dll"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HP Digital Imaging Monitor.lnk"
"backup"="C:\\WINDOWS\\pss\\HP Digital Imaging Monitor.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Hp\\DIGITA~1\\bin\\hpqtra08.exe "
"item"="HP Digital Imaging Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\hp psc 2000 Series.lnk"
"backup"="C:\\WINDOWS\\pss\\hp psc 2000 Series.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Hp\\DIGITA~1\\bin\\hpobnz08.exe "
"item"="hp psc 2000 Series"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\hpoddt01.exe.lnk"
"backup"="C:\\WINDOWS\\pss\\hpoddt01.exe.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpotdd01.exe "
"item"="hpoddt01.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTBar]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AUTOTBAR"
"hkey"="HKLM"
"command"="AUTOTBAR.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CoreComponent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="krnl32"
"hkey"="HKLM"
"command"="krnl32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="EabServr"
"hkey"="HKLM"
"command"="C:\\Program Files\\HPQ\\Quick Launch Buttons\\EabServr.exe /Start"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DLM"
"hkey"="HKCU"
"command"="C:\\Program Files\\IGN\\Download Manager\\DLM.exe /windowsstart /startifwork"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="lsburnwatcher"
"hkey"="HKLM"
"command"="c:\\hp\\drivers\\hplsbwatcher\\lsburnwatcher.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mobrfksr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cllhxvfi"
"hkey"="HKLM"
"command"="C:\\cllhxvfi.bat"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="osCheck"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Norton Internet Security\\osCheck.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TINTSETP"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TINTSETP"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"item"="???
?"
"hkey"="HKCU"
"command"="???
?"
"inimapping"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SIDEBAR]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sidebar"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\Resources\\Themes\\DameK UltraBlue\\Desktop Sidebar\\sidebar.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STYLEXP]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="StyleXP"
"hkey"="HKCU"
"command"="C:\\Program Files\\TGTSoft\\StyleXP\\StyleXP.exe -Hide"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinVNC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WinVNC"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\UltraVNC\\WinVNC.exe\" -servicehelper"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
Shell\AutoRun\command D:\SETUP.EXE

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{067666ef-736b-11da-8462-806d6172696f}]
Shell\AutoRun\command D:\SETUP.EXE
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_COMHOST


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - Mike.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-28 14:01:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe???????????????|?????? ???B?????????????hLC? ??????
CoreComponent = krnl32.exe??????????????
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Kernel32 = krnl32.exe??????????????

scanning hidden files ...

