
Virus?


22 replies to this topic

#1 SaGe14


  • Members
  • 20 posts

Posted 06 May 2007 - 09:40 AM

Alright, well I have Windows XP Pro SP2 and recently my computer has just been doing a lot of weird things.

I constantly have extremely high CPU usage and a ton of processes running that I can't close or identify (about 5-6 svchost.exe's, lsass.exe, winlogon.exe, csrss.exe, MsgSvr.exe, smss.exe, PXAgent.exe, nvsvc32.exe, and alg.exe). These open the second I turn on the computer.

Also, sometimes when I'm in a program (usually Photoshop or Cinema 4D), it just stops allowing me to use some tools, like for example I'll try to save something and it just won't work. Or I won't be able to open something, I click File>Open... and no box comes up.

Also, sometimes websites don't allow me to do things, like www.imageshack.us sometimes does not allow me to click the "Browse" button so I can search for images to host on my computer. Usually if I close Firefox and end a couple of random processes, or occasionally log off and back on, it will then work.

I have the following programs and have used them all a couple of times:

Ad-Aware SE Personal, HijackThis, Spybot - Search & Destroy, Procexp, Prevx1, and Ewido anti-spyware.

And regarding the svchost.exe problem, my automatic updates are set to off (but I did update a couple of days ago), and I downloaded a patch Windows released recently that was supposed to fix it.

I don't know if this will help or if I'm supposed to post it outside of the specified forum, but here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:21:37 AM, on 5/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\Program Files\Promise Technology, Inc\Promise Array Management\MsgSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Eric\Desktop\Unused Desktop Shortcuts\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\Eric\LOCALS~1\Temp\winlogon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Promise Array Message Server (RAIDmSvr) - Unknown owner - C:\Program Files\Promise Technology, Inc.\Promise Array Management\MsgSvr.exe

Thanks.


Moved from the XP Forum. ~acklan~

Edited by acklan, 06 May 2007 - 10:39 AM.



#2 SaGe14

  • Topic Starter

  • Members
  • 20 posts

Posted 07 May 2007 - 12:46 PM

*Bump*

This is the entire log, I think the problem may be getting worse.

#3 tink536


    **pixie in training**


  • Members
  • 1,853 posts
  • Gender:Female
  • Location:Honolulu, Hawaii

Posted 10 May 2007 - 07:29 AM

Hi SaGe14,
Welcome to the forums & sorry for the delay.

I am looking over your log at the moment and will post back soon.

Please do not make any changes to your system while you are waiting.

Thanks
Tink

I search for Sjogrens Syndrome Foundation...Who will you search for?


#4 tink536


    **pixie in training**


  • Members
  • 1,853 posts
  • Gender:Female
  • Location:Honolulu, Hawaii

Posted 11 May 2007 - 01:37 AM

Hi again SaGe14,
Tink here; I'll be helping you with your log.

Please follow these instructions in the order they are written. If you have any problems with any of the steps, please let me know before moving on.

Please print out these instructions or save them to Notepad, as this page may not be readily available during the fix.

Make sure that you can see hidden files.
  • Click Start.
  • Click My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Uncheck the Hide file extensions for known file types.
  • Click OK.
Uninstall your ewido anti-malware via Add or Remove; it is an outdated version of the program. The latest version is AVG Anti-Spyware.
After uninstalling, delete the ewido folder:
C:\Program Files\ewido

Download and install AVG Anti-Spyware v7.5.
  • After download, double click on the file to launch the install process.
  • Choose a language, click "OK" and then click "Next".
  • Read the "License Agreement" and click "I Agree".
  • Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "Next", then click "Install".
  • After setup completes, click "Finish" to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray.
  • Connect to the Internet, go back to AVG Anti-Spyware, select the "Update" button and click "Start update". Wait until you see the "Update successful" message. If you are having problems with the updater, manually update with the AVG Anti-Spyware Full database installer from here.
  • Exit AVG Anti-Spyware when done - DO NOT perform a scan yet.
Run HijackThis and check the boxes next to the following entries:

O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\Eric\LOCALS~1\Temp\winlogon.exe


Close all other browsers and windows and hit "Fix Checked".

Boot Your Computer into Safe Mode
  • Shut down the computer
  • Wait 20 seconds.
  • Turn on the computer and immediately press the F8 key on the keyboard, once every second. If you get a keyboard error, press the F1 key and continue pressing the F8 key once every second.
  • The Windows Startup Menu appears.
  • Select option #3 (Safe Mode).
  • Press the Enter key. A dialog box confirms that Windows is in Safe Mode.
  • Click OK. Note: This may take longer than a normal boot.
Find and delete the following file(s) if they are still present:
C:\Documents and Settings\Eric\Local Settings\Temp\winlogon.exe

Scan with AVG Anti-Spyware as follows:
  • Click on the "Scanner" button and choose the "Settings" tab.
  • Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
  • Under "How to Scan?", "Possibly unwanted software", and "What to Scan?" leave all the default settings.
  • Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".
  • Click the "Scan" tab to return to scanning options.
  • Click "Complete System Scan" to start.
  • When the scan has finished, it should automatically be set to Quarantine; if not, click on Recommended Action and set it there.
  • You will also be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.
IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.
  • Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\
  • Exit AVG Anti-Spyware when done, reboot normally and submit the log report in your next response.
Note: Close all open windows, programs, and DO NOT USE the computer while AVG Anti-Spyware is scanning. Doing so can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection.

AVG Anti-Spyware is free for 30 days and all the extensions of the full version will be activated. After the 30 day trial, active protection extensions will be deactivated and the program will turn into a feature-limited freeware version that you can continue to use as an on-demand scanner, or you may purchase a license to use the full version.

You may have to use separate posts for your AVG log.

In your next reply, please include:
  • a new HijackThis log
  • AVG anti-spyware log
Thanks,
Tink
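As an added example (not code from the thread, from HijackThis or from AVG), here is a small Python checker that applies the reasoning behind the O4 fix above to a HijackThis log: it parses the "Running processes" list and the O4 Run entries and flags any program that carries a core Windows binary name but runs from outside the Windows directory, or that starts from a user Temp/profile folder, which is exactly what singles out the Temp copy of winlogon.exe. The list of system names, the trusted C:\WINDOWS prefix and the cut-down sample log (copied from the first log in the thread) are this example's own assumptions.

```python
import re
from typing import Dict, List

# Names of core Windows binaries that malware likes to borrow (the names the
# original poster listed). A genuine copy runs from the Windows directory.
SYSTEM_NAMES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "alg.exe", "ctfmon.exe",
}
TRUSTED_PREFIX = "c:\\windows\\"  # %SystemRoot% on the poster's XP box (assumption)
# Per-user locations that a legitimate system binary never starts from.
SUSPECT_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\")

# HijackThis O4 line: "O4 - HKCU\..\Run: [Firewall auto setup] C:\...\winlogon.exe"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$"
)


def executable_from_command(cmd: str) -> str:
    """Strip quotes and arguments from a Run-key command line, leaving the program path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.(?:exe|com|scr|bat|cmd))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]


def assess_path(path: str) -> List[str]:
    """Return the reasons an executable path looks suspicious (empty list if none)."""
    # HijackThis prints 8.3 short names; expand the two that appear in the thread.
    low = (path.lower()
           .replace("docume~1", "documents and settings")
           .replace("locals~1", "local settings"))
    if "\\" not in low:
        return []  # bare name resolved via PATH (e.g. RUNDLL32.EXE): nothing to judge
    name = low.rsplit("\\", 1)[1]
    reasons = []
    if name in SYSTEM_NAMES and not low.startswith(TRUSTED_PREFIX):
        reasons.append(f"system binary name '{name}' running outside {TRUSTED_PREFIX}")
    if any(d in low for d in SUSPECT_DIRS):
        reasons.append("program started from a user Temp/profile directory")
    return reasons


def scan_hjt_log(text: str) -> List[Dict[str, str]]:
    """Walk a HijackThis log; return one finding per reason per suspicious process or O4 entry."""
    findings: List[Dict[str, str]] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:  # a blank line ends the process list
                in_processes = False
                continue
            for reason in assess_path(line):
                findings.append({"section": "process", "entry": line, "reason": reason})
            continue
        m = O4_RE.match(line)
        if m:
            exe = executable_from_command(m.group("cmd"))
            for reason in assess_path(exe):
                findings.append({"section": f"O4 {m.group('hive')}", "entry": line, "reason": reason})
    return findings


# Constructed sample: a cut-down copy of the first log posted in the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Prevx1\PXAgent.exe
C:\Documents and Settings\Eric\Desktop\Unused Desktop Shortcuts\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\Eric\LOCALS~1\Temp\winlogon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for f in scan_hjt_log(SAMPLE_LOG):
        print(f"[{f['section']}] {f['reason']}\n    {f['entry']}")
```

On the sample the only entry reported is the HKCU Run value pointing at the Temp winlogon.exe, for both reasons; the genuine system32 copies and the user's own tools pass.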


#5 SaGe14

  • Topic Starter

  • Members
  • 20 posts

Posted 11 May 2007 - 10:07 PM

Hey thanks a lot for the reply, I'm very impressed with this website so far.

Now, here's a Hijack This! logfile I saved just now after completing the steps you outlined for me:

Logfile of HijackThis v1.99.1
Scan saved at 10:59:42 PM, on 5/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Promise Technology, Inc\Promise Array Management\MsgSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Eric\Desktop\Unused Desktop Shortcuts\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Promise Array Message Server (RAIDmSvr) - Unknown owner - C:\Program Files\Promise Technology, Inc.\Promise Array Management\MsgSvr.exe

And here's the AVG Anti-Spyware Logfile:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:18:33 PM 5/11/2007

+ Scan result:



C:\Documents and Settings\Eric\Desktop\Unused Desktop Shortcuts\backups\backup-20070429-135023-628.dll -> Adware.BHO : Cleaned with backup (quarantined).
C:\U.exe -> Downloader.Agent.axs : Cleaned with backup (quarantined).
C:\WINDOWS\system32\uvnx.exe -> Downloader.Agent.axs : Cleaned with backup (quarantined).
C:\WINDOWS\system32\user_32.dll -> Downloader.VB.asx : Cleaned with backup (quarantined).
C:\WINDOWS\loader.exe -> Not-A-Virus.Hoax.Win32.Renos.dk : Cleaned with backup (quarantined).
C:\WINDOWS\system32\idleserv.exe -> Not-A-Virus.Hoax.Win32.Renos.fn : Cleaned with backup (quarantined).
C:\WINDOWS\200.exe -> Proxy.Small.du : Cleaned with backup (quarantined).
:mozilla.331:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned.
:mozilla.332:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned.
:mozilla.232:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.233:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.234:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.235:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.236:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.237:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.238:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.239:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.240:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.241:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.242:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.187:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.188:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.194:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.26:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.27:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.28:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.29:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.30:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.37:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.40:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.81:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.82:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.83:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.84:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.85:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Eric\Cookies\eric@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.41:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Eric\Cookies\eric@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.282:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.86:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.87:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.88:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.89:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.90:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.91:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.92:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.180:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.184:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.185:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.186:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.52:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.334:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.335:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.336:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.337:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.42:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.43:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.44:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.45:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.46:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.47:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.48:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.49:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.50:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.253:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.283:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.284:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.60:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.277:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.157:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Paypal : Cleaned.
:mozilla.124:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.125:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.126:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.127:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.190:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.191:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Eric\Cookies\eric@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.269:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.270:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.271:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.272:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.273:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.274:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Eric\Cookies\eric@revsci[1].txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.31:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.32:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.33:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.143:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.144:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.145:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.146:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.147:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.148:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.149:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Skype : Cleaned.
:mozilla.132:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.133:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.134:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.135:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.136:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.137:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.138:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.139:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.140:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.141:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.142:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.118:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.120:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.121:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.122:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.169:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.171:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.172:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.176:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.289:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.290:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.291:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.292:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.293:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.294:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.295:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.296:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.297:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.53:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.54:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.366:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Webtrends : Cleaned.
:mozilla.123:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.34:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.35:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.38:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.39:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.173:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.174:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.175:C:\Documents and Settings\Eric\Application Data\Mozilla\Firefox\Profiles\a8uu5ihd.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
C:\WINDOWS\system32\mhypjuyd.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).


::Report end

#6 tink536

tink536

    **pixie in training**


  • Members
  • 1,853 posts
  • OFFLINE
  • Gender:Female
  • Location:Honolulu, Hawaii
  • Local time:09:02 AM

Posted 13 May 2007 - 03:39 AM

Hi again SaGe14,
Your log looks a little short, so I need you to rename the HijackThis application.

Go to the folder where Hijackthis is kept and rename the hijackthis application to "HJT".
This can be done by right clicking on the program and clicking "rename".
Press enter, then open "HJT.exe" by double clicking.
Post a new Hijackthis log from the newly named application.

Please download Combofix to your desktop.
Doubleclick combo.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.

In your next reply, please include:
  • a new HijackThis log
  • combofix.txt

I search for Sjogrens Syndrome Foundation...Who will you search for?


#7 SaGe14

SaGe14
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:02:02 PM

Posted 13 May 2007 - 11:17 AM

Alright, here's the new Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:10:58 PM, on 5/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Promise Technology, Inc\Promise Array Management\MsgSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Eric\Desktop\HijackThis\HJT.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Promise Array Message Server (RAIDmSvr) - Unknown owner - C:\Program Files\Promise Technology, Inc.\Promise Array Management\MsgSvr.exe

Also, I don't know what would cause the log to be so short, but it's definitely possible that I have deleted things I shouldn't have using HJT. I've generally used tutorials and whatnot when running it, but I tend to be a little overzealous when it comes to spyware/adware/viruses. So if that could cause the short log, it could definitely be the reason.

Here's the Combofix log:

"Eric" - 2007-05-13 12:00:47 Service Pack 2
ComboFix 07-05.13.V - Running from: "C:\Documents and Settings\Eric\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\mst.sys
C:\WINDOWS\system32\winsys.exe
C:\Program Files\winupdates
C:\WINDOWS\system32\components


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-13 ))))))))))))))))))))))))))))))))))


2007-05-13 00:35 <DIR> d----c--- C:\Take Off Your Pants And Jacket
2007-05-13 00:20 <DIR> d----c--- C:\Blink 182 - Discography
2007-05-12 21:46 <DIR> d----c--- C:\Jimmy Eat World - Bleed American-SoOTi
2007-05-12 17:36 <DIR> d----c--- C:\The Decemberists - Her Majesty [2003]
2007-05-12 17:28 <DIR> d----c--- C:\The Decemberists - Castaways And Cutouts [2002]
2007-05-12 17:24 <DIR> d-------- C:\Program Files\QuickTime
2007-05-12 17:24 <DIR> d-------- C:\Program Files\iTunes
2007-05-12 17:24 <DIR> d-------- C:\Program Files\iPod
2007-05-12 17:23 <DIR> d-------- C:\Program Files\Apple Software Update
2007-05-11 20:04 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-05-11 19:39 <DIR> d-------- C:\Program Files\Camtech
2007-05-08 20:46 <DIR> d-------- C:\Program Files\Joost
2007-05-08 20:46 <DIR> d-------- C:\DOCUME~1\Eric\APPLIC~1\Joost
2007-05-07 19:48 <DIR> d-------- C:\Program Files\msn gaming zone
2007-05-07 19:48 <DIR> d-------- C:\Program Files\movie maker
2007-05-07 19:48 <DIR> d-------- C:\Program Files\microsoft frontpage
2007-05-07 19:46 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Vso
2007-05-07 19:32 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\KillProcess
2007-05-06 11:27 <DIR> d-------- C:\DOCUME~1\Eric\APPLIC~1\KillProcess
2007-05-06 11:04 <DIR> d-------- C:\Program Files\F-Group
2007-05-06 10:05 <DIR> d----c--- C:\Che Guevara - Guerrilla Warfare (pdf)
2007-05-05 15:13 <DIR> d----c--- C:\You MUST browse to the host program plugin dir
2007-05-02 16:23 <DIR> d----c--- C:\Futurama - S04E03 - Anthology Of Interest II
2007-04-29 20:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SecTaskMan
2007-04-29 16:27 <DIR> d-------- C:\Program Files\PeerGuardian2
2007-04-29 13:43 112,375 --a------ C:\Program Files\CnCPatch.exe
2007-04-29 13:39 140 --a------ C:\WINDOWS\regres.bat
2007-04-29 13:39 <DIR> d-------- C:\Program Files\Elrise
2007-04-29 13:37 <DIR> d-------- C:\Program Files\Silents
2007-04-29 13:31 5,300,467 --a--c--- C:\Registry Booster.exe
2007-04-29 13:25 <DIR> d-------- C:\DOCUME~1\Eric\APPLIC~1\Uniblue
2007-04-29 13:16 <DIR> d-------- C:\DOCUME~1\Eric\APPLIC~1\USBSafelyRemove
2007-04-29 13:02 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-04-28 10:53 <DIR> d----c--- C:\Futurama season 1-5 (complete) + extras
2007-04-28 10:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Azureus
2007-04-26 18:16 <DIR> d----c--- C:\Seven Samurai - Akira Kurosawa - 1954 [Strife]
2007-04-26 18:16 <DIR> d----c--- C:\8.1963.ITA.DVDRip.XviD-LT-1
2007-04-26 18:16 <DIR> d----c--- C:\8.1963.ITA.DVDRip.XviD-LT
2007-04-26 18:16 <DIR> d----c--- C:\1966 - Andrei Rublev (Andrei Tarkovsky)
2007-04-26 18:14 <DIR> d----c--- C:\Blink 182 Discography
2007-04-26 15:15 <DIR> d----c--- C:\futurama s1
2007-04-20 20:40 <DIR> d-------- C:\WINDOWS\9DD3BF8E03994B15878BCE48CE4961F9.TMP
2007-04-17 16:18 <DIR> d-------- C:\Program Files\MAXON


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-13 08:27:10 -------- d-----w C:\DOCUME~1\Eric\APPLIC~1\Azureus
2007-05-13 00:27:38 -------- d-----w C:\Program Files\Azureus
2007-05-06 02:52:31 -------- d-----w C:\Program Files\Starcraft
2007-05-05 01:07:47 -------- d-----w C:\Program Files\Steam
2007-05-03 04:26:06 -------- d-----w C:\DOCUME~1\Eric\APPLIC~1\Vso
2007-04-29 20:58:04 -------- d-----w C:\DOCUME~1\Eric\APPLIC~1\Prevx
2007-04-21 03:42:59 -------- d-----w C:\Program Files\Common Files\Ahead
2007-04-21 03:41:27 -------- d-----w C:\Program Files\Avi2Dvd
2007-04-21 03:41:00 -------- d-----w C:\Program Files\AMD
2007-04-08 00:23:45 -------- d--h--w C:\DOCUME~1\Eric\APPLIC~1\Move Networks
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-02-28 03:57:33 335 -c--a-w C:\WINDOWS\nsreg.dat
2007-02-14 15:28:09 967 ----a-w C:\WINDOWS\ScUnin.pif
2007-02-14 15:28:09 94,208 ----a-w C:\WINDOWS\ScUnin.exe
2007-02-14 15:28:09 25,423 ----a-w C:\WINDOWS\scunin.dat
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-11-17 18:29]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2006-10-07 05:20]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-04-27 11:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=dword:00000001
"AllowUnhashedWebView"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=dword:00000000
"NoThemesTab"=dword:00000000
"NoFavoritesMenu"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}"="C:\Program Files\Trend Micro\Tmas\sshook.dll" [2006-08-26 13:26]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 07:13]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="wbsys.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PREVXAgent"=dword:00000002

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
HTTPFilter HTTPFilter\0\0
DcomLaunch DcomLaunch\0TermService\0\0
WudfServiceGroup WUDFSvc\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]
Shell\AutoRun\command E:\SETUP.EXE

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\HP Usg Daily.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-13 12:01:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-13 12:01:54
C:\ComboFix-quarantined-files.txt ... 2007-05-13 12:01

There are also 2 previously hidden files on my desktop called ~WRL0004.tmp and ~WRL1953.tmp

Thanks!

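A small triage script for HijackThis-style logs, added here as an example and not part of this thread or of the HijackThis tool. It parses the `O2`/`O4`/`O23` line formats seen in the logs posted above and flags the three weak signals a helper would look at first: registered objects whose file is missing (`(no file)`), services whose binary carries no publisher string (`Unknown owner`), and Run entries that launch from user-writable locations such as Temp or Application Data. The sample lines are copied from the logs in this thread except the `[updater]` line, which is a constructed example of the last case; the `Finding` class and `triage` function are this example's own names.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O4"
    reason: str    # why the entry was flagged
    raw: str       # the original log line


# Directories from which a Run entry is normally expected to launch.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

# User-writable locations that legitimate autostarts rarely use.
SUSPECT_MARKERS = ("\\temp\\", "\\locals~1\\", "\\application data\\",
                   "\\applic~1\\", "\\desktop\\")

# Sample log lines taken from the HijackThis logs posted in this thread;
# the "[updater]" line is constructed to show a user-writable launch path.
SAMPLE_LOG = "\n".join([
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r'O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized',
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - HKCU\..\Run: [updater] C:\DOCUME~1\Eric\LOCALS~1\Temp\updater.exe",  # constructed
    r"O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe",
    r"O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe",
    r"O23 - Service: Promise Array Message Server (RAIDmSvr) - Unknown owner - C:\Program Files\Promise Technology, Inc.\Promise Array Management\MsgSvr.exe",
])

_ENTRY = re.compile(r"^(O\d+)\s+-\s+(.*)$")
_O4 = re.compile(r"^(HK\w+)\\\.\.\\(\w+):\s+\[([^\]]*)\]\s+(.*)$")
# HijackThis separates name, publisher and path with " - "; a name or path
# that itself contains " - " is ambiguous in this format, so this is best effort.
_O23 = re.compile(r"^Service:\s+(.*?)\s+-\s+(.*?)\s+-\s+(.*)$")


def _command_path(cmd):
    """Extract the executable (or DLL) path from a Run command string.

    Handles quoted paths and RUNDLL32 launchers, for which the DLL argument
    rather than rundll32.exe itself is the thing worth checking.
    """
    cmd = cmd.strip()
    if cmd.lower().startswith("rundll32.exe "):
        cmd = cmd[len("rundll32.exe "):].split(",", 1)[0]
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def triage(log_text):
    """Return a list of Finding objects for the suspicious entries in log_text."""
    findings = []
    for line in log_text.splitlines():
        raw = line.strip()
        m = _ENTRY.match(raw)
        if not m:
            continue  # process list, headers, blank lines
        section, body = m.groups()
        if "(no file)" in body:
            findings.append(Finding(section, "orphaned entry: registered object whose file no longer exists", raw))
            continue
        if section == "O4":
            m4 = _O4.match(body)
            if m4:
                path = _command_path(m4.group(4)).lower()
                if any(marker in path for marker in SUSPECT_MARKERS):
                    findings.append(Finding(section, "autostart launches from a user-writable location", raw))
                elif not path.startswith(TRUSTED_PREFIXES):
                    findings.append(Finding(section, "autostart launches from an unexpected directory", raw))
        elif section == "O23":
            m23 = _O23.match(body)
            if m23 and m23.group(2).strip().lower() == "unknown owner":
                findings.append(Finding(section, "service binary carries no publisher string; verify its origin", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.raw}")
```

Run against the sample it reports three entries: the orphaned BHO, the constructed Temp-launched Run entry, and the RAIDmSvr service. None of these is proof of infection on its own (the Promise service in this thread is a legitimate RAID management component that simply lacks version info), which is why the script reports reasons for a human to verify rather than verdicts.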
#8 tink536

tink536

    **pixie in training**


  • Members
  • 1,853 posts
  • OFFLINE
  • Gender:Female
  • Location:Honolulu, Hawaii
  • Local time:09:02 AM

Posted 15 May 2007 - 07:10 AM

Hi again SaGe14,
Sorry for the delay in response. I'm getting a little more information and I'll post back soon. :thumbsup:

Tink

I search for Sjogrens Syndrome Foundation...Who will you search for?


#9 tink536

tink536

    **pixie in training**


  • Members
  • 1,853 posts
  • OFFLINE
  • Gender:Female
  • Location:Honolulu, Hawaii
  • Local time:09:02 AM

Posted 16 May 2007 - 08:18 AM

Hi SaGe14,
I apologize again for the delay.

Thanks for letting me know about the entries you fixed in HijackThis.
I would like to review them just to be safe, so can you please follow the directions below.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepads: main.txt and extra.txt
  • Use Save As to save both Notepad files to your Desktop.
  • Copy and paste the contents of main.txt & extra.txt in your next response.
Thanks,
:thumbsup: Tink

Edited by tink536, 16 May 2007 - 08:18 AM.

I search for Sjogrens Syndrome Foundation...Who will you search for?


#10 SaGe14

SaGe14
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:02:02 PM

Posted 16 May 2007 - 02:21 PM

Alright, I probably should have mentioned that earlier, sorry.

Here's main.txt:

Deckard's System Scanner v20070426.43
Run by Eric on 2007-05-16 at 15:12:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2007-05-16 22:12:02 UTC - RP1 - System Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as Eric.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 3:13:09 PM, on 5/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Promise Technology, Inc\Promise Array Management\MsgSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Eric\Desktop\dss.exe
C:\DOCUME~1\Eric\Desktop\UNUSED~1\HijackThis\Eric.exe

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSN Messenger\msgrapp.8.1.0178.00.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Promise Array Message Server (RAIDmSvr) - Unknown owner - C:\Program Files\Promise Technology, Inc.\Promise Array Management\MsgSvr.exe


-- File Associations -----------------------------------------------------------

.vbs - VBSFile - shell\open\command - unable to read value


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 aslm75 - c:\windows\system32\drivers\aslm75.sys
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R1 vcdrom (Virtual CD-ROM Device Driver) - c:\windows\system32\drivers\vcdrom.sys <Not Verified; Microsoft Corporation; VirtualCdRom>
R2 Dev_UNIDRV - c:\windows\system32\drivers\unidrv.sys <Not Verified; TwinSSoft Co.; ChipCfg/HWConfig NT direct hardware access driver>
R3 Pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>

S1 DumaNT (NVIDIA Stereo Helper Service) - c:\windows\system32\drivers\dumant.sys (file missing)
S3 AMDPCI - c:\docume~1\eric\locals~1\temp\amdpci.sys (file missing)
S3 amdtools (AMD Special Tools Driver) - c:\windows\system32\drivers\amdtools.sys (file missing)
S3 ENTECH - c:\windows\system32\drivers\entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
S3 GMSIPCI - d:\install\gmsipci.sys (file missing)
S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
S3 TIEHDUSB - c:\windows\system32\drivers\tiehdusb.sys <Not Verified; Texas Instruments Incorporated; Texas Instruments Incorporated Educational Handheld Device>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 RAIDmSvr (Promise Array Message Server) - c:\program files\promise technology, inc.\promise array management\msgsvr.exe <Not Verified; ; Promise Message Server>

S4 ipxmontr - "c:\windows\ipxmontr.exe" (file missing)
S4 NMSAccess - c:\program files\cheetah burner\cheetah cd burner\nmsaccess.exe


-- Scheduled Tasks -------------------------------------------------------------

2007-05-15 21:40:00 340 --a------ C:\WINDOWS\Tasks\HP Usg Daily.job
2007-05-12 17:23:34 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-04-16 and 2007-05-16 -----------------------------

2007-05-14 17:24:15 0 d------c- C:\The Decemberists - The Crane Wife [2006]
2007-05-14 15:51:55 0 d------c- C:\The_Decemberists_-_Picaresque[2004]
2007-05-13 20:10:45 0 d------c- C:\Crack
2007-05-13 20:10:41 28604928 --a----c- C:\RCSetup.exe
2007-05-13 19:26:22 135168 --a------ C:\WINDOWS\system32\DSKernel2.dll <Not Verified; LEAD Technologies, Inc.; LEADTOOLS Multimedia Filter Pack>
2007-05-13 19:25:59 0 d-------- C:\Program Files\Replay Converter
2007-05-13 16:34:14 0 d-------- C:\Documents and Settings\Eric\Contacts
2007-05-13 16:33:48 0 d------c- C:\WINDOWS\system32\DRVSTORE
2007-05-13 16:33:43 0 d-------- C:\Program Files\MSN Messenger
2007-05-13 16:14:34 0 d------c- C:\Amerika
2007-05-13 00:35:29 0 d------c- C:\Take Off Your Pants And Jacket
2007-05-13 00:20:29 0 d------c- C:\Blink 182 - Discography
2007-05-12 21:46:25 0 d------c- C:\Jimmy Eat World - Bleed American-SoOTi
2007-05-12 17:36:51 0 d------c- C:\The Decemberists - Her Majesty [2003]
2007-05-12 17:28:43 0 d------c- C:\The Decemberists - Castaways And Cutouts [2002]
2007-05-12 17:24:41 0 d-------- C:\Program Files\iPod
2007-05-12 17:24:38 0 d-------- C:\Program Files\iTunes
2007-05-12 17:24:07 0 d-------- C:\Program Files\QuickTime
2007-05-12 17:23:33 0 d-------- C:\Program Files\Apple Software Update
2007-05-11 20:03:47 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-05-11 19:39:41 0 d-------- C:\Program Files\Camtech
2007-05-08 20:46:23 0 d-------- C:\Documents and Settings\Eric\Application Data\Joost
2007-05-08 20:46:12 0 d-------- C:\Program Files\Joost
2007-05-07 19:48:01 0 d-------- C:\Program Files\msn gaming zone
2007-05-07 19:48:01 0 d-------- C:\Program Files\movie maker
2007-05-07 19:48:01 0 d-------- C:\Program Files\microsoft frontpage
2007-05-07 19:46:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\Vso
2007-05-07 19:32:06 0 d-------- C:\Documents and Settings\Administrator\Application Data\KillProcess
2007-05-07 19:25:20 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2007-05-06 11:27:25 0 d-------- C:\Documents and Settings\Eric\Application Data\KillProcess
2007-05-06 11:04:13 0 d-------- C:\Program Files\F-Group
2007-05-06 10:05:36 0 d------c- C:\Che Guevara - Guerrilla Warfare (pdf)
2007-05-05 15:13:38 0 d------c- C:\You MUST browse to the host program plugin dir
2007-05-02 16:23:54 0 d------c- C:\Futurama - S04E03 - Anthology Of Interest II
2007-04-29 20:52:48 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-04-29 16:27:00 0 d-------- C:\Program Files\PeerGuardian2
2007-04-29 13:43:17 112375 --a------ C:\Program Files\CnCPatch.exe
2007-04-29 13:39:17 140 --a------ C:\WINDOWS\regres.bat
2007-04-29 13:39:15 0 d-------- C:\Program Files\Elrise
2007-04-29 13:37:10 0 d-------- C:\Program Files\Silents
2007-04-29 13:31:52 5300467 --a----c- C:\Registry Booster.exe
2007-04-29 13:25:14 0 d-------- C:\Documents and Settings\Eric\Application Data\Uniblue
2007-04-29 13:16:19 0 d-------- C:\Documents and Settings\Eric\Application Data\USBSafelyRemove
2007-04-29 13:02:15 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2007-04-28 10:53:45 0 d------c- C:\Futurama season 1-5 (complete) + extras
2007-04-28 10:47:18 0 d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2007-04-26 18:16:51 0 d------c- C:\Seven Samurai - Akira Kurosawa - 1954 [Strife]
2007-04-26 18:16:26 0 d------c- C:\1966 - Andrei Rublev (Andrei Tarkovsky)
2007-04-26 18:16:14 0 d------c- C:\8.1963.ITA.DVDRip.XviD-LT
2007-04-26 18:16:08 0 d------c- C:\8.1963.ITA.DVDRip.XviD-LT-1
2007-04-26 18:14:57 0 d------c- C:\Blink 182 Discography
2007-04-26 15:15:17 0 d------c- C:\futurama s1
2007-04-20 20:40:12 0 d-------- C:\WINDOWS\9DD3BF8E03994B15878BCE48CE4961F9.TMP
2007-04-17 16:18:22 0 d-------- C:\Program Files\MAXON


-- Find3M Report ---------------------------------------------------------------

2007-05-14 21:11:22 0 d-------- C:\Program Files\Steam
2007-05-14 17:49:14 0 d-------- C:\Documents and Settings\Eric\Application Data\Azureus
2007-05-13 19:25:59 737280 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2007-05-12 17:27:38 0 d-------- C:\Program Files\Azureus
2007-05-05 19:52:31 0 d-------- C:\Program Files\Starcraft
2007-05-02 21:26:06 0 d-------- C:\Documents and Settings\Eric\Application Data\Vso
2007-04-29 13:58:04 0 d-------- C:\Documents and Settings\Eric\Application Data\Prevx
2007-04-20 20:42:59 0 d-------- C:\Program Files\Common Files\Ahead
2007-04-20 20:41:27 0 d-------- C:\Program Files\Avi2Dvd
2007-04-20 20:41:00 0 d-------- C:\Program Files\AMD
2007-04-20 20:36:53 8754 --a------ C:\Documents and Settings\Eric\Application Data\.googlewebacchosts
2007-04-15 13:42:18 0 d-------- C:\Documents and Settings\Eric\Application Data\Adobe
2007-04-07 17:23:45 0 d--h----- C:\Documents and Settings\Eric\Application Data\Move Networks
2007-03-09 00:12:32 27648 --ahs---- C:\WINDOWS\system32\AVSredirect.dll
2007-03-06 02:13:09 10752 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-03-04 04:55:40 719872 --a------ C:\WINDOWS\system32\devil.dll <Not Verified; Abysmal Software; Developer's Image Library (DevIL)>
2007-03-04 04:55:31 308224 --a------ C:\WINDOWS\system32\avisynth.dll <Not Verified; The Public; Avisynth 2.5>
2007-02-27 20:57:33 335 --a----c- C:\WINDOWS\nsreg.dat


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=dword:00000001
"AllowUnhashedWebView"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=dword:00000000
"NoThemesTab"=dword:00000000
"NoFavoritesMenu"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}"="Trend Micro Anti-Spyware Shell Extension"
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="wbsys.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PREVXAgent"=dword:00000002

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]
Shell\AutoRun\command E:\SETUP.EXE


-- End of Deckard's System Scanner: finished at 2007-05-16 at 15:13:34 ---------




And here's extra.txt:

Deckard's System Scanner v20070426.43
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ 64 Processor 3500+
Percentage of Memory in Use: 28%
Physical Memory (total/avail): 1023.22 MiB / 729.61 MiB
Pagefile Memory (total/avail): 2459.79 MiB / 2271 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1958.05 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 74.52 GiB total, 12.6 GiB free.
D: is CDROM (CDFS)
E: is CDROM (No Media)
F: is Removable (No Media)
G: is Fixed (NTFS) - 34.47 GiB total, 4.35 GiB free.


-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.

AntiVirusDisableNotify is set.
UpdatesDisableNotify is set.



-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Eric\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ERIC2
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Eric
LOGONSERVER=\\ERIC2
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\FastSum;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 15 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0f00
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Eric\LOCALS~1\Temp
TMP=C:\DOCUME~1\Eric\LOCALS~1\Temp
USERDOMAIN=ERIC2
USERNAME=Eric
USERPROFILE=C:\Documents and Settings\Eric
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Eric (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\Uninst.isu"
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\Ad-Aware SE Personal\UNWISE.EXE C:\PROGRA~1\Lavasoft\Ad-Aware SE Personal\INSTALL.LOG
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Illustrator CS2 --> msiexec /I {B2F5D08C-7E79-4FCD-AAF4-57AD35FF0601}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 7.0.5 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70500000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
AMD Power Monitor --> MsiExec.exe /X{9DD3BF8E-0399-4B15-878B-CE48CE4961F9}
AOL Instant Messenger --> C:\Program Files\AIM\uninstll.exe -LOG= C:\Program Files\AIM\install.log -OEM=
Apple Software Update --> MsiExec.exe /I{A260B422-70E1-41E2-957D-F76FA21266D5}
Athlon 64 Processor Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C151CE54-E7EA-4804-854B-F515368B0798}\setup.exe" -l0x9
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Azureus --> C:\Program Files\Azureus\Uninstall.exe
Azureus Vuze --> C:\Program Files\Azureus\uninstall.exe
CINEMA 4D Release 10 --> C:\WINDOWS\unvise32.exe C:\Program Files\MAXON\CINEMA 4D R10\uninstal_C4D.log
ConvertXtoDVD 2.1.14.223 --> "C:\Program Files\vso\ConvertXtoDVD\unins000.exe"
Cool & Quiet --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1ADE1AA0-7F82-4BB1-B1BD-727DE438057B}\Setup.exe" -l0x9
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe"
ffdshow (remove only) --> "C:\Program Files\ffdshow\uninstall.exe"
HijackThis 1.99.1 --> C:\Documents and Settings\Eric\Desktop\HijackThis\HijackThis.exe /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Memories Disc --> MsiExec.exe /X{B376402D-58EA-45EA-BD50-DD924EB67A70}
HP PrecisionScan --> MsiExec.exe /I{96F4FC6E-4F73-11D3-B4DC-00C04F6BE078}
HP Software Update --> MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
InterVideo WinDVD 5 --> "C:\Program Files\InstallShield Installation Information\{1B399A41-C1D0-40A2-9E4F-095868EFAF01}\setup.exe" REMOVEALL
iTunes --> MsiExec.exe /I{3592F5CB-B524-43AA-92F2-2377268199CC}
J2SE Runtime Environment 5.0 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150010}
J2SE Runtime Environment 5.0 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150040}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Joost ™ 0.10.1 --> C:\Program Files\Joost\uninst.exe
lcc-win32 version 3.2 (base system) --> C:\lcc\unins000.exe
Marvell Miniport Driver --> MsiExec.exe /X{C950420B-4182-49EA-850A-A6A2ABF06C6B}
Matroska Pack - Lazy Man's MKV 0.9.9 --> "C:\Program Files\LD-Anime\unins000.exe"
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office 2000 Professional --> MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Move Networks Player for Firefox --> "C:\Program Files\Mozilla Firefox\plugins\unins000.exe"
Mozilla Firefox (2.0.0.2) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe
Mozilla Firefox (2.0.0.3) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser --> MsiExec.exe /I{A43BF6A5-D5F0-4AAA-BF41-65995063EC44}
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
PeerGuardian 2.0 --> "C:\Program Files\PeerGuardian2\unins000.exe"
Photosmart 140,240,7200,7600,7700,7900 Series --> C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\setup\hpzscr01.exe -datfile hphscr01.dat
PowerISO --> "C:\Program Files\PowerISO\uninstall.exe"
PowerSettings --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Silents\PowerSettings\DeIsL1.isu" -c"C:\Program Files\Silents\PowerSettings\_ISREG32.DLL"
Promise Array Management (PAM) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FC9D4665-8553-4EBB-9456-31FD98D8C62D}\Setup.exe" -l0x9
QuickTime --> MsiExec.exe /I{08094E03-AFE4-4853-9D31-6D0743DF5328}
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
Registry Compactor 1.1 --> "C:\Program Files\Elrise\Registry Compactor\unins000.exe"
Replay Converter 2.8 --> C:\WINDOWS\iun6002.exe "C:\Program Files\Replay Converter\iruninRCV.ini"
skiStunt --> C:\Program Files\skiStunt\Uninstall.EXE /u:"Ski Stunt Simulator"
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Starcraft --> C:\WINDOWS\scunin.exe C:\WINDOWS\scunin.dat
Steam --> C:\PROGRA~1\Steam\UNWISE.EXE C:\PROGRA~1\Steam\INSTALL.LOG
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Systweak Advanced Registry Optimizer (Shareware Release) --> "C:\Program Files\Advanced Registry Optimizer\unins000.exe"
TI Connect 1.6 --> MsiExec.exe /I{A8B94669-8654-4126-BD28-D0D2412CDED6}
Topaz Vivacity --> MsiExec.exe /I{C13A8E73-7E98-4295-BA94-6931701CD1F9}
Trend Micro Anti-Spyware --> C:\Program Files\Trend Micro\Tmas\tmas.exe -uninstall
Ultimate Startup Manager --> C:\PROGRA~1\Camtech\Ultimate Startup Manager\UNWISE.EXE C:\PROGRA~1\Camtech\Ultimate Startup Manager\INSTALL.LOG
VideoLAN VLC media player 0.8.5 --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinTasks Trial --> MsiExec.exe /X{8C92D38B-C1DE-490A-B6D1-AAAA8E17DCE2}
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall


-- End of Deckard's System Scanner: finished at 2007-05-16 at 15:13:34 ---------


Thanks.

Edited by SaGe14, 16 May 2007 - 02:22 PM.


#11 tink536

Posted 18 May 2007 - 02:06 AM

Hi again SaGe14,
Sorry again for the delay. :thumbsup:

You need to install an antivirus program as soon as you can and run a complete scan of the computer. Choose one of these free anti-virus programs:

Boot Your Computer into Safe Mode
  • Shut down the computer
  • Wait 20 seconds.
  • Turn on the computer and immediately press the F8 key on the keyboard, once every second. If you get a keyboard error, press the F1 key and continue pressing the F8 key once every second.
  • The Windows Startup Menu appears.
  • Select option #3 (Safe Mode).
  • Press the Enter key. A dialog box confirms that Windows is in Safe Mode.
  • Click OK. Note: This may take longer than a normal boot.
Run a full system scan with the antivirus you chose.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u1.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications". (Should be the fourth box down.)
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java:
    J2SE Runtime Environment 5.0 Update 1
    J2SE Runtime Environment 5.0 Update 4
    J2SE Runtime Environment 5.0 Update 6
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version.

There are also 2 previously hidden files on my desktop called ~WRL0004.tmp and ~WRL1953.tmp

In regards to this, I believe those are Word temp files. If you have any Word files on your Desktop, opening/editing etc. them would create those temp files where the original file is located.

Also, let us know how your system is running.
:flowers: Tink

I search for Sjogrens Syndrome Foundation...Who will you search for?
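The Java-update steps in the post above rely on reading the "Add/Remove Programs" section of the Deckard's System Scanner log to spot every old JRE, and on noticing that environment variables (CLASSPATH, QTJAVA) still point at one of them. The following Python script is an added example, not part of this thread and not a BleepingComputer or Deckard's System Scanner tool: it parses lines in the DSS "name --> uninstall command" format, lists the Java runtimes found, flags those older than a chosen current release (6 Update 1 here, matching the post), and reports JRE directories named in environment variables that will dangle once those runtimes are removed. The sample lines are copied from the log above; the "Java(TM) SE Runtime Environment 6 Update N" naming handled by the regex is an assumption about later Java 6 entries and does not appear on this page.

```python
import re
from typing import NamedTuple


class InstalledJava(NamedTuple):
    name: str        # display name as listed under Add/Remove Programs
    major: int       # 5 for "J2SE ... 5.0", 6 for "Java(TM) ... 6"
    update: int      # the "Update N" number
    uninstall: str   # uninstall command string after "-->"


# One Add/Remove Programs line in Deckard's System Scanner output looks like
#   <display name> --> <uninstall command>
# The display-name pattern covers the "J2SE Runtime Environment 5.0 Update N" naming
# seen in the log above and (assumption) the later "Java(TM) SE Runtime Environment 6
# Update N" / "Java(TM) 6 Update N" naming used for Java 6 entries.
_JAVA_RE = re.compile(
    r"^(?P<name>(?:J2SE Runtime Environment|Java\(TM\)(?: SE Runtime Environment)?)\s+"
    r"(?P<major>\d+)(?:\.\d+)?\s+Update\s+(?P<update>\d+))\s+-->\s+(?P<uninstall>.+)$"
)

# Environment dumps name JRE install dirs such as ...\Java\jre1.5.0_06\... ;
# "1.5.0_06" is Java 5 Update 6, "1.6.0_01" would be Java 6 Update 1.
_JRE_DIR_RE = re.compile(r"jre1\.(\d+)\.0_(\d+)", re.IGNORECASE)


def parse_java_entries(program_lines):
    """Return every Java runtime entry found in Add/Remove Programs lines."""
    found = []
    for line in program_lines:
        m = _JAVA_RE.match(line.strip())
        if m:
            found.append(InstalledJava(m["name"], int(m["major"]),
                                       int(m["update"]), m["uninstall"]))
    return found


def stale_java(program_lines, current=(6, 1)):
    """Entries older than `current`, given as (major, update); default is JRE 6 Update 1."""
    return [j for j in parse_java_entries(program_lines) if (j.major, j.update) < current]


def jre_dirs_referenced(env_lines):
    """(major, update) of every JRE directory named in environment variables."""
    refs = set()
    for line in env_lines:
        for major, update in _JRE_DIR_RE.findall(line):
            refs.add((int(major), int(update)))
    return refs


def java_report(program_lines, env_lines, current=(6, 1)):
    """Summarise what a helper wants to know before asking for old versions to be removed."""
    entries = parse_java_entries(program_lines)
    installed = {(j.major, j.update) for j in entries}
    return {
        "installed": sorted(installed),
        "stale": [j.name for j in stale_java(program_lines, current)],
        "current_present": any((j.major, j.update) >= current for j in entries),
        # environment variables that will dangle once a stale JRE directory is removed
        "env_refs_to_stale": sorted(v for v in jre_dirs_referenced(env_lines) if v < current),
    }


# Constructed sample: lines copied from the DSS log in this thread (no extra entries).
SAMPLE_PROGRAMS = r"""
Adobe Reader 7.0.5 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70500000002}
J2SE Runtime Environment 5.0 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150010}
J2SE Runtime Environment 5.0 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150040}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Azureus Vuze --> C:\Program Files\Azureus\uninstall.exe
""".strip().splitlines()

SAMPLE_ENV = r"""
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
QTJAVA=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
""".strip().splitlines()

if __name__ == "__main__":
    for key, value in java_report(SAMPLE_PROGRAMS, SAMPLE_ENV).items():
        print(f"{key}: {value}")
```

On the log above this reports three stale Java 5 runtimes, no current runtime, and a CLASSPATH/QTJAVA reference to jre1.5.0_06 that is worth cleaning up after the uninstall so that nothing keeps pointing at a directory that no longer exists.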


#12 SaGe14


Posted 18 May 2007 - 11:14 PM

Alright I downloaded Antivir and ran it in safe mode, it didn't find anything.

And I unfortunately had trouble updating Java. I downloaded the latest version and went to Add/Remove programs, but when I tried to remove the older versions I got a message that said "Fatal error during installation." Each of the three had the same error. I tried restarting and I googled it, but couldn't really find anything, so I didn't install the new Java Runtime Environment.

But I think my computer is actually running a little better. I haven't recently been unable to save anything in a program or click the browse button on imageshack.us, so thanks a lot :thumbsup:

#13 tink536

Posted 19 May 2007 - 11:17 PM

Hi SaGe14,

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm



#14 SaGe14


Posted 20 May 2007 - 08:12 AM

Alright here's the SmitFraudFix log:

SmitFraudFix v2.183

Scan done at 9:06:08.95, Sun 05/20/2007
Run from C:\Documents and Settings\Eric\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Promise Technology, Inc\Promise Array Management\MsgSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32

Thanks.
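The SmitfraudFix report above is mostly a list of running process paths, and the first thing a helper does with such a list is check that the core Windows binaries are running from where they should be and that nothing is running out of a temp directory. The Python script below is an added example, not part of this thread and not SmitfraudFix's own logic: it takes the "Process" section of the report, flags any core-binary name (smss.exe, winlogon.exe, svchost.exe, ...) whose directory is not its Windows XP home, flags executables running from temp-like directories, and counts instances per name, since several svchost.exe processes are normal on XP. The sample input is the process list from the report above plus two constructed lines (marked in the code) that exercise the two findings; the home-directory table is an assumption about a default Windows XP install, not something the report states.

```python
import ntpath
from collections import Counter

# Core Windows binaries and the directories they run from on a default Windows XP
# install (assumption; compared case-insensitively, so everything is lower-cased).
SYSTEM_BINARIES = {
    "smss.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

# Directory fragments that deserve a second look when an executable runs from them.
SUSPECT_DIRS = ("\\temp\\", "\\local settings\\", "\\recycler\\")


def triage_processes(process_lines):
    """Return (category, path) findings for a SmitfraudFix-style process list.

    'masquerade'       : a core binary name running outside its home directory
    'unusual-location' : any executable running from a temp-like directory
    """
    findings = []
    for raw in process_lines:
        path = raw.strip()
        if not path:
            continue
        low = path.lower()
        name = ntpath.basename(low)      # ntpath handles Windows paths on any OS
        folder = ntpath.dirname(low)
        if name in SYSTEM_BINARIES and folder not in SYSTEM_BINARIES[name]:
            findings.append(("masquerade", path))
        elif any(fragment in low for fragment in SUSPECT_DIRS):
            findings.append(("unusual-location", path))
    return findings


def instance_counts(process_lines):
    """How many times each executable name appears; multiple svchost.exe is normal on XP."""
    return Counter(ntpath.basename(p.strip().lower()) for p in process_lines if p.strip())


# Constructed sample: the "Process" section of the SmitfraudFix report in this thread,
# followed by two made-up lines (not from the report) so that both findings fire.
SAMPLE_PROCESSES = r"""
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Promise Technology, Inc\Promise Array Management\MsgSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cmd.exe
C:\DOCUME~1\Eric\LOCALS~1\Temp\svchost.exe
C:\WINDOWS\Temp\update.exe
""".strip().splitlines()

if __name__ == "__main__":
    for category, path in triage_processes(SAMPLE_PROCESSES):
        print(f"{category:18} {path}")
    print(dict(instance_counts(SAMPLE_PROCESSES)))
```

On the report as posted the triage produces no findings: every core binary runs from C:\WINDOWS or C:\WINDOWS\system32 and the four svchost.exe instances are expected, which is consistent with the empty "hosts" and directory sections that follow. Only the two constructed lines are flagged, and a flag is a prompt to look closer (check the file's publisher, hash and creation time), not a verdict.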

#15 tink536


Posted 21 May 2007 - 02:05 AM

Hello again,

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.
