
Go On Vacation And This Happens.


9 replies to this topic

#1 hockeypill


Posted 05 June 2007 - 12:58 PM

The symptom is unwanted IE windows opening whenever IE is already open.

The HJT log follows. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 1:45:11 PM, on 6/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Dassault Systemes\B17\intel_a\code\bin\CATSysDemon.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\PGPserv.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\AOL\1138030376\ee\AOLSoftware.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINNT\System32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\PGP Corporation\PGP for Windows XP\PGPtray.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\wisptis.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINNT\system32\onrsebao.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CalCompUtil] ccwtup32.exe
O4 - HKLM\..\Run: [GTCO.wtxpload] C:\WINNT\GTCO\wtxpload.exe GTCO
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1138030376\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINNT\system32\enjglhpq.dll",realset
O4 - HKLM\..\Run: [j1231335] rundll32 C:\WINNT\system32\j1231335.dll sook
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office Shortcut Bar.lnk = ?
O4 - Startup: Microsoft Outlook.lnk = ?
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: PGPtray.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {4F96CE92-09EA-49D3-B478-F1892F6DCB6D} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.6.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - http://jplugin.cat.com/jre142_10.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = schwartzprecision.net
O17 - HKLM\Software\..\Telephony: DomainName = schwartzprecision.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = schwartzprecision.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = schwartzprecision.net
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Backbone Service (BBDemon) - Unknown owner - C:\Program Files\Dassault Systemes\B17\intel_a\code\bin\CATSysDemon.exe" -service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: PGPserv - PGP Corporation - C:\WINNT\System32\PGPserv.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Sentinel Keys Server (SentinelKeysServer) - SafeNet, Inc. - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

Edited by hockeypill, 05 June 2007 - 01:03 PM.



#2 SNOWHITE


Posted 07 June 2007 - 04:32 PM

Hello hockeypill and welcome to BC :thumbsup:

Sorry for the late reply, but as you can see we handle more than our fair share of logs. If you still have problems please post a fresh HijackThis log and we can begin the cleaning process.


Regards,
SNOWHITE

#3 hockeypill


Posted 08 June 2007 - 01:37 PM

I think I have most of the problems cleaned up. I just researched what looked out of place and compared it to others logs. The main culprit was Vundo. I have added a recent log for your review anyway.

Logfile of HijackThis v1.99.1
Scan saved at 2:30:23 PM, on 6/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Dassault Systemes\B17\intel_a\code\bin\CATSysDemon.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\PGPserv.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
C:\WINNT\System32\alg.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\WINNT\System32\rundll32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\PGP Corporation\PGP for Windows XP\PGPtray.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINNT\explorer.exe
C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\System32\wisptis.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINNT\msagent\AgentSvr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CalCompUtil] ccwtup32.exe
O4 - HKLM\..\Run: [GTCO.wtxpload] C:\WINNT\GTCO\wtxpload.exe GTCO
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1138030376\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [j1231335] rundll32 C:\WINNT\system32\j1231335.dll sook
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office Shortcut Bar.lnk = ?
O4 - Startup: Microsoft Outlook.lnk = ?
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: PGPtray.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {4F96CE92-09EA-49D3-B478-F1892F6DCB6D} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.6.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - http://jplugin.cat.com/jre142_10.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = schwartzprecision.net
O17 - HKLM\Software\..\Telephony: DomainName = schwartzprecision.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = schwartzprecision.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = schwartzprecision.net
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Backbone Service (BBDemon) - Unknown owner - C:\Program Files\Dassault Systemes\B17\intel_a\code\bin\CATSysDemon.exe" -service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: PGPserv - PGP Corporation - C:\WINNT\System32\PGPserv.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Sentinel Keys Server (SentinelKeysServer) - SafeNet, Inc. - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
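As an added example (my own code, not from this thread or from HijackThis), a small Python triage script that applies the Vundo pattern visible in the two logs above: an unnamed O2 BHO, and O4 Run entries that use rundll32 to load a DLL from system32, all with random-looking names. The `looks_random` heuristic is mine, and the sample lines are constructed from the O2/O4 entries in the 5 June and 8 June logs; comparing the two shows the `j1231335.dll` Run entry surviving the first cleanup.

```python
"""Heuristic triage of HijackThis O2/O4 lines for the Vundo/Virtumonde
pattern seen in this thread, plus a before/after comparison of two logs."""
import re
from typing import NamedTuple, Optional


class Finding(NamedTuple):
    section: str   # "O2" (BHO) or "O4" (Run key / startup item)
    dll: str       # DLL base name, lower-cased
    reasons: tuple # human-readable reasons the entry was flagged


# First DLL path on the line: bare or quoted, long or 8.3 form.
_DLL_RE = re.compile(r'((?:[A-Za-z]:|%SystemRoot%)\\[^",]*?\.dll)', re.IGNORECASE)
_RUNDLL_RE = re.compile(r'\brundll32(?:\.exe)?\b', re.IGNORECASE)


def in_system32(path: str) -> bool:
    return '\\system32\\' in path.lower()


def looks_random(dll: str) -> bool:
    """Name heuristic (my own, not HijackThis's): eight lowercase letters, or
    one letter followed by 6-8 digits, the naming style of the DLLs in this log."""
    stem = dll.lower().rsplit('.', 1)[0]
    return bool(re.fullmatch(r'[a-z]{8}', stem) or re.fullmatch(r'[a-z]\d{6,8}', stem))


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding when an O2/O4 line is suspicious, otherwise None."""
    m = _DLL_RE.search(line)
    if not m:
        return None
    path = m.group(1)
    dll = path.rsplit('\\', 1)[-1].lower()
    reasons = []
    # Rule 1: a BHO with no name whose DLL lives in system32.
    if line.startswith('O2 - BHO: (no name)') and in_system32(path):
        reasons.append('unnamed BHO loaded from system32')
    # Rule 2: a Run entry that uses rundll32 to load a DLL from system32.
    if line.startswith('O4 ') and _RUNDLL_RE.search(line) and in_system32(path):
        reasons.append('Run key launches a system32 DLL via rundll32')
    # The name pattern only adds confidence once a structural rule has fired,
    # so an odd-looking but properly registered DLL is never flagged on its own.
    if reasons and looks_random(dll):
        reasons.append('random-looking DLL name')
    return Finding(line[:2], dll, tuple(reasons)) if reasons else None


def triage_log(text: str) -> list:
    return [f for f in (triage_line(line) for line in text.splitlines()) if f]


def persisting(before: str, after: str) -> list:
    """Flagged DLLs present in both logs: the cleanup between them did not take."""
    return sorted({f.dll for f in triage_log(before)} & {f.dll for f in triage_log(after)})


# Constructed samples: the relevant O2/O4 lines from the 5 June and 8 June logs.
LOG_BEFORE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINNT\system32\onrsebao.dll
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINNT\system32\enjglhpq.dll",realset
O4 - HKLM\..\Run: [j1231335] rundll32 C:\WINNT\system32\j1231335.dll sook
"""
LOG_AFTER = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [j1231335] rundll32 C:\WINNT\system32\j1231335.dll sook
"""

if __name__ == '__main__':
    for name, log in (('5 June', LOG_BEFORE), ('8 June', LOG_AFTER)):
        print(f'{name} log:')
        for f in triage_log(log):
            print(f'  {f.section} {f.dll}: {"; ".join(f.reasons)}')
    print('still present after cleanup:', persisting(LOG_BEFORE, LOG_AFTER))
```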

#4 SNOWHITE


Posted 10 June 2007 - 12:23 PM

Hello hockeypill :thumbsup:

I think I have most of the problems cleaned up. I just researched what looked out of place and compared it to others logs. The main culprit was Vundo. I have added a recent log for your review anyway.


Your computer is still infected. Follow the steps below.

PLEASE READ THIS POST COMPLETELY, IT MAY MAKE IT EASIER FOR YOU IF YOU COPY AND PASTE THIS POST INTO A NEW TEXT DOCUMENT OR PRINT IT FOR REFERENCE LATER

Please follow the steps below exactly in the order they are written:

Step 1

a.) Download AVG Anti-Spyware from HERE and save that file to your desktop.
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the setup program.
  • Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button; the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports":
    • Select "Automatically generate report after every scan"
    • Un-select "Only if threats were found"
Close AVG Anti-Spyware. Do Not run a scan just yet; we will shortly.

NOTE: if you are unable to update the definition files, you can perform manual update by going to the following site http://www.ewido.net/en/download/updates/

b.) Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
  • If you use the Firefox browser, click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser, click Opera at the top and choose: Select All
    • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
  • For Technical Support, double-click the e-mail address located at the bottom of each menu.

IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process.
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process; be patient, this may take a little time.
  Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions".
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.
Step 2

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
Please post back with these reports:
  • AVG Anti-Spyware report scan
  • dss scan reports main.txt and extra.txt
Regards,
SNOWHITE

#5 hockeypill


Posted 12 June 2007 - 07:00 AM

avg

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:57:20 AM 6/12/2007

+ Scan result:



HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\nCASE -> Adware.180Solutions : Cleaned with backup (quarantined).
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Adware.Aws : Cleaned with backup (quarantined).
C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll -> Adware.Viewpoint : Cleaned with backup (quarantined).
C:\WINNT\system32\cbxyywu.dll.vir -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\Program Files\WebEx\ieatgpc.dll -> Adware.WebEx : Cleaned with backup (quarantined).
C:\Program Files\WebEx\ieatgpc.tmp/ieatgpc.dll -> Adware.WebEx : Cleaned with backup (quarantined).
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine\dlwr.exe.Vir -> Downloader.Agent.brf : Cleaned with backup (quarantined).
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine\ebqeqnpj.exe.Vir -> Hijacker.Small.mw : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-602162358-362288127-682003330-1168\Dc3\Cookies\crountree@aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\RECYCLER\S-1-5-21-602162358-362288127-682003330-1168\Dc3\Cookies\crountree@atlascreditgroup.aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\RECYCLER\S-1-5-21-602162358-362288127-682003330-1168\Dc3\Cookies\crountree@grouplotto.aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\RECYCLER\S-1-5-21-602162358-362288127-682003330-1168\Dc3\Cookies\crountree@www.adobe[2].txt -> TrackingCookie.Adobe : Cleaned.
C:\RECYCLER\S-1-5-21-602162358-362288127-682003330-1168\Dc1\Cookies\quality@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\RECYCLER\S-1-5-21-602162358-362288127-682003330-1168\Dc3\Cookies\crountree@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\RECYCLER\S-1-5-21-602162358-362288127-682003330-1168\Dc1\Cookies\quality@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\RECYCLER\S-1-5-21-602162358-362288127-682003330-1168\Dc3\Cookies\crountree@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\RECYCLER\S-1-5-21-602162358-362288127-682003330-1168\Dc3\Cookies\crountree@burstnet[3].txt -> TrackingCookie.Burstnet : Cleaned.
C:\RECYCLER\S-1-5-21-602162358-362288127-682003330-1168\Dc3\Cookies\crountree@burstnet[4].txt -> TrackingCookie.Burstnet : Cleaned.
C:\RECYCLER\S-1-5-21-602162358-362288127-682003330-1168\Dc3\Cookies\crountree@ads.cnn[1].txt -> TrackingCookie.Cnn : Cleaned.
C:\RECYCLER\S-1-5-21-602162358-362288127-682003330-1168\Dc1\Cookies\quality@ehg-dig.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\RECYCLER\S-1-5-21-602162358-362288127-682003330-1168\Dc1\Cookies\quality@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
C:\RECYCLER\S-1-5-21-602162358-362288127-682003330-1168\Dc3\Cookies\crountree@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned.
C:\RECYCLER\S-1-5-21-602162358-362288127-682003330-1168\Dc1\Cookies\kclark@search.msn[2].txt -> TrackingCookie.Msn : Cleaned.
C:\RECYCLER\S-1-5-21-602162358-362288127-682003330-1168\Dc1\Cookies\quality@search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
C:\RECYCLER\S-1-5-21-602162358-362288127-682003330-1168\Dc2\Cookies\receptionist@search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
C:\RECYCLER\S-1-5-21-602162358-362288127-682003330-1168\Dc2\Cookies\receptionist@search.msn[2].txt -> TrackingCookie.Msn : Cleaned.
C:\RECYCLER\S-1-5-21-602162358-362288127-682003330-1168\Dc3\Cookies\crountree@beta.search.msn[4].txt -> TrackingCookie.Msn : Cleaned.
C:\RECYCLER\S-1-5-21-602162358-362288127-682003330-1168\Dc3\Cookies\crountree@search.msn[3].txt -> TrackingCookie.Msn : Cleaned.
C:\RECYCLER\S-1-5-21-602162358-362288127-682003330-1168\Dc3\Cookies\crountree@search.msn[4].txt -> TrackingCookie.Msn : Cleaned.
C:\RECYCLER\S-1-5-21-602162358-362288127-682003330-1168\Dc3\Cookies\crountree@search.msn[5].txt -> TrackingCookie.Msn : Cleaned.
C:\RECYCLER\S-1-5-21-602162358-362288127-682003330-1168\Dc3\Cookies\crountree@search.msn[7].txt -> TrackingCookie.Msn : Cleaned.
C:\RECYCLER\S-1-5-21-602162358-362288127-682003330-1168\Dc3\Cookies\crountree@search.msn[8].txt -> TrackingCookie.Msn : Cleaned.
C:\RECYCLER\S-1-5-21-602162358-362288127-682003330-1168\Dc4\Cookies\sjoyner@search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
C:\RECYCLER\S-1-5-21-602162358-362288127-682003330-1168\Dc4\Cookies\sjoyner@search.msn[2].txt -> TrackingCookie.Msn : Cleaned.
C:\RECYCLER\S-1-5-21-602162358-362288127-682003330-1168\Dc4\Cookies\sjoyner@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
C:\RECYCLER\S-1-5-21-602162358-362288127-682003330-1168\Dc4\Cookies\sjoyner@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.
C:\RECYCLER\S-1-5-21-602162358-362288127-682003330-1168\Dc1\Cookies\quality@www.res99[1].txt -> TrackingCookie.Res99 : Cleaned.
C:\RECYCLER\S-1-5-21-602162358-362288127-682003330-1168\Dc3\Cookies\crountree@res99[1].txt -> TrackingCookie.Res99 : Cleaned.
C:\RECYCLER\S-1-5-21-602162358-362288127-682003330-1168\Dc3\Cookies\crountree@edge.ru4[4].txt -> TrackingCookie.Ru4 : Cleaned.
C:\RECYCLER\S-1-5-21-602162358-362288127-682003330-1168\Dc1\Cookies\quality@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\RECYCLER\S-1-5-21-602162358-362288127-682003330-1168\Dc3\Cookies\crountree@adopt.specificclick[3].txt -> TrackingCookie.Specificclick : Cleaned.
C:\RECYCLER\S-1-5-21-602162358-362288127-682003330-1168\Dc3\Cookies\crountree@specificpop[2].txt -> TrackingCookie.Specificpop : Cleaned.
C:\RECYCLER\S-1-5-21-602162358-362288127-682003330-1168\Dc3\Cookies\crountree@starware[2].txt -> TrackingCookie.Starware : Cleaned.
C:\RECYCLER\S-1-5-21-602162358-362288127-682003330-1168\Dc4\Cookies\sjoyner@track-star[1].txt -> TrackingCookie.Track-star : Cleaned.
C:\RECYCLER\S-1-5-21-602162358-362288127-682003330-1168\Dc2\Cookies\receptionist@www.web-stat[2].txt -> TrackingCookie.Web-stat : Cleaned.
C:\RECYCLER\S-1-5-21-602162358-362288127-682003330-1168\Dc3\Cookies\crountree@server3.web-stat[2].txt -> TrackingCookie.Web-stat : Cleaned.
C:\RECYCLER\S-1-5-21-602162358-362288127-682003330-1168\Dc3\Cookies\crountree@www.web-stat[2].txt -> TrackingCookie.Web-stat : Cleaned.
C:\Program Files\Dassault Systemes\B13\intel_a\resources\msgcatalog\German\CATMMediaCaptureSizeDialog.CATNls -> Trojan.Runner.i : Cleaned with backup (quarantined).
C:\Program Files\Dassault Systemes\B17\intel_a\resources\msgcatalog\German\CATMMediaCaptureSizeDialog.CATNls -> Trojan.Runner.i : Cleaned with backup (quarantined).
C:\Program Files\DVD2SVCD\Tylo\D2SRoBa.exe -> Trojan.Starter.41 : Cleaned with backup (quarantined).
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine\T1QaSQ1065.exe.Vir -> Trojan.VB.nhr : Cleaned with backup (quarantined).


::Report end

main.txt

Deckard's System Scanner v20070610.48
Run by ppatton on 2007-06-12 at 07:00:54
Computer is in Safe Mode with Networking.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...failed; computer is in safe mode.


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as ppatton.exe) ---------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 7:02:53 AM, on 6/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Documents and Settings\ppatton\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\ppatton.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CalCompUtil] ccwtup32.exe
O4 - HKLM\..\Run: [GTCO.wtxpload] C:\WINNT\GTCO\wtxpload.exe GTCO
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1138030376\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [j1231335] rundll32 C:\WINNT\system32\j1231335.dll sook
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office Shortcut Bar.lnk = ?
O4 - Startup: Microsoft Outlook.lnk = ?
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: PGPtray.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {4F96CE92-09EA-49D3-B478-F1892F6DCB6D} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.6.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - http://jplugin.cat.com/jre142_10.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = schwartzprecision.net
O17 - HKLM\Software\..\Telephony: DomainName = schwartzprecision.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = schwartzprecision.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = schwartzprecision.net
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Backbone Service (BBDemon) - Unknown owner - C:\Program Files\Dassault Systemes\B17\intel_a\code\bin\CATSysDemon.exe" -service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: PGPserv - PGP Corporation - C:\WINNT\System32\PGPserv.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Sentinel Keys Server (SentinelKeysServer) - SafeNet, Inc. - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)


-- File Associations -----------------------------------------------------------

.scr - AutoCADScriptFile - shell\open\command - "C:\WINNT\system32\NOTEPAD.EXE" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 NaiAvTdi1 - c:\winnt\system32\drivers\mvstdi5x.sys <Not Verified; Network Associates, Inc.; VirusScan>
R2 PGPsdkDriver - c:\winnt\system32\drivers\pgpsdk.sys <Not Verified; PGP Corporation; PGPsdk>
R3 ElbyCDFL - c:\winnt\system32\drivers\elbycdfl.sys <Not Verified; SlySoft, Inc.; CloneCD>

S1 LUMDriver - c:\winnt\system32\drivers\lumdriver.sys <Not Verified; IBM; LUM application>
S2 DS1410D - c:\winnt\system32\drivers\ds1410d.sys <Not Verified; Dallas Semiconductor MAXIM; 1-Wire Drivers>
S2 ElbyCDIO (ElbyCDIO Driver) - c:\winnt\system32\drivers\elbycdio.sys <Not Verified; Elaborate Bytes AG; CDRTools>
S2 hardlock - c:\winnt\system32\drivers\hardlock.sys <Not Verified; Aladdin Knowledge Systems; Hardlock Device Driver for Windows NT>
S2 Haspnt - c:\winnt\system32\drivers\haspnt.sys <Not Verified; Aladdin Knowledge Systems; Windows NT HASP Kernel Device Driver>
S2 PGPdisk - c:\winnt\system32\drivers\pgpdisk.sys <Not Verified; PGP Corporation; PGP>
S2 RioPNP - c:\winnt\system32\drivers\riopnp.sys <Not Verified; RioPort.com; >
S2 Sentinel - c:\winnt\system32\drivers\sentinel.sys <Not Verified; Rainbow Technologies, Inc.; Sentinel System Driver>
S3 EntDrv51 - c:\winnt\system32\drivers\entdrv51.sys <Not Verified; Network Associates, Inc; Virus Scan Enterprise, Entercept>
S3 NaiAvFilter1 - c:\winnt\system32\drivers\naiavf5x.sys <Not Verified; Network Associates, Inc.; VirusScan>
S3 NMSCFG (NIC Management Service Configuration Driver) - c:\winnt\system32\drivers\nmscfg.sys <Not Verified; Intel Corporation; Intel® NMSCFG Driver>
S3 PCDRDRV (Pcdr Helper Driver) - c:\atf\qctest\pcdoc\pcdrdrv.sys (file missing)
S3 PcdrNt - c:\winnt\system32\drivers\pcdrnt.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 BBDemon (Backbone Service) - "c:\program files\dassault systemes\b17\intel_a\code\bin\catsysdemon.exe" -service <Not Verified; Dassault Systemes; Dassault Systemes Product>
S2 McAfeeFramework (McAfee Framework Service) - c:\program files\network associates\common framework\frameworkservice.exe /servicestart <Not Verified; Network Associates, Inc.; McAfee Common Framework>
S2 McTaskManager (Network Associates Task Manager) - "c:\program files\network associates\virusscan\vstskmgr.exe" <Not Verified; Network Associates, Inc.; VirusScan Enterprise>
S2 NMSSvc (Intel® NMS) - c:\winnt\system32\nmssvc.exe <Not Verified; Intel Corporation; NMS>
S2 PGPserv - c:\winnt\system32\pgpserv.exe <Not Verified; PGP Corporation; PGPsdk>
S3 x10nets (X10 Device Network Service) - c:\progra~1\atimul~1\remctrl\x10nets.exe (file missing)


-- Scheduled Tasks -------------------------------------------------------------

2007-06-11 15:12:15 330 --ah----- C:\WINNT\Tasks\MP Scheduled Scan.job
2007-06-11 05:01:00 202 --a------ C:\WINNT\Tasks\Fabritrak.job
2007-06-11 04:13:09 260 --a------ C:\WINNT\Tasks\Backup Database Now.job
2007-06-11 04:01:07 240 --a------ C:\WINNT\Tasks\XCOPYT.job
2007-06-11 03:30:03 240 --a------ C:\WINNT\Tasks\XCOPYZ.job
2007-06-11 03:01:45 240 --a------ C:\WINNT\Tasks\XCOPYR.job
2007-06-11 02:30:39 240 --a------ C:\WINNT\Tasks\XCOPYY.job
2007-06-11 02:00:14 240 --a------ C:\WINNT\Tasks\XCOPYM.job
2007-06-09 11:41:01 284 --a------ C:\WINNT\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-05-12 and 2007-06-12 -----------------------------

2007-06-05 14:20:06 0 d-------- C:\VundoFix Backups
2007-06-04 09:37:07 0 d-------- C:\Documents and Settings\ppatton\Application Data\Lavasoft
2007-06-04 09:36:35 0 d-------- C:\Program Files\Lavasoft
2007-06-04 09:35:51 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-01 12:00:22 4434 --a------ C:\WINNT\system32\tmp.reg
2007-06-01 11:03:37 0 d-------- C:\SDAT
2007-05-31 09:35:04 0 d-------- C:\Program Files\Enigma Software Group
2007-05-31 07:34:58 0 d-------- C:\Program Files\Windows Defender
2007-05-30 13:39:03 1557636 ---hs---- C:\WINNT\system32\kjllm.bak2
2007-05-29 13:38:52 1542808 ---hs---- C:\WINNT\system32\kjllm.bak1
2007-05-29 13:33:17 42473 --a------ C:\WINNT\WpAJTrYf67HazytRD.exe
2007-05-29 13:33:16 0 d-------- C:\quarantine
2007-05-29 13:33:05 0 d-------- C:\WINNT\system32\T6
2007-05-29 13:33:05 0 d-------- C:\WINNT\system32\T4
2007-05-29 13:33:05 0 d-------- C:\WINNT\system32\T3
2007-05-29 13:32:59 0 d-------- C:\WINNT\system32\TQ0
2007-05-29 13:32:59 0 d-------- C:\WINNT\system32\pog
2007-05-29 13:32:49 40183 ---hs---- C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
2007-05-29 13:32:43 0 d-------- C:\WINNT\system32\T1QaSQ
2007-05-14 11:57:42 0 d-------- C:\Program Files\UGS


-- Find3M Report ---------------------------------------------------------------

2007-06-11 15:09:41 24 --a------ C:\WINNT\system32\DVCStateBkp-{00000002-00000000-0000000C-00001102-00000004-00581102}.dat
2007-06-11 15:09:41 24 --a------ C:\WINNT\system32\DVCState-{00000002-00000000-0000000C-00001102-00000004-00581102}.dat
2007-06-11 14:03:52 0 d-------- C:\Documents and Settings\ppatton\Application Data\AdobeUM
2007-06-11 10:56:53 648 --a------ C:\WINNT\system32\winsusrm.dll
2007-06-11 10:41:17 0 d-------- C:\Program Files\MMI
2007-06-11 07:34:48 4096 --a----c- C:\WINNT\system32\crash
2007-06-07 07:19:08 0 d-------- C:\Documents and Settings\ppatton\Application Data\Viewpoint
2007-06-07 07:18:45 0 d-------- C:\Program Files\AIM6
2007-06-07 07:18:30 0 d-------- C:\Program Files\Viewpoint
2007-05-31 09:30:53 0 d-------- C:\Program Files\Dassault Systemes
2007-05-31 07:28:05 0 d-------- C:\Program Files\Messenger
2007-05-08 12:55:23 0 d-------- C:\Program Files\ACAD2000
2007-05-07 13:55:29 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-04-26 11:21:54 0 d-------- C:\Program Files\Dassault Systemes 3D XML Player
2007-04-26 10:36:37 0 d-------- C:\Program Files\Dassault Systemes 3D PrintScreen
2007-04-12 07:55:29 0 d-------- C:\Program Files\7-Zip


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"CTHelper"="CTHELPER.EXE"
"UpdReg"="C:\\WINNT\\UpdReg.EXE"
"Jet Detection"="C:\\Program Files\\Creative\\SBAudigy\\PROGRAM\\ADGJDet.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"CalCompUtil"="ccwtup32.exe"
"GTCO.wtxpload"="C:\\WINNT\\GTCO\\wtxpload.exe GTCO"
"Synchronization Manager"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,\
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"ATI DeviceDetect"="C:\\Program Files\\ATI Multimedia\\\\Program Files\\ATI Multimedia\\main\\ATIDtct.EXE"
@=""
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1138030376\\ee\\AOLSoftware.exe"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
"Network Associates Error Reporting Service"="\"C:\\Program Files\\Common Files\\Network Associates\\TalkBack\\TBMon.exe\""
"CloneCDTray"="\"C:\\Program Files\\SlySoft\\CloneCD\\CloneCDTray.exe\" /s"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"j1231335"="rundll32 C:\\WINNT\\system32\\j1231335.dll sook"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"
@=""
"ATI Launchpad"=""
"ATI Remote Control"="C:\\Program Files\\ATI Multimedia\\RemCtrl\\ATIRW.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Aim6"="\"C:\\Program Files\\AIM6\\aim6.exe\" /d locale=en-US ee://aol/imApp"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"=dword:00000001
"ForceStartMenuLogOff"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{2432F099-F8E2-43C9-B765-3AF002FFC6A7}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\s-1-5-21-602162358-362288127-682003330-1126\scripts\logon\0\0
script REG_SZ \\Spm2-server\Profiles\logon.cmd

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\s-1-5-21-602162358-362288127-682003330-1129\scripts\logon\0\0
script REG_SZ \\Spm2-server\Profiles\logon.cmd

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\s-1-5-21-602162358-362288127-682003330-1134\scripts\logon\0\0
script REG_SZ \\Spm2-server\Profiles\logon.cmd

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\s-1-5-21-602162358-362288127-682003330-1137\scripts\logon\0\0
script REG_SZ \\Spm2-server\Profiles\logon.cmd


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_NMSSVC


-- End of Deckard's System Scanner: finished at 2007-06-12 at 07:03:24 ---------


extra.txt

Deckard's System Scanner v20070610.48
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.66GHz
Percentage of Memory in Use: 36%
Physical Memory (total/avail): 1023.3 MiB / 653.63 MiB
Pagefile Memory (total/avail): 1696.26 MiB / 1508.43 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1975.04 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 57.27 GiB total, 18.78 GiB free.
D: is Removable (No Media)
E: is CDROM (No Media)
F: is Network (NTFS)
G: is Network (NTFS)
H: is Network (NTFS)
I: is Network (NTFS)
M: is Network (NTFS)
R: is Network (NTFS)
S: is Network (NTFS)
T: is Network (NTFS)
Y: is Network (NTFS)
Z: is Network (NTFS)


-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is enabled.


[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Dassault Systemes\B16\intel_a\code\bin\CNEXT.exe"="C:\Program Files\Dassault Systemes\B16\intel_a\code\bin\CNEXT.exe:*:Enabled:CATIA"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\AIM95\aim.exe"="C:\Program Files\AIM95\aim.exe:*:Disabled:AOL Instant Messenger"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\Program Files\MSN Messenger\msncall.exe"="C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\Program Files\Common Files\AOL\1138030376\ee\aim6.exe"="C:\Program Files\Common Files\AOL\1138030376\ee\aim6.exe:*:Enabled:AIM"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\Common Files\AOL\1138030376\ee\aolsoftware.exe"="C:\Program Files\Common Files\AOL\1138030376\ee\aolsoftware.exe:*:Enabled:AOL Services"
"C:\Program Files\Dassault Systemes\B17\intel_a\code\bin\orbixd.exe"="C:\Program Files\Dassault Systemes\B17\intel_a\code\bin\orbixd.exe:*:Disabled:orbixd"
"C:\Program Files\Dassault Systemes\B17\intel_a\code\bin\CNEXT.exe"="C:\Program Files\Dassault Systemes\B17\intel_a\code\bin\CNEXT.exe:*:Enabled:CATIA"
"C:\Program Files\Dassault Systemes\B17\intel_a\code\bin\CATBatch.exe"="C:\Program Files\Dassault Systemes\B17\intel_a\code\bin\CATBatch.exe:*:Enabled:BatchInfrastructure"
"C:\Program Files\Dassault Systemes\B17\intel_a\code\bin\CATUTIL.exe"="C:\Program Files\Dassault Systemes\B17\intel_a\code\bin\CATUTIL.exe:*:Enabled:V5 Batch Management"
"C:\Program Files\Dassault Systemes\B13\intel_a\code\bin\CNEXT.exe"="C:\Program Files\Dassault Systemes\B13\intel_a\code\bin\CNEXT.exe:*:Enabled:CATIA"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\ppatton\Application Data
CLASSPATH=.;C:\Program Files\Java\j2re1.4.2_10\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SPM0117
ComSpec=C:\WINNT\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\ppatton
LOGONSERVER=\\SPM2-SERVER
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem;C:\Program Files\Common Files\Adaptec Shared\System;C:\PROGRA~1\COMMON~1\AUTODE~1;C:\Program Files\Common Files\Autodesk Shared\;C:\PROGRA~1\Actify\Kernel;C:\PROGRA~1\Actify\Importers;C:\PROGRA~1\Actify\Importers\MDTCMP;C:\PROGRA~1\Actify\Apprentice;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\ATI Technologies\ATI.ACE\;C:\Program Files\Autodesk\DWG TrueView\;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0207
ProgramFiles=C:\Program Files
PROMPT=$P$G
PVX_INSTALL_DIR=C:\Program Files\ProductViewExpress\
QTJAVA=C:\Program Files\Java\j2re1.4.2_10\lib\ext\QTJava.zip
SAFEBOOT_OPTION=NETWORK
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINNT
TEMP=C:\DOCUME~1\ppatton\LOCALS~1\Temp
TMP=C:\DOCUME~1\ppatton\LOCALS~1\Temp
USERDNSDOMAIN=SCHWARTZPRECISION.NET
USERDOMAIN=SPMAD
USERNAME=ppatton
USERPROFILE=C:\Documents and Settings\ppatton
windir=C:\WINNT
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Administrator (admin)
rmarks (new local, update central)
kclark (new local, update central)
kclark (new local, update central)
ppatton (update central, admin)
ndudley (admin)
ppadmin (admin)
jnsadmin (admin)
receptionist (new local, update central, profile directory not found)
jjones (update central, profile directory not found)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Creative\SBAudigy\Program\Ctzapxx.EXE" /U /S /R
--> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
--> C:\WINNT\IsUninst.exe -fC:\WINNT\orun32.isu
--> MsiExec.exe /I{9A346205-EA92-4406-B1AB-50379DA3F057}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINNT\INF\PCHealth.inf
1-Wire Drivers --> MsiExec.exe /I{42BE9142-81EE-4B0B-9013-DCF42C8F304E}
7-Zip 4.42 --> "C:\Program Files\7-Zip\Uninstall.exe"
Actify Parasolid Importer --> C:\PROGRA~1\Actify\IMPORT~1\UNWISE.EXE C:\PROGRA~1\Actify\IMPORT~1\ParasolidInst.log
Actify ProE Importer --> C:\PROGRA~1\Actify\IMPORT~1\UNWISE.EXE C:\PROGRA~1\Actify\IMPORT~1\ProeInst.log
Actify SolidEdge™ Importer --> C:\PROGRA~1\Actify\IMPORT~1\UNWISE.EXE C:\PROGRA~1\Actify\IMPORT~1\SolidEdgeImp.LOG
Actify SolidWorks™ Importer --> C:\PROGRA~1\Actify\IMPORT~1\UNWISE.EXE C:\PROGRA~1\Actify\IMPORT~1\SolidWorksImp.LOG
Actify Step Importer --> C:\PROGRA~1\Actify\IMPORT~1\UNWISE.EXE C:\PROGRA~1\Actify\IMPORT~1\StepInst.log
Actify Tiff Importer --> C:\PROGRA~1\Actify\IMPORT~1\UNWISE.EXE C:\PROGRA~1\Actify\IMPORT~1\TiffInst.log
Actify Unigraphic Importer --> C:\PROGRA~1\Actify\IMPORT~1\UNWISE.EXE C:\PROGRA~1\Actify\IMPORT~1\UGInst.log
Actify VRML 1 and 2 Importer --> C:\PROGRA~1\Actify\IMPORT~1\UNWISE.EXE C:\PROGRA~1\Actify\IMPORT~1\VrmlInst.log
Actify XVL Importer --> C:\PROGRA~1\Actify\IMPORT~1\UNWISE.EXE C:\PROGRA~1\Actify\IMPORT~1\XVLInst.log
ActivePerl 5.8.0 Build 805 --> MsiExec.exe /I{8B63F6AD-3DBF-4585-A5FC-CB73CE793D53}
Ad-Aware SE Personal --> MsiExec.exe /X{78CC3BAB-DE2A-4FB4-8FBB-E4DADDC26747}
Adobe Acrobat 5.0 --> C:\WINNT\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Acrobat and Reader 6.0.3 Update --> MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000603}
Adobe Acrobat and Reader 6.0.4 Update --> MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000604}
Adobe Acrobat and Reader 6.0.5 Update --> MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000605}
Adobe Acrobat and Reader 6.0.6 Update --> MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000606}
Adobe Flash Player 9 ActiveX --> C:\WINNT\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Reader 6.0.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000002}
Adobe Reader Korean Fonts --> MsiExec.exe /I{AC76BA86-7AD7-5676-5A64-7E8A45000001}
Age of Empires II - The Conquerors - 1.0e Patch FINAL --> "C:\Program Files\Microsoft Games\Age of Empires II\unins000.exe"
Age of Empires III --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{7B9CC60A-9B81-46A3-A953-76B6BF9EEC97}
AIM 6 --> C:\Program Files\AIM6\uninst.exe
AnswerWorks Runtime --> C:\WINNT\IsUninst.exe -f"C:\Program Files\WexTech\AnswerWorks\Uninst.isu"
AOL Instant Messenger --> C:\Program Files\AIM95\uninstll.exe -LOG= C:\Program Files\AIM95\install.log -OEM=
Apple Software Update --> MsiExec.exe /I{A260B422-70E1-41E2-957D-F76FA21266D5}
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center --> MsiExec.exe /I{01D21D16-B246-4E9A-B4B1-0E37F2AD3446}
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Decoder --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{EB452503-A684-4F89-9138-2E590D60478B} /l1033
ATI Display Driver --> rundll32 C:\WINNT\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
ATI HYDRAVISION --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3EA9D975-BFDC-4E8E-B88B-0446FBC8CA66}\setup.exe"
ATI Multimedia Center 9.0.0.0 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{56E005A4-2921-4C77-A4EB-9FF21C1438B5} /l1033
ATI Remote Wonder 2.3 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{3347F781-9C89-4C9B-B471-B1FFC3BC4A84} /l1033
AutoCAD 2002 --> MsiExec.exe /I{5783F2D7-0101-0409-0000-0060B0CE6BBA}
AutoCAD 2007 - English --> MsiExec.exe /I{5783F2D7-5001-0409-0002-0060B0CE6BBA}
Autodesk Deployment Wizard --> MsiExec.exe /X{04AE4390-AC57-44A1-9165-FAF5C6BFB14E}
Autodesk DWF Viewer 7 --> MsiExec.exe /I{9A346205-EA92-4406-B1AB-50379DA3F057}
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
AviSynth 2.5 --> "C:\Program Files\AviSynth 2.5\Uninstall.exe"
Cadra View Express --> MsiExec.exe /I{23E65A58-B8F7-11D6-8B6B-0008C7434C5A}
CDRWIN --> C:\PROGRA~1\CDRWIN\UNWISE.EXE C:\PROGRA~1\CDRWIN\INSTALL.LOG
CloneCD --> "C:\Program Files\SlySoft\CloneCD\ccd-uninst.exe" /D="C:\Program Files\SlySoft\CloneCD"
Creative Driver --> C:\WINNT\System32\ctdrvins /s /u /g
Creative Jukebox Driver --> C:\Program Files\Creative\Jukebox Driver\DrvUnins.exe /s
Creative NOMAD II Driver --> C:\Program Files\Creative\NOMAD2 Driver\DrvUnins.exe /s
D2SRoBa 3.60 --> "C:\Program Files\DVD2SVCD\Tylo\uninstall.exe"
DAO --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{C88E49AA-41C5-4420-A08D-BE1B6C5A3A74}
Dassault Systemes 3D PrintScreen --> C:\Program Files\Dassault Systemes 3D PrintScreen\intel_a\code\bin\3D_PrintScreen_Uninstall.exe
Dassault Systemes 3D XML Player --> C:\Program Files\Dassault Systemes 3D XML Player\intel_a\code\bin\3DXMLPlayerUninstall.exe
Dassault Systemes Doc English CATIA_P3 B17 --> "C:\Program Files\Dassault Systemes\B17doc\English\intel_a\code\bin\UNINSTALLDoc.exe" "C:\Program Files\Dassault Systemes\B17doc\English" "CATIA_P3-EnglishDocumentation" "V5R17" "B17"
Dassault Systemes Software B13 --> "C:\Program Files\Dassault Systemes\B13\intel_a\code\bin\Uninstall.exe" "C:\Program Files\Dassault Systemes\B13" "CODE" "IS" "C:\WINNT\ISUNINST.EXE" "C:\Program Files\Dassault Systemes\B13\intel_a\Uninst.isu" "B13" "0"
Dassault Systemes Software B17 --> "C:\Program Files\Dassault Systemes\B17\intel_a\code\bin\Uninstall.exe" "C:\Program Files\Dassault Systemes\B17" "CODE" "GUI" "B17" "0"
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Dominoes, Win42, and WinMoon --> C:\PROGRA~1\Games\Dominoes\UNWISE.EXE C:\PROGRA~1\Games\Dominoes\INSTALL.LOG
DVD --> "C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
DVD2SVCD 1.2.2 Build 3 --> "C:\Program Files\DVD2SVCD\unins000.exe"
DWG TrueConvert™ --> MsiExec.exe /X{5783F2D7-0221-0409-0000-0060B0CE6BBA}
DWG TrueView --> MsiExec.exe /I{2CD6BBA0-17C8-4789-9B9B-B36F7E815F6A}
Easy CD Creator 5 Basic --> MsiExec.exe /I{609F7AC8-C510-11D4-A788-009027ABA5D0}
eDrawings 2005 --> MsiExec.exe /I{E3751B88-FED4-4EB7-AC28-9B03AD3234D1}
eDrawings 2006 --> MsiExec.exe /I{B8EA2D6A-3EC4-4DC4-B588-123B7D38B493}
ESPNMotion --> C:\PROGRA~1\ESPNMO~1\UNWISE.EXE /u C:\PROGRA~1\ESPNMO~1\INSTALL.LOG
EZ-CAM --> MsiExec.exe /I{9C887CF4-B248-4E8A-86A4-5F4F8B74A685}
FabriTRAK 9.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8E98BF09-44D9-4DE5-B43C-B4E8879EA85B}\setup.exe" -l0x9
FabriTRAK32 --> C:\WINNT\uninst.exe -ff:\vtfw\DeIsL20.isu
Free DWG Viewer 5.3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B8B4D43C-EAA0-4EEC-B93E-D4D012316286}\Setup.exe" -l0x9
GIF Movie Gear 4.1.2 --> "C:\Program Files\GIF Movie Gear\unins000.exe"
HASP Device Driver --> C:\WINNT\System32\UNWISE.EXE C:\WINNT\System32\hdd32.log
HighMAT Extension to Microsoft Windows XP CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
Hijackthis 1.99.1 --> "C:\Program Files\Hijackthis\unins000.exe"
HijackThis 1.99.1 --> C:\Program Files\Hijackthis\HijackThis.exe /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINNT\$NtUninstallKB929399$\spuninst\spuninst.exe"
Huffyuv AVI lossless video codec (Remove Only) --> rundll.exe setupx.dll,InstallHinfSection DefaultUninstall 132 C:\WINNT\INF\HUFFYUV.INF
IGES & VDA Importer --> C:\PROGRA~1\Actify\IMPORT~1\UNWISE.EXE C:\PROGRA~1\Actify\IMPORT~1\IGESVDAInst.log
ImgBurn (Remove Only) --> "C:\Program Files\ImgBurn\uninstall.exe"
Intel® PROSet II --> MsiExec.exe /I{01A4AEDE-F219-49A2-B855-16A016EAF9A4}
Internet Explorer Q903235 --> C:\WINNT\ieuninst.exe C:\WINNT\INF\Q903235.inf
IntraVISION Lite 3.03 --> C:\WINNT\uninst.exe -fC:\IDA\DeIsL1.isu
IrfanView (remove only) --> C:\Program Files\IrfanView\iv_uninstall.exe
ISO Importer --> C:\PROGRA~1\Actify\IMPORT~1\UNWISE.EXE C:\PROGRA~1\Actify\IMPORT~1\ISOInst.log
IsoBuster 1.8 --> "C:\Program Files\Smart Projects\IsoBuster\Uninst\unins000.exe"
Java 2 Runtime Environment, SE v1.4.2 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142000}
Java 2 Runtime Environment, SE v1.4.2_10 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142100}
JT Importer --> C:\PROGRA~1\Actify\IMPORT~1\UNWISE.EXE C:\PROGRA~1\Actify\IMPORT~1\JTInst.log
Macromedia Shockwave Player --> C:\WINNT\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINNT\system32\Macromed\SHOCKW~1\Install.log
MACSO - Macon Sheetmetal Optimization --> C:\WINNT\st6unst.exe -n "C:\Program Files\MACSO\ST6UNST.LOG"
Mastercam Router 8.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{81E82CAE-F5DF-4303-83C9-E76597D029FD}\setup.exe"
McAfee VirusScan Enterprise --> MsiExec.exe /I{5DF3D1BB-894E-4DCD-8275-159AC9829B43}
Microsoft Age of Empires II --> "C:\Program Files\Microsoft Games\Age of Empires II\UNINSTAL.EXE" /runtemp /uninstall
Microsoft Age of Empires II: The Conquerors Expansion --> "C:\Program Files\Microsoft Games\Age of Empires II\UNINSTALX.EXE" /runtemp /addremove
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINNT\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Data Access Components KB870669 --> C:\WINNT\muninst.exe C:\WINNT\INF\KB870669.inf
Microsoft Office XP Media Content --> MsiExec.exe /I{90300409-6000-11D3-8CFE-0050048383C9}
Microsoft Office XP Professional --> MsiExec.exe /I{91110409-6000-11D3-8CFE-0050048383C9}
Microsoft Publisher 2002 --> MsiExec.exe /I{91190409-6000-11D3-8CFE-0050048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINNT\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Windows Journal Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7}
ModelPress Publisher 4.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{14FB62B7-2719-11D6-9A5B-009027747928}\Setup.exe" -l0x9
MP3 Wav Editor 2.3 --> "C:\Program Files\MP3 Wav Editor\unins000.exe"
MSXML 6.0 Parser (KB927977) --> MsiExec.exe /I{5A710547-B58E-488B-828D-CA9A25A0533C}
msxmlinst --> MsiExec.exe /I{07EF7F6D-5383-40D8-8D0F-6B07B64D58EA}
MUSICMATCH® Jukebox --> C:\PROGRA~1\MUSICM~1\MUSICM~1\unmatch.exe
Network ScanGear Ver.1.3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{030F1677-1A3E-4113-B1F0-EE9632693478}\Setup.exe" UNINSTALL
NOMAD Jukebox 3 Driver --> C:\Program Files\Creative\Jukebox 3 Drivers\DrvUnins.exe /s
Outerinfo --> "C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe"
PE Builder v3.1.3 --> c:\pebuilder313\unins000.exe
PGP 8.1 --> C:\PROGRA~1\PGPCOR~1\PGPFOR~1\PGPUNI~1\setup.exe PGP
Plate 'n' Sheet Professional --> C:\WINNT\st6unst.exe -n "C:\Program Files\Plate 'n' Sheet Professional\ST6UNST.LOG"
PrimoPDF --> "C:\WINNT\PrimoPDF\uninstall.exe" "/U:C:\Program Files\activePDF\PrimoPDF\Uninstall\uninstall.xml"
PTC ProductView Express - Wildfire 2.0 (F000) --> MsiExec.exe /I{EBD42841-D78D-419D-A1D1-7DA28D74AEBC}
Punch! Home Design - Platinum --> C:\PROGRA~1\PUNCH!~1\UNWISE.EXE C:\PROGRA~1\PUNCH!~1\INSTALL.LOG
QuickTime --> MsiExec.exe /I{5E863175-E85D-44A6-8968-82507D34AE7F}
RAW Importer --> C:\PROGRA~1\Actify\IMPORT~1\UNWISE.EXE C:\PROGRA~1\Actify\IMPORT~1\RAWInst.log
SDRC Importer --> C:\PROGRA~1\Actify\IMPORT~1\UNWISE.EXE C:\PROGRA~1\Actify\IMPORT~1\SDRCInst.log
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINNT\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINNT\$NtUninstallKB923723$\spuninst\spuninst.exe"
Sentinel Keys Protection Installer 1.0.0 (English) --> MsiExec.exe /I{ADBFE83F-6EFB-41CE-A147-EED70CDE68FD}
Sentinel System Driver 5.41.1 (32-bit) --> MsiExec.exe /I{5081528F-5DD5-49BA-8213-9A6A13502497}
SMP-IS --> MsiExec.exe /I{37A3F9E1-4BCA-4A0B-B98B-23C07809AB46}
SolidWorks viewer --> MsiExec.exe /X{8EA7D464-00C8-4CAF-B565-56CAF0C2F379}
Sound Blaster Audigy --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9115E7DB-3B29-445A-802D-11E0AA945B7F}\setup.exe" -l0x9
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
STL Importer --> C:\PROGRA~1\Actify\IMPORT~1\UNWISE.EXE C:\PROGRA~1\Actify\IMPORT~1\STLInst.log
TDS Importer --> C:\PROGRA~1\Actify\IMPORT~1\UNWISE.EXE C:\PROGRA~1\Actify\IMPORT~1\TDSInst.log
Time Zone Data Update Tool for Microsoft Office Outlook --> MsiExec.exe /X{95120000-0038-0409-0000-0000000FF1CE}
TransMagic 2006 sp0.2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{31652E0A-477A-4C6D-9049-583D98E21397}\setup.exe" -l0x9 -removeonly
UGS JT2Go --> MsiExec.exe /I{07D2750B-D757-434F-B3F5-13F95475C179}
URGE --> MsiExec.exe /I{8BBF6DFD-0AD9-43A7-9FBD-BF065E3866AE}
VideoLAN VLC media player 0.8.1 --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Viewpoint Manager (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Volo View Express --> MsiExec.exe /I{1ECD6EC8-7BB2-4CD5-A384-BAA371BC4D21}
WebEx --> C:\WINNT\DOWNLO~1\atcliun.exe
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Live Messenger --> MsiExec.exe /I{FCE50DB8-C610-4C42-BE5C-193F46C6F812}
Windows Media Encoder 9 Series --> msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Encoder 9 Series --> MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Format 11 runtime --> "C:\WINNT\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall


-- End of Deckard's System Scanner: finished at 2007-06-12 at 07:03:24 ---------

#6 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia

Posted 12 June 2007 - 02:58 PM

Hello hockeypill,

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
The same goes with the Real-Time Protection feature of Windows Defender:

To disable Real-Time Protection:
  • Go to "Tools" | "General Settings"
  • Scroll down to "Real-time protection options"
  • Uncheck "Turn on real-time protection (recommended)"
  • Remember to reactivate this feature when we have finished all our work.
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 1 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u1...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version.
1. Download combofix from one of these links:
Link1
Link2
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Please post back with combofix report and new HijackThis log.
SNOWHITE

#7 hockeypill

hockeypill
  • Topic Starter

  • Members
  • 15 posts

Posted 15 June 2007 - 02:35 PM

Combofix

ComboFix 07-06-13.3 - C:\temp\ComboFix.exe
"ppatton" - 2007-06-15 15:11:24 - Service Pack 2 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ppatton\Desktop.\internet explorer.lnk
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Temp\0b9
C:\Temp\0b9\tmpTF.log
C:\WINNT\system32\pog
C:\WINNT\system32\T3
C:\WINNT\system32\T4


((((((((((((((((((((((((( Files Created from 2007-05-15 to 2007-06-15 )))))))))))))))))))))))))))))))


2007-06-15 15:10 49,152 --a------ C:\WINNT\nircmd.exe
2007-06-15 14:07 13,801,120 --a------ C:\temp\jre-6u1-windows-i586-p.exe
2007-06-15 14:06 1,085,249 --a------ C:\temp\ComboFix.exe
2007-06-13 15:44 15,177,920 --a------ C:\temp\eDrawingsFullEnglish.exe
2007-06-13 15:29 <DIR> d-------- C:\Program Files\SolidWorks Viewer
2007-06-13 15:28 19,518,496 --a------ C:\temp\swviewer.exe
2007-06-13 14:13 29,910,046 --a------ C:\temp\061307.reg
2007-06-12 08:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SMP
2007-06-12 08:05 <DIR> d-------- C:\Program Files\Common Files\SMP
2007-06-12 08:05 <DIR> d-------- C:\Program Files\Common Files\Data Dynamics
2007-06-12 08:05 <DIR> d-------- C:\DOCUME~1\ppatton\APPLIC~1\SMP
2007-06-12 07:00 <DIR> d-------- C:\Deckard
2007-06-11 14:30 3,968 --a------ C:\WINNT\system32\drivers\AvgAsCln.sys
2007-06-11 14:02 11,470,608 --a------ C:\temp\avgas-setup-7.5.0.50.exe
2007-06-05 14:20 <DIR> d-------- C:\VundoFix Backups
2007-06-05 13:53 104,960 --a------ C:\temp\VundoFix.exe
2007-06-05 09:17 2,719,216 --a------ C:\temp\ccsetup140.exe
2007-06-05 09:14 50,688 --a------ C:\temp\ATF-Cleaner.exe
2007-06-05 09:01 <DIR> d-------- C:\temp\SDFIX
2007-06-05 07:02 488,144 --a------ C:\temp\HJTsetup.exe
2007-06-04 09:37 <DIR> d-------- C:\DOCUME~1\ppatton\APPLIC~1\Lavasoft
2007-06-04 09:36 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-04 09:35 4,850,920 --a------ C:\temp\aawsepersonal.exe
2007-06-04 09:35 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-01 12:00 4,434 --a------ C:\WINNT\system32\tmp.reg
2007-06-01 11:59 <DIR> d-------- C:\temp\SmitfraudFix
2007-06-01 11:33 878,391 --a------ C:\temp\SmitfraudFix.exe
2007-06-01 11:03 <DIR> d-------- C:\SDAT
2007-05-31 09:35 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-05-31 07:34 <DIR> d-------- C:\Program Files\Windows Defender
2007-05-30 13:39 1,557,636 ---hs---- C:\WINNT\system32\kjllm.bak2
2007-05-29 13:38 263,220 --ahs---- C:\WINNT\system32\mlljk.dll.vir
2007-05-29 13:38 1,542,808 ---hs---- C:\WINNT\system32\kjllm.bak1
2007-05-29 13:33 42,473 --a------ C:\WINNT\WpAJTrYf67HazytRD.exe
2007-05-29 13:33 <DIR> d-------- C:\WINNT\system32\T6
2007-05-29 13:33 <DIR> d-------- C:\quarantine
2007-05-29 13:32 <DIR> d-------- C:\WINNT\system32\TQ0
2007-05-29 13:32 <DIR> d-------- C:\WINNT\system32\T1QaSQ


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-14 19:16:14 -------- d-----w C:\DOCUME~1\ppatton\APPLIC~1\AdobeUM
2007-06-14 14:20:02 24 ----a-w C:\WINNT\system32\DVCStateBkp-{00000002-00000000-0000000C-00001102-00000004-00581102}.dat
2007-06-14 14:20:02 24 ----a-w C:\WINNT\system32\DVCState-{00000002-00000000-0000000C-00001102-00000004-00581102}.dat
2007-06-13 19:36:31 -------- d-----w C:\DOCUME~1\ppatton\APPLIC~1\SolidWorks
2007-06-13 13:08:06 648 ----a-w C:\WINNT\system32\winsusrm.dll
2007-06-12 12:36:44 -------- d-----w C:\Program Files\MMI
2007-06-07 11:19:08 -------- d-----w C:\DOCUME~1\ppatton\APPLIC~1\Viewpoint
2007-06-07 11:18:45 -------- d-----w C:\Program Files\AIM6
2007-06-07 11:18:30 -------- d-----w C:\Program Files\Viewpoint
2007-05-31 13:30:53 -------- d-----w C:\Program Files\Dassault Systemes
2007-05-31 11:28:05 -------- d-----w C:\Program Files\Messenger
2007-05-16 15:12:02 683,520 ----a-w C:\WINNT\system32\inetcomm.dll
2007-05-14 15:57:42 -------- d-----w C:\Program Files\UGS
2007-05-08 16:55:23 -------- d-----w C:\Program Files\ACAD2000
2007-05-07 17:55:29 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-26 15:21:54 -------- d-----w C:\Program Files\Dassault Systemes 3D XML Player
2007-04-26 14:36:37 -------- d-----w C:\Program Files\Dassault Systemes 3D PrintScreen
2007-04-25 14:21:15 144,896 ----a-w C:\WINNT\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINNT\system32\msi.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINNT\system32\winsrv.dll
2007-03-15 16:23:16 497,496 ----a-w C:\WINNT\system32\XceedZip.dll
2007-03-15 16:19:58 526,184 ----a-w C:\WINNT\system32\XceedCry.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [2002-07-02 19:56 C:\WINNT\system32\cthelper.exe]
"Jet Detection"="C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-10-04 02:00]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-10-03 19:50]
"CalCompUtil"="ccwtup32.exe" []
"Synchronization Manager"="%SystemRoot%\system32\mobsync.exe" []
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-03-23 21:10]
"ATI DeviceDetect"="C:\Program Files\ATI Multimedia\\Program Files\ATI Multimedia\main\ATIDtct.EXE" []
"@"="" []
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-06 01:07]
"HostManager"="C:\Program Files\Common Files\AOL\1138030376\ee\AOLSoftware.exe" [2006-05-09 20:24]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 20:00]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 03:50]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 09:48]
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2004-12-27 15:14]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 11:54]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2006-10-07 08:20]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 00:56]
"@"="" []
"ATI Launchpad"="" []
"ATI Remote Control"="C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe" [2004-03-23 05:39]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2006-07-29 19:34]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 17:17]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"=1 (0x1)
"ForceStartMenuLogOff"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 10:13]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-602162358-362288127-682003330-1126\Scripts\Logon\0\0]
"Script"=\\Spm2-server\Profiles\logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-602162358-362288127-682003330-1126\Scripts\Logon\0\1]
"Script"=\\spm2-server\Profiles\shortcuts.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-602162358-362288127-682003330-1129\Scripts\Logon\0\0]
"Script"=\\Spm2-server\Profiles\logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-602162358-362288127-682003330-1129\Scripts\Logon\0\1]
"Script"=\\spm2-server\Profiles\shortcuts.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-602162358-362288127-682003330-1134\Scripts\Logon\0\0]
"Script"=\\Spm2-server\Profiles\logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-602162358-362288127-682003330-1134\Scripts\Logon\0\1]
"Script"=\\spm2-server\Profiles\shortcuts.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-602162358-362288127-682003330-1137\Scripts\Logon\0\0]
"Script"=\\Spm2-server\Profiles\logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-602162358-362288127-682003330-1137\Scripts\Logon\0\1]
"Script"=\\spm2-server\Profiles\shortcuts.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc

*Newly Created Service* - NMSCFG
*Newly Created Service* - NMSSVC

Contents of the 'Scheduled Tasks' folder
2007-06-09 15:41:01 C:\WINNT\tasks\AppleSoftwareUpdate.job
2007-06-15 08:18:04 C:\WINNT\tasks\Backup Database Now.job
2007-06-15 09:01:00 C:\WINNT\tasks\Fabritrak.job
2007-06-15 00:00:39 C:\WINNT\tasks\MP Scheduled Scan.job
2007-06-15 06:00:16 C:\WINNT\tasks\XCOPYM.job
2007-06-15 07:01:40 C:\WINNT\tasks\XCOPYR.job
2007-06-15 08:01:10 C:\WINNT\tasks\XCOPYT.job
2007-06-15 06:30:41 C:\WINNT\tasks\XCOPYY.job
2007-06-15 07:30:03 C:\WINNT\tasks\XCOPYZ.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-15 15:26:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-15 15:27:17
C:\ComboFix-quarantined-files.txt ... 2007-06-15 15:26

--- E O F ---


Hijackthis

Logfile of HijackThis v1.99.1
Scan saved at 15:32, on 2007-06-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Dassault Systemes\B17\intel_a\code\bin\CATSysDemon.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\PGPserv.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\AOL\1138030376\ee\AOLSoftware.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\PGP Corporation\PGP for Windows XP\PGPtray.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\wisptis.exe
C:\WINNT\explorer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CalCompUtil] ccwtup32.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1138030376\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Microsoft Office Shortcut Bar.lnk = ?
O4 - Startup: Microsoft Outlook.lnk = ?
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: PGPtray.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {4F96CE92-09EA-49D3-B478-F1892F6DCB6D} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.6.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = schwartzprecision.net
O17 - HKLM\Software\..\Telephony: DomainName = schwartzprecision.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = schwartzprecision.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = schwartzprecision.net
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Backbone Service (BBDemon) - Unknown owner - C:\Program Files\Dassault Systemes\B17\intel_a\code\bin\CATSysDemon.exe" -service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: PGPserv - PGP Corporation - C:\WINNT\System32\PGPserv.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Sentinel Keys Server (SentinelKeysServer) - SafeNet, Inc. - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

#8 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • Gender:Female
  • Location:Bitola, Macedonia

Posted 19 June 2007 - 02:22 AM

Hello hockeypill,

Please follow the steps below exactly in the order they are written:

Step #1


Please re-open HiJackThis and click on "Do a system scan only". Check the boxes next to all the entries listed below.

O16 - DPF: {4F96CE92-09EA-49D3-B478-F1892F6DCB6D} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.6.cab

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

Step #2

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\temp\061307.reg
C:\WINNT\system32\kjllm.bak2
C:\WINNT\system32\mlljk.dll.vir
C:\WINNT\system32\kjllm.bak1
C:\WINNT\WpAJTrYf67HazytRD.exe

Folder::
C:\WINNT\system32\T6
C:\WINNT\system32\TQ0
C:\WINNT\system32\T1QaSQ


Save this as ComboFix-Do.txt

Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

In your next post please include the following reports:
  • Combofix report
  • new HijackThis log
Let me know how things went.


Regards,
SNOWHITE
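Step #2 above hand-writes a CFScript from the ComboFix "Files Created" listing in post #7. As an added example (not ComboFix's code and not anything the helper posted), the Python below parses that section of a ComboFix log and drafts the File:: / Folder:: script; the triage rules it applies (hidden+system files under the Windows directory, random-looking executable names, new directories created directly in system32) are illustrative assumptions, not ComboFix's logic, and the sample log is a constructed subset of the thread's own output.

```python
"""Triage a ComboFix 'Files Created' section and draft a CFScript from it.
Added example, not ComboFix's code. The flagging rules are illustrative
assumptions; the output is a draft for an analyst to review before use.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the ComboFix output posted in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2007-05-15 to 2007-06-15 )))))))))))))))))))))))))))))))

2007-06-15 15:10 49,152 --a------ C:\WINNT\nircmd.exe
2007-06-13 15:29 <DIR> d-------- C:\Program Files\SolidWorks Viewer
2007-05-30 13:39 1,557,636 ---hs---- C:\WINNT\system32\kjllm.bak2
2007-05-29 13:38 263,220 --ahs---- C:\WINNT\system32\mlljk.dll.vir
2007-05-29 13:38 1,542,808 ---hs---- C:\WINNT\system32\kjllm.bak1
2007-05-29 13:33 42,473 --a------ C:\WINNT\WpAJTrYf67HazytRD.exe
2007-05-29 13:33 <DIR> d-------- C:\WINNT\system32\T6
2007-05-29 13:33 <DIR> d-------- C:\quarantine
2007-05-29 13:32 <DIR> d-------- C:\WINNT\system32\TQ0
2007-05-29 13:32 <DIR> d-------- C:\WINNT\system32\T1QaSQ

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
"""

# One entry: date, time, size or <DIR>, nine attribute flags, then the path
# (which may contain spaces, so it is the greedy tail).
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+([a-z-]{9})\s+(.+)$"
)
SYSTEM_ROOTS = (r"c:\winnt", r"c:\windows")
# Assumed heuristic: 12+ alphanumerics mixing upper case, lower case and digits.
RANDOM_NAME_RE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[A-Za-z0-9]{12,}$")
EXECUTABLE_EXTS = {".exe", ".dll", ".sys"}


@dataclass
class Entry:
    created: str         # "YYYY-MM-DD HH:MM" as ComboFix prints it
    size: Optional[int]  # None for directories
    attrs: str           # e.g. "---hs----": d=dir, a=archive, h=hidden, s=system
    path: str

    @property
    def is_dir(self) -> bool:
        return "d" in self.attrs


def parse_files_created(log_text: str) -> List[Entry]:
    """Return the entries between the 'Files Created' banner and the next banner."""
    entries: List[Entry] = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("((("):  # every ComboFix section banner looks like this
            in_section = "Files Created" in line
            continue
        m = ENTRY_RE.match(line) if in_section and line else None
        if m is None:
            continue  # blank or unexpected line: skip rather than fail
        date, time, size, attrs, path = m.groups()
        size_val = None if size == "<DIR>" else int(size.replace(",", ""))
        entries.append(Entry(f"{date} {time}", size_val, attrs, path))
    return entries


def reason_to_flag(e: Entry) -> Optional[str]:
    """Apply the illustrative triage rules; None means 'leave it alone'."""
    low = e.path.lower()
    stem, ext = ntpath.splitext(ntpath.basename(e.path))
    if e.is_dir:
        if ntpath.dirname(low).endswith(r"\system32"):
            return "new directory created directly in system32"
        return None
    if "h" in e.attrs and "s" in e.attrs and low.startswith(SYSTEM_ROOTS):
        return "hidden+system file under the Windows directory"
    if ext.lower() in EXECUTABLE_EXTS and RANDOM_NAME_RE.match(stem):
        return "executable with a random-looking name"
    return None


def build_cfscript(entries: List[Entry]) -> str:
    """Draft the File:: / Folder:: sections from the flagged entries."""
    files = [e.path for e in entries if not e.is_dir and reason_to_flag(e)]
    folders = [e.path for e in entries if e.is_dir and reason_to_flag(e)]
    out: List[str] = []
    if files:
        out += ["File::", *files, ""]
    if folders:
        out += ["Folder::", *folders, ""]
    return "\n".join(out)


if __name__ == "__main__":
    print(build_cfscript(parse_files_created(SAMPLE_LOG)))
```

On the sample, ComboFix's own nircmd.exe and quarantine folder and the SolidWorks Viewer directory stay untouched, while the hidden+system .bak/.vir files, the random-named executable and the three system32 folders land in the draft exactly as the helper listed them.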

#9 hockeypill

hockeypill
  • Topic Starter

  • Members
  • 15 posts

Posted 22 June 2007 - 02:56 PM

Combofix:

ComboFix 07-06-13.3 - C:\temp\ComboFix.exe
"ppatton" - 2007-06-22 15:09:05 - Service Pack 2 NTFS
Command switches used :: C:\temp\ComboFix-Do.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ppatton\Desktop.\internet explorer.lnk
C:\temp\061307.reg
C:\WINNT\system32\kjllm.bak1
C:\WINNT\system32\kjllm.bak2
C:\WINNT\system32\mlljk.dll.vir
C:\WINNT\system32\T1QaSQ
C:\WINNT\system32\T6
C:\WINNT\system32\TQ0
C:\WINNT\WpAJTrYf67HazytRD.exe


((((((((((((((((((((((((( Files Created from 2007-05-22 to 2007-06-22 )))))))))))))))))))))))))))))))


2007-06-18 13:16 <DIR> d-------- C:\WINNT\LastGood
2007-06-15 15:10 49,152 --a------ C:\WINNT\nircmd.exe
2007-06-15 14:07 13,801,120 --a------ C:\temp\jre-6u1-windows-i586-p.exe
2007-06-15 14:06 1,085,249 --a------ C:\temp\ComboFix.exe
2007-06-13 15:44 15,177,920 --a------ C:\temp\eDrawingsFullEnglish.exe
2007-06-13 15:29 <DIR> d-------- C:\Program Files\SolidWorks Viewer
2007-06-13 15:28 19,518,496 --a------ C:\temp\swviewer.exe
2007-06-12 08:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SMP
2007-06-12 08:05 <DIR> d-------- C:\Program Files\Common Files\SMP
2007-06-12 08:05 <DIR> d-------- C:\Program Files\Common Files\Data Dynamics
2007-06-12 08:05 <DIR> d-------- C:\DOCUME~1\ppatton\APPLIC~1\SMP
2007-06-12 07:00 <DIR> d-------- C:\Deckard
2007-06-11 14:30 3,968 --a------ C:\WINNT\system32\drivers\AvgAsCln.sys
2007-06-11 14:02 11,470,608 --a------ C:\temp\avgas-setup-7.5.0.50.exe
2007-06-05 14:20 <DIR> d-------- C:\VundoFix Backups
2007-06-05 13:53 104,960 --a------ C:\temp\VundoFix.exe
2007-06-05 09:17 2,719,216 --a------ C:\temp\ccsetup140.exe
2007-06-05 09:14 50,688 --a------ C:\temp\ATF-Cleaner.exe
2007-06-05 09:01 <DIR> d-------- C:\temp\SDFIX
2007-06-05 07:02 488,144 --a------ C:\temp\HJTsetup.exe
2007-06-04 09:37 <DIR> d-------- C:\DOCUME~1\ppatton\APPLIC~1\Lavasoft
2007-06-04 09:36 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-04 09:35 4,850,920 --a------ C:\temp\aawsepersonal.exe
2007-06-04 09:35 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-01 12:00 4,434 --a------ C:\WINNT\system32\tmp.reg
2007-06-01 11:59 <DIR> d-------- C:\temp\SmitfraudFix
2007-06-01 11:33 878,391 --a------ C:\temp\SmitfraudFix.exe
2007-06-01 11:03 <DIR> d-------- C:\SDAT
2007-05-31 09:35 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-05-31 07:34 <DIR> d-------- C:\Program Files\Windows Defender
2007-05-29 13:33 <DIR> d-------- C:\quarantine


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-21 18:17:35 648 ----a-w C:\WINNT\system32\winsusrm.dll
2007-06-20 20:15:44 -------- d-----w C:\Program Files\MMI
2007-06-15 19:47:31 24 ----a-w C:\WINNT\system32\DVCStateBkp-{00000002-00000000-0000000C-00001102-00000004-00581102}.dat
2007-06-15 19:47:31 24 ----a-w C:\WINNT\system32\DVCState-{00000002-00000000-0000000C-00001102-00000004-00581102}.dat
2007-06-14 19:16:14 -------- d-----w C:\DOCUME~1\ppatton\APPLIC~1\AdobeUM
2007-06-13 19:36:31 -------- d-----w C:\DOCUME~1\ppatton\APPLIC~1\SolidWorks
2007-06-07 11:19:08 -------- d-----w C:\DOCUME~1\ppatton\APPLIC~1\Viewpoint
2007-06-07 11:18:45 -------- d-----w C:\Program Files\AIM6
2007-06-07 11:18:30 -------- d-----w C:\Program Files\Viewpoint
2007-05-31 13:30:53 -------- d-----w C:\Program Files\Dassault Systemes
2007-05-31 11:28:05 -------- d-----w C:\Program Files\Messenger
2007-05-16 15:12:02 683,520 ----a-w C:\WINNT\system32\inetcomm.dll
2007-05-14 15:57:42 -------- d-----w C:\Program Files\UGS
2007-05-08 16:55:23 -------- d-----w C:\Program Files\ACAD2000
2007-05-07 17:55:29 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-26 15:21:54 -------- d-----w C:\Program Files\Dassault Systemes 3D XML Player
2007-04-26 14:36:37 -------- d-----w C:\Program Files\Dassault Systemes 3D PrintScreen
2007-04-25 14:21:15 144,896 ----a-w C:\WINNT\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINNT\system32\msi.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINNT\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINNT\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINNT\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINNT\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINNT\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINNT\system32\wuauclt.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [2002-07-02 19:56 C:\WINNT\system32\cthelper.exe]
"Jet Detection"="C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-10-04 02:00]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-10-03 19:50]
"CalCompUtil"="ccwtup32.exe" []
"Synchronization Manager"="%SystemRoot%\system32\mobsync.exe" []
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-03-23 21:10]
"ATI DeviceDetect"="C:\Program Files\ATI Multimedia\\Program Files\ATI Multimedia\main\ATIDtct.EXE" []
"@"="" []
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-06 01:07]
"HostManager"="C:\Program Files\Common Files\AOL\1138030376\ee\AOLSoftware.exe" [2006-05-09 20:24]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 20:00]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 03:50]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 09:48]
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2004-12-27 15:14]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 11:54]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2006-10-07 08:20]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 00:56]
"@"="" []
"ATI Launchpad"="" []
"ATI Remote Control"="C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe" [2004-03-23 05:39]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2006-07-29 19:34]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 17:17]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"=1 (0x1)
"ForceStartMenuLogOff"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 10:13]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-602162358-362288127-682003330-1126\Scripts\Logon\0\0]
"Script"=\\Spm2-server\Profiles\logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-602162358-362288127-682003330-1126\Scripts\Logon\0\1]
"Script"=\\spm2-server\Profiles\shortcuts.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-602162358-362288127-682003330-1129\Scripts\Logon\0\0]
"Script"=\\Spm2-server\Profiles\logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-602162358-362288127-682003330-1129\Scripts\Logon\0\1]
"Script"=\\spm2-server\Profiles\shortcuts.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-602162358-362288127-682003330-1134\Scripts\Logon\0\0]
"Script"=\\Spm2-server\Profiles\logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-602162358-362288127-682003330-1134\Scripts\Logon\0\1]
"Script"=\\spm2-server\Profiles\shortcuts.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-602162358-362288127-682003330-1137\Scripts\Logon\0\0]
"Script"=\\Spm2-server\Profiles\logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-602162358-362288127-682003330-1137\Scripts\Logon\0\1]
"Script"=\\spm2-server\Profiles\shortcuts.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc

*Newly Created Service* - ENTDRV51
*Newly Created Service* - NMSSVC

Contents of the 'Scheduled Tasks' folder
2007-06-16 15:41:01 C:\WINNT\tasks\AppleSoftwareUpdate.job
2007-06-22 08:15:53 C:\WINNT\tasks\Backup Database Now.job
2007-06-22 09:01:00 C:\WINNT\tasks\Fabritrak.job
2007-06-19 12:30:54 C:\WINNT\tasks\MP Scheduled Scan.job
2007-06-22 06:00:12 C:\WINNT\tasks\XCOPYM.job
2007-06-22 07:01:42 C:\WINNT\tasks\XCOPYR.job
2007-06-22 08:01:07 C:\WINNT\tasks\XCOPYT.job
2007-06-22 06:30:26 C:\WINNT\tasks\XCOPYY.job
2007-06-22 07:30:02 C:\WINNT\tasks\XCOPYZ.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-22 15:25:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

cmd.exe [4976]


scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-06-22 15:26:33
C:\ComboFix-quarantined-files.txt ... 2007-06-22 15:26
C:\ComboFix2.txt ... 2007-06-15 15:27

--- E O F ---

HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 15:53, on 2007-06-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Dassault Systemes\B17\intel_a\code\bin\CATSysDemon.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\PGPserv.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\AOL\1138030376\ee\AOLSoftware.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINNT\System32\rundll32.exe
C:\Program Files\PGP Corporation\PGP for Windows XP\PGPtray.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINNT\system32\svchost.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CalCompUtil] ccwtup32.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1138030376\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Microsoft Office Shortcut Bar.lnk = ?
O4 - Startup: Microsoft Outlook.lnk = ?
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: PGPtray.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = schwartzprecision.net
O17 - HKLM\Software\..\Telephony: DomainName = schwartzprecision.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = schwartzprecision.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = schwartzprecision.net
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Backbone Service (BBDemon) - Unknown owner - C:\Program Files\Dassault Systemes\B17\intel_a\code\bin\CATSysDemon.exe" -service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: PGPserv - PGP Corporation - C:\WINNT\System32\PGPserv.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Sentinel Keys Server (SentinelKeysServer) - SafeNet, Inc. - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

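The HijackThis log above is read by eye in this thread, but the O2/O4/O23 lines have a regular shape that is easy to parse. The following Python is an added example (not code from this thread, from BleepingComputer, or from HijackThis itself): it turns those lines into records and flags the entries a reviewer usually checks first, namely services reported "(file missing)" or with no vendor, Run-key entries that name a bare executable that is resolved through PATH, and BHOs with no display name. The sample lines are copied from the log posted above; the flag rules are my own triage heuristics, not anything HijackThis does, and a flag is a pointer to look, not a verdict (the "(no name)" BHO here is Spybot's SDHelper.dll).

```python
"""Triage helper for HijackThis 1.99 log lines (added example, not HJT code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed input: lines copied from the HijackThis log in this thread.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O4 - HKLM\\..\\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\\..\\Run: [CalCompUtil] ccwtup32.exe
O4 - HKLM\\..\\Run: [Windows Defender] "C:\\Program Files\\Windows Defender\\MSASCui.exe" -hide
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINNT\\system32\\ctfmon.exe
O23 - Service: ATI Smart - Unknown owner - C:\\WINNT\\system32\\ati2sgag.exe
O23 - Service: PGPserv - PGP Corporation - C:\\WINNT\\System32\\PGPserv.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\\PROGRA~1\\ATIMUL~1\\RemCtrl\\x10nets.exe (file missing)
"""


@dataclass
class Entry:
    kind: str                 # "O2" (BHO), "O4" (Run key), "O23" (service)
    name: str                 # display name as HJT prints it
    target: str               # DLL / executable as written in the log
    owner: str = ""           # O23 only: vendor column
    flags: list[str] = field(default_factory=list)


# Line shapes as emitted by HijackThis 1.99.1 (see the log above).
_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
_O4 = re.compile(r"^O4 - (?P<where>.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_O23 = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


def executable_of(cmd: str) -> str:
    """Pull the program image out of a Run-key command line.

    A quoted path is taken verbatim. An unquoted one is cut at the first
    .exe/.dll/.sys/.cmd/.bat extension followed by whitespace or end of
    line, so 'C:\\Program Files\\x.exe /flag' survives the space in
    'Program Files'. Anything else falls back to the first token.
    """
    m = re.match(r'^"([^"]+)"', cmd)
    if m:
        return m.group(1)
    m = re.match(r"^(.*?\.(?:exe|dll|sys|cmd|bat))(?=\s|$)", cmd, re.IGNORECASE)
    if m:
        return m.group(1)
    parts = cmd.split()
    return parts[0] if parts else cmd


def parse_hjt(text: str) -> list[Entry]:
    """Parse O2, O4 (Run-key form) and O23 lines; other line types are skipped."""
    entries: list[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        if m := _O2.match(line):
            entries.append(Entry("O2", m["name"], m["path"]))
        elif m := _O4.match(line):
            entries.append(Entry("O4", m["name"], executable_of(m["cmd"])))
        elif m := _O23.match(line):
            entries.append(Entry("O23", m["name"], m["path"], m["owner"]))
    return entries


def triage(entries: list[Entry]) -> list[Entry]:
    """Attach review flags (heuristics of this example) and return flagged entries."""
    for e in entries:
        if e.kind == "O23":
            if e.target.endswith("(file missing)"):
                e.flags.append("service binary missing: orphaned or removed entry")
            if e.owner == "Unknown owner":
                e.flags.append("no vendor recorded for service")
        elif e.kind == "O4":
            # No directory component: Windows resolves it via PATH, so the
            # copy that actually runs depends on the search order.
            if "\\" not in e.target and "%" not in e.target:
                e.flags.append("bare file name: resolved via PATH, confirm which copy runs")
        elif e.kind == "O2" and e.name == "(no name)":
            e.flags.append("BHO without a display name: identify the CLSID/DLL")
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{e.kind:<3} {e.name:<40} {e.target}")
        for f in e.flags:
            print(f"      - {f}")
```

Run as-is and it prints the five entries from the sample that carry a flag; feed it a whole pasted log instead of `SAMPLE_LOG` to get the same short list for a real case.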
#10 SNOWHITE

Posted 25 June 2007 - 06:28 AM

Hello hockeypill,

I would like you to answer some questions for me:

I see that the computer we are trying to clean up is a company computer?

Please let me know what this computer is used for; that is, do you keep confidential data on it about the company and customers, or is there information accessible through the computer (through an employer's network that the computer connects to via dialup or VPN)?

Do you have banking or personal information on this computer?

The reason I am asking you these questions is that the last report shows a hidden process, which may mean the presence of an undetected backdoor and rootkit. At this point I can't say what the real threat is, why this process is hidden or what is hiding it. We will do more research, but I would also like you to take your time and read the recommendations below:

1) use a known secure computer to change all of your online passwords
2) contact your bank and credit card company for possible unauthorised transactions

more info can be found here:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

some further reading:

Security Management - May 2004
Help: I Got Hacked. Now What Do I Do?
http://www.microsoft.com/technet/community...gmt/sm0504.mspx

Security Management - July 2004
Help: I Got Hacked. Now What Do I Do? Part II
http://www.microsoft.com/technet/community...gmt/sm0704.mspx

and finally some more considerations:

When should I re-format? How should I reinstall?
http://www.dslreports.com/faq/10063

if you choose to format and reinstall see this link for instructions:
http://www.cyberwalker.net/faqs/how-tos/reinstall-faq.html

Please follow the steps below:

Step #1

Download GMER from here:
http://www.gmer.net/files.php


Unzip it to the desktop.

Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Click on Scan.
When the scan has run, click Copy and paste the results (if any) into this thread.

Step #2

Please do an online scan with Kaspersky WebScanner

NOTE: This Scanner will work with Internet Explorer Only!


Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save Report As... button:
  • Under Save as type select Text file, write a name for the file and save it to your Desktop.
  • Locate the file at the Desktop, open it, then copy and paste that information in your next post.
Please post back with GMER report, Kaspersky scan report and answers to my questions.

Best regards,
SNOWHITE