C:\SYSTEM.SAV\info.bom 16384 bytes
C:\SYSTEM.SAV\INFO.US 4096 bytes
C:\SYSTEM.SAV\ISLOGCHK.LOG 4096 bytes
C:\SYSTEM.SAV\Logs
C:\SYSTEM.SAV\Logs\Cia.ini 155648 bytes
C:\SYSTEM.SAV\Logs\Info.bom 16384 bytes
C:\SYSTEM.SAV\Logs\Install.log 368640 bytes
C:\SYSTEM.SAV\Logs\Preinchk.log 4096 bytes
C:\SYSTEM.SAV\Logs\Sysinfo.log 294912 bytes
C:\SYSTEM.SAV\Logs\UIADUMP.EUE 4096 bytes
C:\SYSTEM.SAV\Logs\UIADUMP.FPP 4096 bytes
C:\SYSTEM.SAV\mszone.log 16384 bytes
C:\SYSTEM.SAV\PREINCHK.log 4096 bytes
C:\SYSTEM.SAV\REBOOT.ME 48 bytes
C:\SYSTEM.SAV\REGFLUSH.LOG 4096 bytes
C:\SYSTEM.SAV\RmDev.log 20480 bytes
C:\SYSTEM.SAV\SYSINFO.LOG 294912 bytes
C:\SYSTEM.SAV\SysInfo.US 294912 bytes
C:\SYSTEM.SAV\UTIL
C:\SYSTEM.SAV\UTIL\BOOTSEC.NT4 512 bytes
C:\SYSTEM.SAV\UTIL\BrandIt.Log 16384 bytes
C:\SYSTEM.SAV\UTIL\CHKIMAGE.exe 126976 bytes
C:\SYSTEM.SAV\UTIL\CIA.CDC 69632 bytes
C:\SYSTEM.SAV\UTIL\CIA.INI 81920 bytes
C:\SYSTEM.SAV\UTIL\cpqci.dll 122880 bytes
C:\SYSTEM.SAV\UTIL\cvacompg.exe 118784 bytes
C:\SYSTEM.SAV\UTIL\deldir.log 648 bytes
C:\SYSTEM.SAV\UTIL\delmodem.ini 184 bytes
C:\SYSTEM.SAV\UTIL\DELMPLNK.bat 88 bytes
C:\SYSTEM.SAV\UTIL\DELMPLNK.js 480 bytes
C:\SYSTEM.SAV\UTIL\DETECTOS.INI 408 bytes
C:\SYSTEM.SAV\UTIL\DNSP1.LOG 16384 bytes
C:\SYSTEM.SAV\UTIL\EISDTICON.log 32 bytes
C:\SYSTEM.SAV\UTIL\EVENTDEL.VBS 208 bytes
C:\SYSTEM.SAV\UTIL\FB_EIS.log 32 bytes
C:\SYSTEM.SAV\UTIL\hpqnt.dll 77824 bytes
C:\SYSTEM.SAV\UTIL\INSTALL.LOG 368640 bytes
C:\SYSTEM.SAV\UTIL\ISLOGCHK.EXE 110592 bytes
C:\SYSTEM.SAV\UTIL\ISLOGCHK.INI 4096 bytes
C:\SYSTEM.SAV\UTIL\mscu.log 168 bytes
C:\SYSTEM.SAV\UTIL\PININST.EXE 110592 bytes
C:\SYSTEM.SAV\UTIL\PININST.INI 4096 bytes
C:\SYSTEM.SAV\UTIL\PININST.LOG 4096 bytes
C:\SYSTEM.SAV\UTIL\POSTOOBE.LOG 24 bytes
C:\SYSTEM.SAV\UTIL\postproc.ini 536 bytes
C:\SYSTEM.SAV\UTIL\powerset.log 88 bytes
C:\SYSTEM.SAV\UTIL\PREINCHK.BAT 216 bytes
C:\SYSTEM.SAV\UTIL\PREINFO.INI 224 bytes
C:\SYSTEM.SAV\UTIL\PREINFO2.EXE 86016 bytes
C:\SYSTEM.SAV\UTIL\qlb.log 176 bytes
C:\SYSTEM.SAV\UTIL\random.ini 40 bytes
C:\SYSTEM.SAV\UTIL\REGDEV.EXE 106496 bytes
C:\SYSTEM.SAV\UTIL\REGDEV.INI 560 bytes
C:\SYSTEM.SAV\UTIL\sedinst.log 168 bytes
C:\SYSTEM.SAV\UTIL\STRTMENU.EXE 24576 bytes
C:\SYSTEM.SAV\UTIL\SWSET_B.INI 4096 bytes
C:\SYSTEM.SAV\UTIL\ticrdbus.log 32 bytes
C:\SYSTEM.SAV\UTIL\touchpad.log 192 bytes
C:\SYSTEM.SAV\UTIL\WINDVD.LOG 168 bytes
C:\SYSTEM.SAV\UTIL\wlassistant.log 176 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 60


********************************************************************

Completion time: 07-04-28 14:01:18
C:\ComboFix-quarantined-files.txt ... 07-04-28 14:01



#5 mictamcody2000

mictamcody2000
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Location:Lansing, Michigan
  • Local time:11:14 AM

Posted 28 April 2007 - 02:32 PM

and HiJackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 3:28:57 PM, on 4/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Windows folder: C:\WINDOWS
System folder: C:\WINDOWS\SYSTEM32
Hosts file: C:\WINDOWS\System32\drivers\etc\hosts

