

Hjt Log Please Analyze


1 reply to this topic

#1 Protege

  • Members
  • 8 posts
  • OFFLINE
  • Local time:12:40 PM

Posted 04 May 2007 - 11:55 PM

Hi, I recently posted to a different, non-HJT-related forum. Originally this was my issue:

CPU always busy (loading gun now)

hi,
It didn't seem like a few months ago my laptop was always so busy. Just to let you know, I'm an onsite hardware tech, which makes it even harder asking for help, but I need this machine to play video without getting all choppy on me. And forget about having a chat program and a small game working at the same time.

Now I've run disk clean-up, defragmented, checked the hdd usage (8GB out of 55). I know about programs that use up clock cycles because they are in the sys tray. I've even removed any unnecessary programs from the HDD. I've got 512MB of ram which has always been enough to say, play a "youtube" video or something along that line. I've scanned for viruses and what-not using Norton, spybot search & destroy and adaware SE... still the load on my CPU is beyond what it should be in my opinion.

I can have a browser up and not do anything with it and watch the resource meter shoot from 4% to 90+%! Something (program-wise) is keeping this machine busy and it's killin' me that I can't get at it.

Since this post, I have installed Panda antivirus (wouldn't work) and found a few spyware hits (with SB S&D and Adaware SE updates) that have since been removed. It's only made the situation worse; I can now only have "real" control over my laptop when I'm in safe mode with networking. I'm absolutely disgusted with my antivirus choices, so I tried to remove NAV and Panda, but apparently I can't do this in safe mode.

In normal mode the computer quickly begins increasing the PF size (sometimes to over 400MB) until I lose the power to really affect anything as it continues to load things. When I tried earlier to play hardball with this stuff and do a system restore, I noticed that my settings were not where I left them, at 4% of total disk space (usually enough for 2 or 3 system restore points), and instead were set to "maximum", and yet there were no restore points available except the very day I was trying to restore from...@%#*&! Here is my HJT log and ComboFix log as well; maybe someone out there can save me from wiping this machine and hunting for computer drivers :thumbsup:

------------------------------------------------------------------------------------------------------------------

StartupList report, 4/29/2007, 5:02:30 PM
StartupList version: 1.52.2
Started from : C:\hjt\HJT-TEMP\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16414)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hjt\HJT-TEMP\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Owner\Start Menu\Programs\Startup]
Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

PPFW = c:\program files\panda software\panda platinum 2006 internet security\firewall\PPFW.EXE PPFW.EXE /cmd:allowpandarules /prod:platinum /mod:3 /flg:2 /ver:10.2.0
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
TPSMain = TPSMain.exe
TouchED = C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
SynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
Symantec NetDriver Monitor = C:\PROGRA~1\SYMNET~1\SNDMon.exe
SunJavaUpdateSched = C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
SigmaTel StacMon = C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
NAV CfgWiz = C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
ezShieldProtector for Px = C:\WINDOWS\System32\ezSP_Px.exe
DLA = C:\WINDOWS\System32\DLA\DLACTRLW.EXE
DellMCM = "C:\Program Files\Dell Photo AIO Printer 942\memcard.exe"
Dell Photo AIO Printer 942 = "C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe"
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
AGRSMMSG = AGRSMMSG.exe
MSConfig = C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
UpgConfVer = "C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\UpgConf.exe" /v:10.02.00

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
SRS Audio Sandbox = "C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe" /hideme
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\WINDOWS\System32\DLA\DLASHX_W.DLL - {5CA3D70E-1895-11CF-8E15-001234567890}
(no name) - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc3.cab

[Java Plug-in 1.4.2_03]
InProcServer32 = C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[Java Plug-in 1.5.0_06]
InProcServer32 = C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[Java Plug-in 1.5.0_08]
InProcServer32 = C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[Java Plug-in 1.5.0_09]
InProcServer32 = C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[Java Plug-in 1.5.0_10]
InProcServer32 = C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[Java Plug-in 1.5.0_11]
InProcServer32 = C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 6,198 bytes
Report generated in 0.020 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
====================================================================

"Owner" - 07-04-29 20:55:34 Service Pack 2 [SAFE MODE]
ComboFix 07-04-25.4V - Running from: "C:\Program Files\Mozilla Firefox\"


((((((((((((((((((((((((((((((( Files Created from 2007-03-28 to 2007-04-29 ))))))))))))))))))))))))))))))))))


2007-04-27 18:35 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-04-27 18:20 <DIR> d-------- C:\hjt
2007-04-24 18:23 71,424 --a------ C:\WINDOWS\system32\drivers\pavdrv51.sys
2007-04-24 18:21 9,488 --a------ C:\WINDOWS\system32\sporder.dll
2007-04-24 18:21 9,216 --a-s--t- C:\WINDOWS\system32\drivers\fnetmon.sys
2007-04-24 18:21 61,440 --a-s--t- C:\WINDOWS\system32\PAVIPC.DLL
2007-04-24 18:21 499,712 --a------ C:\WINDOWS\system32\MSVCP71.DLL
2007-04-24 18:21 45,056 --a------ C:\WINDOWS\system32\avldr.dll
2007-04-24 18:21 446,464 --a------ C:\WINDOWS\system32\HHActiveX.dll
2007-04-24 18:21 44,928 --a------ C:\WINDOWS\system32\drivers\APPFLT.SYS
2007-04-24 18:21 36,224 --a-s--t- C:\WINDOWS\system32\drivers\NETFLTDI.SYS
2007-04-24 18:21 348,160 --a------ C:\WINDOWS\system32\MSVCR71.DLL
2007-04-24 18:21 29,824 --a------ C:\WINDOWS\system32\drivers\dsaflt.sys
2007-04-24 18:21 253,952 --a-s--t- C:\WINDOWS\system32\PAVSHOOK.DLL
2007-04-24 18:21 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-04-24 18:21 174,848 --a-s--t- C:\WINDOWS\system32\drivers\idsflt.sys
2007-04-24 18:21 17,536 --a------ C:\WINDOWS\system32\drivers\smsflt.sys
2007-04-24 18:21 16,640 --a------ C:\WINDOWS\system32\drivers\cpoint.sys
2007-04-24 18:21 146,748 --a------ C:\WINDOWS\system32\drivers\APPFCONT.DAT
2007-04-24 18:21 131,072 --a-s--t- C:\WINDOWS\system32\TPUTIL.DLL
2007-04-24 18:21 115,072 --a-s--t- C:\WINDOWS\system32\drivers\netflt.sys
2007-04-24 18:21 11,264 --a------ C:\WINDOWS\system32\drivers\wnmflt.sys
2007-04-24 18:21 102,400 --a------ C:\WINDOWS\system32\SYSTOOLS.DLL
2007-04-24 18:21 <DIR> d-------- C:\WINDOWS\system32\PAV
2007-04-24 18:20 <DIR> d-------- C:\Program Files\Panda Software
2007-04-24 17:53 26,752 -ra------ C:\WINDOWS\system32\drivers\ShldDrv.sys
2007-04-24 17:53 163,856 -ra------ C:\WINDOWS\system32\drivers\PavProc.sys
2007-04-24 17:53 <DIR> d-------- C:\Program Files\Common Files\Panda Software
2007-04-24 17:52 786,432 --ah----- C:\DOCUME~1\ADMINI~1.TOS\NTUSER.DAT
2007-04-23 01:25 <DIR> d-------- C:\Program Files\CCleaner
2007-04-22 19:08 <DIR> d-------- C:\Program Files\SymNetDrv
2007-04-22 13:49 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\PlayFirst
2007-04-14 10:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-04-10 19:18 <DIR> d-------- C:\Program Files\Oberon Media


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-27 18:55 -------- d-------- C:\Program Files\yahoo!
2007-04-24 18:20 -------- d--h----- C:\Program Files\installshield installation information
2007-04-23 16:00 -------- d-------- C:\Program Files\dell photo aio printer 942
2007-04-23 01:33 -------- d-------- C:\Program Files\peerguardian2
2007-04-22 23:33 -------- d-------- C:\Program Files\norton antivirus
2007-04-22 23:30 -------- d-------- C:\Program Files\messenger
2007-04-22 19:08 -------- d-------- C:\Program Files\symantec
2007-04-02 14:20 -------- d-------- C:\Program Files\winamp
2007-03-17 09:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-12 11:15 38400 -ra------ C:\WINDOWS\system32\drivers\SRS_SSCFilter_i386.sys
2007-03-10 23:41 -------- d-------- C:\Program Files\srs labs
2007-03-08 11:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 11:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 11:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 09:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-02-05 16:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{5CA3D70E-1895-11CF-8E15-001234567890} C:\WINDOWS\System32\DLA\DLASHX_W.DLL
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
{BDF3E430-B101-42AD-A544-FADC6B084872} C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"PPFW"="c:\\program files\\panda software\\panda platinum 2006 internet security\\firewall\\PPFW.EXE PPFW.EXE /cmd:allowpandarules /prod:platinum /mod:3 /flg:2 /ver:10.2.0"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"TPSMain"="TPSMain.exe"
"TouchED"="C:\\Program Files\\TOSHIBA\\TouchED\\TouchED.Exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe"
"SigmaTel StacMon"="C:\\Program Files\\SigmaTel\\SigmaTel AC97 Audio Drivers\\stacmon.exe"
"NAV CfgWiz"="C:\\Program Files\\Common Files\\Symantec Shared\\CfgWiz.exe /GUID NAV /CMDLINE \"REBOOT\""
"ezShieldProtector for Px"="C:\\WINDOWS\\System32\\ezSP_Px.exe"
"DLA"="C:\\WINDOWS\\System32\\DLA\\DLACTRLW.EXE"
"DellMCM"="\"C:\\Program Files\\Dell Photo AIO Printer 942\\memcard.exe\""
"Dell Photo AIO Printer 942"="\"C:\\Program Files\\Dell Photo AIO Printer 942\\dlbubmgr.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"AGRSMMSG"="AGRSMMSG.exe"
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"
"UpgConfVer"="\"C:\\Program Files\\Panda Software\\Panda Platinum 2006 Internet Security\\UpgConf.exe\" /v:10.02.00"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"SRS Audio Sandbox"="\"C:\\Program Files\\SRS Labs\\Audio Sandbox\\SRSSSC.exe\" /hideme"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\READER~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Synchronizer.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Synchronizer.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\READER~1.0\\Reader\\ADOBEC~1.EXE "
"item"="Adobe Reader Synchronizer"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\000StTHK]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="000StTHK"
"hkey"="HKLM"
"command"="000StTHK.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00THotkey]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="00THotkey"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\00THotkey.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APVXDWIN]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="APVXDWIN"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Panda Software\\Panda Platinum 2006 Internet Security\\APVXDWIN.EXE\" /s"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ares"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Ares\\Ares.exe\" -h"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\B'sCLiP]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BSCLIP"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\B'SCLI~1\\Win2K\\BSCLIP.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /installquiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pinger"
"hkey"="HKLM"
"command"="C:\\TOSHIBA\\IVP\\ISM\\pinger.exe /run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SCANINICIO]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Inicio"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Panda Software\\Panda Platinum 2006 Internet Security\\Inicio.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFncKy]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TFncKy"
"hkey"="HKLM"
"command"="TFncKy.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFNF5]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TFNF5"
"hkey"="HKLM"
"command"="TFNF5.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpgConfVer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UpgConf"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Panda Software\\Panda Platinum 2006 Internet Security\\UpgConf.exe\" /v:10.02.00"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-29 20:57:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-04-29 20:57:25
C:\ComboFix-quarantined-files.txt ... 07-04-29 20:57



#2 Jintan

  • Malware Response Team
  • 531 posts
  • OFFLINE
  • Local time:12:40 PM

Posted 10 May 2007 - 03:20 PM

Howdy Protege,

And welcome to BleepingComputer. That log paints a complex picture that is hard to work through, other than I don't seem to pick up any actual infection showing there. So I can understand your situation: you have Norton AV installed, then with that also installed a full version of Panda AV? I see you have tried to disable some of the Panda startups through msconfig, which actually may add to the problem, and also SpyBot's TeaTimer is enabled there, so it would be difficult to tell what pieces of any installs it stopped from occurring correctly, or subsequently what registry changes made were undone by it on reboot. If you did install a full Panda AV with an existing Norton AV installed, there is a very likely chance both pieces of software have corrupted to a point where uninstalling either may not be an available option. Right off, I would disable any AV software and TeaTimer, just to get clear of any activity from them.
Ad eundum quo no duck ante iit
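To make the reading of these logs in the reply above reproducible, here is an added Python triage script (not the poster's code and not a BleepingComputer tool) that parses the StartupList Run sections and the ComboFix msconfig startupreg blocks shown in the thread, then reports which security products still autostart, which were only unticked in msconfig, and whether two AV engines are present at once. The excerpt it runs on is constructed from the formats above, and the vendor keyword map is an assumption.

```python
import re

# Constructed excerpt in the StartupList and ComboFix formats quoted above (shortened; not the poster's log).
SAMPLE_LOG = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

PPFW = c:\program files\panda software\panda platinum 2006 internet security\firewall\PPFW.EXE /mod:3
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
--------------------------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APVXDWIN]
"item"="APVXDWIN"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Panda Software\\Panda Platinum 2006 Internet Security\\APVXDWIN.EXE\" /s"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
"item"="Ares"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Ares\\Ares.exe\" -h"
"""
RUN_KEY = re.compile(r"^(HKLM|HKCU)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
MSCONFIG_KEY = re.compile(r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\([^\]]+)\]$", re.I)
REG_VALUE = re.compile(r'^"(\w+)"="(.*)"$')
# Assumption: a small keyword map is enough to attribute entries to the products named in this thread.
VENDORS = {"Symantec/Norton": ("symantec", "norton"), "Panda": ("panda",), "Spybot": ("spybot",)}

def parse_report(text):
    """active = [(hive, name, command)] from StartupList Run sections; disabled = ComboFix msconfig/startupreg blocks."""
    active, disabled, hive, block = [], [], None, None
    for line in text.splitlines():
        line = line.strip()
        if m := RUN_KEY.match(line):
            hive = m.group(1).upper()
        elif m := MSCONFIG_KEY.match(line):
            block, hive = {"name": m.group(1)}, None
            disabled.append(block)
        elif line.startswith("---"):  # StartupList section separator ends the Run listing
            hive = None
        elif not line:  # a blank line closes a ComboFix registry block
            block = None
        elif block is not None and (m := REG_VALUE.match(line)):
            block[m.group(1)] = m.group(2)
        elif hive and " = " in line:
            name, cmd = line.split(" = ", 1)
            active.append((hive, name, cmd))
    return active, disabled

def vendor_of(command):
    return next((v for v, keys in VENDORS.items() if any(k in command.lower() for k in keys)), None)

def triage(text):
    """What still autostarts, what was only hidden via msconfig (so still installed), and whether two AV engines coexist."""
    active, disabled = parse_report(text)
    active_v = {vendor_of(c) for _, _, c in active} - {None}
    installed = active_v | {vendor_of(b.get("command", "")) for b in disabled}
    return {
        "active_vendors": sorted(active_v),
        "msconfig_disabled": [(b["hkey"], b["item"]) for b in disabled],
        "multiple_av": len({"Panda", "Symantec/Norton"} & installed) > 1,
        "teatimer_active": any("teatimer" in c.lower() for _, _, c in active),
    }
```

Running `triage` over a full StartupList plus ComboFix paste gives the same three facts the reply keys on: two AV engines installed, Panda entries merely unticked in msconfig, and TeaTimer still active.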