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Cain\Abel.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\apache\APACHE.EXE
c:\apache\APACHE.EXE
C:\Program Files\WinPcap\rpcapd.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Yahoo!\YCentral\YahooCentral.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\bcmntray.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HPQ\Shared\hpqwmi.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Xfire\xfire.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\StealthBot\StealthBot v2.6R3.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Documents and Settings\Mike\Desktop\hijackthis_199\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:4001
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: World Tv Center Toolbar - {e077da94-6314-41f1-9f08-6607df65952e} - C:\Program Files\World_Tv_Center\tbWor1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (filesize 59032 bytes, MD5 4EA3A6CD9D20584FFAFDB1E47DBF0E20)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL (filesize 2210608 bytes, MD5 786DD1892B553EFE5A004AC39775C851)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (filesize 501400 bytes, MD5 70FD57D6EDBED8D80C1995257C99D27E)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (filesize 324416 bytes, MD5 52A70C80A446FA3BBCDAF59A9AB26AF4)
O2 - BHO: World Tv Center Toolbar - {e077da94-6314-41f1-9f08-6607df65952e} - C:\Program Files\World_Tv_Center\tbWor1.dll (filesize 1297432 bytes, MD5 387BEECCBC28FE61336E3FE1F3D3F21D)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: World Tv Center Toolbar - {e077da94-6314-41f1-9f08-6607df65952e} - C:\Program Files\World_Tv_Center\tbWor1.dll (filesize 1297432 bytes, MD5 387BEECCBC28FE61336E3FE1F3D3F21D)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exeC:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" (filesize 83608 bytes, MD5 9C1C80BBF8E6044980890E2D2D91091C)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe" (filesize 24104 bytes, MD5 B95CAC6DD903338C2DA88ADCA85151FD)
O4 - HKLM\..\Run: [YCentral] C:\Program Files\Yahoo!\YCentral\YahooCentral.exeC:\Program Files\Yahoo!\YCentral\YahooCentral.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC (filesize 59392 bytes, MD5 1B17E09C1223F6D17336D2DD7A1AF4F4)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 (filesize 208952 bytes, MD5 7BBE4CF421AECC7F0226EDD75F12079F)
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exeC:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exeC:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeC:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\bcmntray (filesize 1044480 bytes, MD5 5A4557451D70524F78200D63D7BB0F6B)
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exeC:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (filesize 282624 bytes, MD5 30E1F03DCC8825988528D9058312EDE2)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" (filesize 257088 bytes, MD5 B0E9EFADF04E9E25C0001B48757F3E71)
O4 - HKLM\..\Run: [CoreComponent] krnl32.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" (filesize 31016 bytes, MD5 38D198A2DD54A67120040566A38103BA)
O4 - HKLM\..\Run: [Startup32512] C:\WINDOWS\system32\taskmagr.exe
O4 - HKLM\..\Run: [OGAutoStart] C:\WINDOWS\system32\taskmagr.exe
O4 - HKLM\..\RunServices: [Kernel32] krnl32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (filesize 4670968 bytes, MD5 81BCD9B9A86C3559F5BCFE56519A9A19)
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO (filesize 603016 bytes, MD5 86F6CC239F7D981B7E399D6C3055035A)
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (filesize 5674352 bytes, MD5 C4281AD865739E71FD1E4DAC19A68D60)
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (filesize 1694208 bytes, MD5 74E6E96C6F0E2ECA4EDBB7F7A468F259)
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exeC:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (filesize 113664 bytes, MD5 C2FF17734176CD15221C10044EF0BA1A)
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (filesize 98632 bytes, MD5 D91AFB6D2A0DA7539B74FB5838775D94)
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe (filesize 2702928 bytes, MD5 B648CE6C7E3DD2596D7629AEADEC6450)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (filesize 501400 bytes, MD5 70FD57D6EDBED8D80C1995257C99D27E)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (filesize 501400 bytes, MD5 70FD57D6EDBED8D80C1995257C99D27E)
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll (filesize 604000 bytes, MD5 80C412B3E7304FE87C9CDB1836F0160A)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll (filesize 604000 bytes, MD5 80C412B3E7304FE87C9CDB1836F0160A)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL (filesize 40424 bytes, MD5 7FC19DA1DC70C78D2FBD7A1D10942051)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (filesize 1694208 bytes, MD5 74E6E96C6F0E2ECA4EDBB7F7A468F259)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (filesize 1694208 bytes, MD5 74E6E96C6F0E2ECA4EDBB7F7A468F259)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/HPISWeb/Customer...DataManager.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/support/includes/cabs/si.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1139051276125
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://129.15.200.151/activex/AMC.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...anner371420.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} - http://lg.home.microsoft.com/search/lobby/searchsettings.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...907/mcfscan.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL (filesize 222512 bytes, MD5 BD25E3537B54C1BFF40335992B3686FD)
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL (filesize 63344 bytes, MD5 CD241D38F4B0777A6381EA23C8CAF427)
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (filesize 873216 bytes, MD5 9E7370CC3D6A43942433F85D0E2BBDD8)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL (filesize 63344 bytes, MD5 CD241D38F4B0777A6381EA23C8CAF427)
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL (filesize 44344 bytes, MD5 1264F787E46DC572FA274CA09B446E01)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dllC:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll (filesize 133632 bytes, MD5 045E228F71C31901084B64BE59093499)
O23 - Service: Abel - oxid.it - C:\Program Files\Cain\Abel.exeC:\Program Files\Cain\Abel.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exeC:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exeC:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exeC:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeC:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exeC:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exeC:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeC:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeC:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exeC:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exeC:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXEC:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PHPGeekUtil - Unknown owner - c:\apache\APACHE.EXE" --ntservice (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exeC:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeC:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exeC:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exeC:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exeC:\WINDOWS\System32\wltrysvc.exe


Just a reminder about that I'm still having problems With svchost.exe vsmon.exe and I just noticed another problem that i have been having when ever i go to Shut off or Turn on comp It says asp.net then cannot read click ok to terminate cancel to debug so i click cancel then it says samething except for it says it cannot write it

Edited by mictamcody2000, 28 April 2007 - 04:33 PM.


#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:04:14 PM

Posted 29 April 2007 - 02:09 AM

Copy and paste the following bold blue text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as..Save as Type: 'All Files' File name: fix.reg to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge it into the registry,then reboot.

REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Kernel32"=-

**************************

Please make sure all hidden files are showing:

* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

*******************************

Download/install AVG Anti-Spyware 7.5.

Please follow these instructions very carefully.

Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab,and then 'Start Update'.
Note:
If you have any problems running the update process prior to running the scan,download/install the 'Full Database' from here:
http://download.ewido.net/avgas-signatures-full-current.exe

Once the updates have been installed,do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen,under 'How to act?',then under 'Set default action for detected malware to:', click on 'Recommended actions',then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.
Exit AVG Anti-Spyware,don't run the scan just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this,restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following [If still present], by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:

O4 - HKLM\..\Run: [CoreComponent] krnl32.exe
O4 - HKLM\..\Run: [Startup32512] C:\WINDOWS\system32\taskmagr.exe
O4 - HKLM\..\Run: [OGAutoStart] C:\WINDOWS\system32\taskmagr.exe
O4 - HKLM\..\RunServices: [Kernel32] krnl32.exe


Find and delete:
C:\WINDOWS\system32\taskmagr.exe

Still in Safe Mode launch AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient,it takes a while for the scan to finish.

Once the scan is complete,do the following.
If AVG Anti-Spyware detected any infected objects:,click on 'Apply All Actions'.

Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you've done.
Reboot normally.

*****************************

Run 'BitDefender Online Scanner' using Internet Explorer:
http://www.bitdefender.com/scan8/ie.html
Read the 'END USER SOFTWARE LICENSE AGREEMENT' then click 'I agree'.
You'll be prompted to install the activex control,please do so.
Once installed,disable your current antivirus program,then click the 'Click here to scan' button.
The virus signatures will then load.
Once loaded the scan will start.
The scan will take quite some time so please be patient.
Once the scan has finished select the 'Detected Problems' tab.
Click on 'Click here to export scan'.
Save the file as an HTML file to your desktop.
Then click on the saved file and allow it to open with your browser.
Go to 'Edit'/'Select All' then copy and paste that log into your next reply.
*Note*
Don't forget to re-enable your antivirus program.

Post the AVG Anti Spyware report,the BitDefender Online Scanner log,and a new Hijackthis log into your next reply.
Let me know how your pc is running now please.
Posted Image
Posted Image

#7 mictamcody2000

mictamcody2000
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Location:Lansing, Michigan
  • Local time:11:14 AM

Posted 30 April 2007 - 02:07 AM

AVG:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:19:43 PM 4/29/2007

+ Scan result:



C:\Documents and Settings\Mike\My Documents\APoCLiPSe_TrOJaN.zip/Client.exe -> Backdoor.Armageddon.c : No action taken.
C:\Documents and Settings\Mike\My Documents\APoCLiPSe_TrOJaN.zip/Server.exe -> Backdoor.Armageddon.c : No action taken.
C:\Documents and Settings\Mike\Desktop\SDFix\backups\backups.zip/backups/fservice.exe -> Backdoor.Prorat.19.i : No action taken.
C:\WINDOWS\system\sservice.exe -> Backdoor.Prorat.19.i : No action taken.
C:\WINDOWS\system32\yxgsd.dll -> Logger.Delf.tk : No action taken.
C:\phptriad\tools\backup\backup.exe -> Not-A-Virus.Exploit.Win32.RealServer.b : No action taken.
C:\Documents and Settings\Mike\Cookies\mike@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\Mike\Cookies\mike@bluestreak[1].txt -> TrackingCookie.Bluestreak : No action taken.
C:\Documents and Settings\Mike\Cookies\mike@doubleclick[2].txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\Mike\Cookies\mike@mediaplex[2].txt -> TrackingCookie.Mediaplex : No action taken.
C:\Documents and Settings\Mike\Cookies\mike@questionmarket[2].txt -> TrackingCookie.Questionmarket : No action taken.
C:\Documents and Settings\Mike\Shared\The Sims - Living Large Expansion.zip/install.exe -> Trojan.Install.d : No action taken.


::Report end



#8 mictamcody2000

mictamcody2000
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Location:Lansing, Michigan
  • Local time:11:14 AM

Posted 30 April 2007 - 02:10 AM

BitDefender:


BitDefender Online Scanner



Scan report generated at: Mon, Apr 30, 2007 - 00:41:44





Scan path: C:\;D:\;F:\;







Statistics

Time
04:18:14

Files
1590157

Folders
10843

Boot Sectors
3

Archives
23981

Packed Files
206283




Results

Identified Viruses
0

Infected Files
0

Suspect Files
4

Warnings
0

Disinfected
0

Deleted Files
0




Engines Info

Virus Definitions
362178

Engine build
AVCORE v1.0 (build 2397) (i386) (Feb 8 2007 14:24:08)

Scan plugins
14

Archive plugins
38

Unpack plugins
6

E-mail plugins
6

System plugins
1




Scan Settings

First Action
Prompt

Second Action
None

Heuristics
Yes

Enable Warnings
Yes

Scanned Extensions
*;

Exclude Extensions


Scan Emails
Yes

Scan Archives
Yes

Scan Packed
Yes

Scan Files
Yes

Scan Boot
Yes




Scanned File
Status

C:\Documents and Settings\Mike\Desktop\SDFix\Catchme.exe
Suspected of: Generic.Malware.GS.578DA1E6

C:\Documents and Settings\Mike\Desktop\SDFix\Catchme.exe
Suspected of: Generic.Malware.GS.578DA1E6

C:\Documents and Settings\Mike\Desktop\SDFix.exe=>(RAR Sfx o)=>SDFix\Catchme.exe
Suspected of: Generic.Malware.GS.578DA1E6

C:\Documents and Settings\Mike\Desktop\SDFix.exe=>(RAR Sfx o)=>SDFix\Catchme.exe
Suspected of: Generic.Malware.GS.578DA1E6

C:\Documents and Settings\Mike\My Documents\townkill\townkill.exe
Suspected of: Generic.Malware.G!g.10F59571

C:\Documents and Settings\Mike\My Documents\townkill\townkill.exe
Suspected of: Generic.Malware.G!g.10F59571

C:\Documents and Settings\Mike\My Documents\townkill.zip=>townkill.exe
Suspected of: Generic.Malware.G!g.10F59571

C:\Documents and Settings\Mike\My Documents\townkill.zip=>townkill.exe
Suspected of: Generic.Malware.G!g.10F59571



#9 mictamcody2000

mictamcody2000
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Location:Lansing, Michigan
  • Local time:11:14 AM

Posted 30 April 2007 - 02:34 AM

Also i found a file that looked suspicios it won't delete and when i delted it in safe mode it came back here are the contents of it...it is saved in notepad...:

19:49:31.781 69C:680 WARN :: module=lcapi flavor=fre version=1.7.256.0 (RTC Version 4.3.5371.0)
19:49:34.750 69C:680 INFO :: Initialize(0)
19:49:36.671 69C:680 INFO :: MUI not Enabled
19:49:52.187 69C:680 INFO :: SetDeviceDisabled[017A46D0] 0->0
19:49:52.187 69C:680 INFO :: SetDeviceDisabled[017A46D0] 0->1
19:49:52.187 69C:680 TRACE :: SetDevice[017A46D0] 00000000->00000000
19:49:52.187 69C:680 INFO :: SetDeviceDisabled[017A4704] 0->0
19:49:52.187 69C:680 TRACE :: SetDevice[017A4704] 00000000->0140186C
19:49:52.390 69C:680 INFO :: SetDeviceDisabled[017A4738] 0->0
19:49:52.390 69C:680 TRACE :: SetDevice[017A4738] 00000000->0140135C
19:49:52.390 69C:680 INFO :: SetDeviceDisabled[017A469C] 0->0
19:50:01.859 69C:680 TRACE :: client[017A1EC0] new sipStack[017A47D8]
19:50:09.296 69C:680 INFO :: No registry setting, using default: "Mode" = 2
19:50:09.296 69C:680 INFO :: No registry setting, using default: "NegotiateTimeout" = 5000
19:50:09.296 69C:680 INFO :: No registry setting, using default: "Threshold" = 128
19:50:09.312 69C:680 TRACE :: [017A1EC0]put_AnswerMode - type=0,mode=0
19:50:09.312 69C:680 TRACE :: [017A1EC0]put_EventFilter(507f)



#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:04:14 PM

Posted 30 April 2007 - 03:14 AM

Please do the following again because last time you ran it everything AVG Anti Spyware detected had 'No Action Taken' at the end of it.

Please follow these instructions again very carefully.

Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab,and then 'Start Update'.
Note:
If you have any problems running the update process prior to running the scan,download/install the 'Full Database' from here:
http://download.ewido.net/avgas-signatures-full-current.exe

Once the updates have been installed,do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen,under 'How to act?',then under 'Set default action for detected malware to:', click on 'Recommended actions',then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.
Exit AVG Anti-Spyware,don't run the scan just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this,restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Still in Safe Mode launch AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient,it takes a while for the scan to finish.

Once the scan is complete,do the following.
If AVG Anti-Spyware detected any infected objects:,click on 'Apply All Actions'.

Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you've done.
Reboot normally.


Post the AVG Anti Spyware report,and a new Hijackthis log into your next reply.
Let me know how your pc is running now please.
Posted Image
Posted Image

#11 mictamcody2000

mictamcody2000
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Location:Lansing, Michigan
  • Local time:11:14 AM

Posted 01 May 2007 - 02:38 PM

AVG:

+ Created at: 3:06:03 PM 5/1/2007

+ Scan result:



C:\Documents and Settings\Mike\Cookies\mike@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Mike\Cookies\mike@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Mike\Cookies\mike@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Mike\Cookies\mike@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Mike\Cookies\mike@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Mike\Cookies\mike@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Mike\Cookies\mike@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Mike\Cookies\mike@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.
C:\Documents and Settings\Mike\Cookies\mike@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Mike\Cookies\mike@revsci[2].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Mike\Cookies\mike@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Mike\Cookies\mike@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.


::Report end



#12 mictamcody2000

mictamcody2000
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Location:Lansing, Michigan
  • Local time:11:14 AM

Posted 01 May 2007 - 02:45 PM

Hijackthis log:


Logfile of HijackThis v1.99.1
Scan saved at 3:41:15 PM, on 5/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Cain\Abel.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Documents and Settings\Mike\My Documents\pvpgn\pvpgn-1.8.0rc2\d2csConsole.exe
C:\Program Files\PvPGN\D2GS\D2GSSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\apache\APACHE.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
c:\apache\APACHE.EXE
C:\Documents and Settings\Mike\My Documents\pvpgn\pvpgn-1.8.0rc2\PvPGNConsole.exe
C:\Program Files\WinPcap\rpcapd.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\StealthBot\StealthBot v2.6R3.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Yahoo!\YCentral\YahooCentral.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\bcmntray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HPQ\Shared\hpqwmi.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Xfire\xfire.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\Mike\Desktop\hijackthis_199\HijackThis.exe
C:\Program Files\PvPGN\D2GS\D2GS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:4001
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: World Tv Center Toolbar - {e077da94-6314-41f1-9f08-6607df65952e} - C:\Program Files\World_Tv_Center\tbWor1.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: World Tv Center Toolbar - {e077da94-6314-41f1-9f08-6607df65952e} - C:\Program Files\World_Tv_Center\tbWor1.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: World Tv Center Toolbar - {e077da94-6314-41f1-9f08-6607df65952e} - C:\Program Files\World_Tv_Center\tbWor1.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [YCentral] C:\Program Files\Yahoo!\YCentral\YahooCentral.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\bcmntray
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/HPISWeb/Customer...DataManager.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/support/includes/cabs/si.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1139051276125
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://129.15.200.151/activex/AMC.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...anner371420.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} - http://lg.home.microsoft.com/search/lobby/searchsettings.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...907/mcfscan.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Abel - oxid.it - C:\Program Files\Cain\Abel.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: d2cs service (d2cs) - Unknown owner - C:\Documents and Settings\Mike\My Documents\pvpgn\pvpgn-1.8.0rc2\d2csConsole.exe
O23 - Service: d2dbs service (d2dbs) - Unknown owner - C:\Documents and Settings\Mike\My Documents\pvpgn\pvpgn-1.8.0rc2\d2dbsConsole.exe
O23 - Service: Diablo II Close Game Server (D2GS) - Unknown owner - C:\Program Files\PvPGN\D2GS\D2GSSVC.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PHPGeekUtil - Unknown owner - c:\apache\APACHE.EXE" --ntservice (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PvPGN service (pvpgn) - Unknown owner - C:\Documents and Settings\Mike\My Documents\pvpgn\pvpgn-1.8.0rc2\PvPGNConsole.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe



#13 mictamcody2000

mictamcody2000
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Location:Lansing, Michigan
  • Local time:11:14 AM

Posted 01 May 2007 - 02:48 PM

Also Still having Problems with Svchost.exe Vsmon.exe and aspnet_state During startup and shutdown also this file still concers me a little bit.

15:30:01.765 104C:1060 WARN :: module=lcapi flavor=fre version=1.7.256.0 (RTC Version 4.3.5371.0)
15:30:07.828 104C:1060 INFO :: Initialize(0)
15:30:09.406 104C:1060 INFO :: MUI not Enabled
15:30:28.296 104C:1060 INFO :: SetDeviceDisabled[016F46D0] 0->0
15:30:28.296 104C:1060 INFO :: SetDeviceDisabled[016F46D0] 0->1
15:30:28.296 104C:1060 TRACE :: SetDevice[016F46D0] 00000000->00000000
15:30:28.296 104C:1060 INFO :: SetDeviceDisabled[016F4704] 0->0
15:30:28.296 104C:1060 TRACE :: SetDevice[016F4704] 00000000->013C1A1C
15:30:28.421 104C:1060 INFO :: SetDeviceDisabled[016F4738] 0->0
15:30:28.421 104C:1060 TRACE :: SetDevice[016F4738] 00000000->013C150C
15:30:28.421 104C:1060 INFO :: SetDeviceDisabled[016F469C] 0->0
15:30:34.718 104C:1060 TRACE :: client[016F1EC0] new sipStack[016F47D8]
15:30:41.890 104C:1060 INFO :: No registry setting, using default: "Mode" = 2
15:30:41.890 104C:1060 INFO :: No registry setting, using default: "NegotiateTimeout" = 5000
15:30:41.890 104C:1060 INFO :: No registry setting, using default: "Threshold" = 128
15:30:41.906 104C:1060 TRACE :: [016F1EC0]put_AnswerMode - type=0,mode=0
15:30:41.906 104C:1060 TRACE :: [016F1EC0]put_EventFilter(507f)



#14 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:04:14 PM

Posted 01 May 2007 - 02:52 PM

Also Still having Problems with Svchost.exe Vsmon.exe and aspnet_state During startup and shutdown also this file still concers me a little bit.


Vsmon.exe is related to Zone Alarm firewall,try uninstalling/reinstalling Zone Alarm.

aspnet_state is related to Microsoft® .NET Framework,check on Windows Update,see if there are any updates available relating to .NET Framework

If you have the MS Windows XP install disk.
Click Start>Run,type sfc /scannow then press Ok.
Leave a space in between sfc and /scannow
Reboot when you've done.

Edited by RichieUK, 01 May 2007 - 03:24 PM.

Posted Image
Posted Image

#15 mictamcody2000

mictamcody2000
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Location:Lansing, Michigan
  • Local time:11:14 AM

Posted 02 May 2007 - 01:46 AM

Zonealarm wont let me UnInstall/ReInstall

I have all Current from Microsoft

I dont have my Windows Install Disc.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users