I need help
KotaGuy
Member
1. April 2007 @ 20:33
Try this...

Reboot.

When Windows loads up, quickly click Start > Run, type in shutdown -a and hit Enter.

That should abort the shutdown.

Then click Start > Run, type in services.msc and hit Enter. From the list find the DCOM service. Right-click on it and choose Properties. Stop the service and change the Startup Type to Disabled.

That should enable us to do what we need in regards to cleaning your system of any remaining baddies.
trishajoy
Junior Member
2. April 2007 @ 09:35
Last night when I was scanning the comp with the new antivirus you told me to download, all was well until deep in the scan, and then a window popped up stating: Generic host process for WIN32 services has encountered a problem and needs to close. OK, so it asks if you want to send a report, etc... I just left it alone hoping the scan would finish, but shortly thereafter that stupid DCOM thing came up and shut me down... I went to bed.
This morning it started up and scanned and found nothing. I did the Hijack report and here it is:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:28:31 AM, on 4/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Documents and Settings\Trisha\Local Settings\Temporary Internet Files\Content.IE5\U7SZYX47\HiJackThis_v2.0.0.0[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defa...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defa...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defa...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defa...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defa...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defa...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - f:\program files\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [D_V_T] C:\\dvt.exe /S \C:\\d_v_t.reg\
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [FormAutoFill] C:\Program Files\FormAutoFill\faf.exe
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-21-2052111302-1935655697-1343024091-1004\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Installer) - http://echat.qwest.supportsoft.com/sdcco...ad/tgctlins.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner...can_unicode.cab
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.ivillage.co.uk/save/makeover.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
O16 - DPF: {B9940246-4344-4D1B-BD82-DBAF7E657FF9} (AudioClient Control) - http://mtstandard.serveftp.net:19141/SysCamInst.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

--
End of file - 5860 bytes
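A log like the one above is normally read by eye, entry by entry. As an added example (it is not part of this thread and not part of HijackThis itself), here is a small Python triage script that applies three heuristics to HijackThis-style lines: entries that point at files which no longer exist, O4 autoruns whose executable sits in a drive root or a temp directory or is a bare filename, and O16 downloaded ActiveX controls fetched over plain HTTP, from a non-standard port, or from a dynamic-DNS host. The sample lines are copied from the log posted above; the heuristics, the file-extension list and the dynamic-DNS suffix list are my own assumptions, and a hit only means "look closer", not "malicious".

```python
"""Triage heuristics for HijackThis-style log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Sample lines copied from the HijackThis log posted above (a constructed subset, not a full log).
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [D_V_T] C:\\dvt.exe /S \C:\\d_v_t.reg\
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
O16 - DPF: {B9940246-4344-4D1B-BD82-DBAF7E657FF9} (AudioClient Control) - http://mtstandard.serveftp.net:19141/SysCamInst.cab
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
"""

O4_RE = re.compile(r"^O4 - .*?\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[^}]*)\} \((?P<desc>[^)]*)\) - (?P<url>\S+)")
ROOT_RE = re.compile(r"^[A-Za-z]:\\[^\\]+$")              # e.g. C:\dvt.exe
TEMP_RE = re.compile(r"\\(temp|temporary internet files)\\", re.I)
# Assumed list of dynamic-DNS suffixes; extend it for real use.
DYNDNS_SUFFIXES = ("serveftp.net", "no-ip.org", "dyndns.org")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    line: str      # the raw log line
    reasons: list  # why it was flagged


def exe_path(cmd: str) -> str:
    """Pull the executable path out of a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        path = cmd[1:end] if end > 0 else cmd[1:]
    else:
        m = re.match(r"(.*?\.(?:exe|dll|scr|com|bat|cmd|pif))(?:\s|$)", cmd, re.I)
        path = m.group(1) if m else cmd.split()[0]
    # The posted log shows the D_V_T entry with doubled backslashes; collapse them.
    return re.sub(r"\\{2,}", r"\\", path)


def location_reasons(path: str) -> list:
    """Autorun locations that legitimate software rarely uses."""
    reasons = []
    if ROOT_RE.match(path):
        reasons.append("executable lives in the root of a drive")
    if TEMP_RE.search(path):
        reasons.append("executable lives in a temp/cache directory")
    if "\\" not in path:
        reasons.append("bare filename, resolved via PATH at logon")
    return reasons


def dpf_reasons(url: str) -> list:
    """Checks for O16 entries (ActiveX controls in Downloaded Program Files)."""
    u = urlsplit(url)
    reasons = []
    if u.scheme != "https":
        reasons.append("ActiveX code base fetched over plain HTTP")
    if u.port not in (None, 80, 443):
        reasons.append(f"non-standard port {u.port}")
    if (u.hostname or "").endswith(DYNDNS_SUFFIXES):
        reasons.append("dynamic-DNS host")
    return reasons


def triage(log_text: str) -> list:
    """Return the lines worth a second look, each with the reasons it was flagged."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        reasons = []
        if "(no file)" in line or "(file missing)" in line:
            reasons.append("entry points at a file that no longer exists (orphan)")
        m = O4_RE.match(line)
        if m:
            reasons += location_reasons(exe_path(m.group("cmd")))
        m = O16_RE.match(line)
        if m:
            reasons += dpf_reasons(m.group("url"))
        if reasons:
            findings.append(Finding(section, line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.line}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the sample, it flags the orphaned Yahoo! Toolbar hook, the D_V_T autorun in the root of C:, the orphaned Messenger button and the AudioClient control pulled from a dynamic-DNS host on port 19141, and leaves the MSConfig, AVG and pineconeresearch entries alone. Orphan entries are harmless by themselves, but they are the residue that earlier cleanups leave behind, which is why helpers ask for them to be fixed.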
KotaGuy
Member
2. April 2007 @ 09:48
OK...

I'd like you to try and do a scan with WinPFind3 again. If it works copy/paste the log here.

If it doesn't work and hangs up on you again... do another online Kaspersky scan and post the log.

Need to see what we have left to clean up.

This message has been edited since posting. Last time this message was edited on 2. April 2007 @ 09:49

trishajoy
Junior Member
2. April 2007 @ 15:19
OK, I tried to run the WinPFind3 again. It didn't work... so I ran the Kaspersky like you requested. Once I ran that I noticed that I couldn't get on the internet. I booted and had to shut that DCOM error off, and the AVG popped up saying that I had a virus in Windows/system32/rsvp32_2.dll, which it cleaned... still no internet access.
Well, later I decided I'd scan with Adaware... it removed a bunch of stuff and voilà... internet access! So here I am typing to you now.
Do you still want the log from Kaspersky? I am not sure if it's relevant now.
trishajoy
Junior Member
2. April 2007 @ 15:29
I also did another ATF-cleaner... forgot to mention that.
I am concerned with all I have downloaded and such because my master drive isn't that big (long story), and I am wondering how you'd suggest I free up more space?
KotaGuy
Member
2. April 2007 @ 16:08
Yes... I'd like to see the log from the Kaspersky scan please.

As for space on your hard drive... ATF Cleaner will have cleaned up any junk/temp files that aren't needed. And when we are done you can delete the few tools I have had you download.

We may be able to recover some more space by adjusting how much room System Restore takes up and turning off the Hibernation feature too... but we will cover those once I know your machine is clean.
trishajoy
Junior Member
2. April 2007 @ 16:15
OK, every time I boot up I get that DCOM thing and have to shut it off. Is that what's stopping me from getting online? I ran the Adaware again... every time it catches something and has to quarantine and delete. Is this normal?
Anyway, Here is the log you wanted:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, April 02, 2007 1:09:30 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 2/04/2007
Kaspersky Anti-Virus database records: 290151
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 18555
Number of viruses found: 1
Number of infected objects: 1 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:05:37

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Trisha\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Trisha\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Trisha\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Trisha\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Trisha\Local Settings\History\History.IE5\MSHist012007040220070403\index.dat Object is locked skipped
C:\Documents and Settings\Trisha\Local Settings\Temp\IH391.tmp Infected: Trojan-Clicker.Win32.Agent.jh skipped
C:\Documents and Settings\Trisha\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Trisha\ntuser.dat Object is locked skipped
C:\Documents and Settings\Trisha\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Trisha\UserData\index.dat Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\I33KS19L\task[33].htm Object is locked skipped
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\I33KS19L\task[34].htm Object is locked skipped
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\I33KS19L\task[35].htm Object is locked skipped
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\I33KS19L\task[36].htm Object is locked skipped
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\I33KS19L\task[37].htm Object is locked skipped
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\I33KS19L\task[38].htm Object is locked skipped
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\I33KS19L\task[39].htm Object is locked skipped
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\I33KS19L\task[40].htm Object is locked skipped
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\I33KS19L\task[41].htm Object is locked skipped
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\I33KS19L\task[42].htm Object is locked skipped
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\I33KS19L\task[43].htm Object is locked skipped
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\I33KS19L\task[44].htm Object is locked skipped
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\I33KS19L\task[45].htm Object is locked skipped
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\I33KS19L\task[46].htm Object is locked skipped
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\SYSTEM32\setldr.dll Object is locked skipped
G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
trishajoy
Junior Member
2. April 2007 @ 16:19
Oh yeah, just a few minutes ago I rebooted and got the Dcom thing and shut it off, scanned with Adaware and quarantined and deleted, but still couldn't get online until I restarted the DCOM... is this normal?
KotaGuy
Member
2. April 2007 @ 18:03
No.. you shouldn't need DCOM enabled to be online. This is strange.

It almost sounds like you have the blaster worm.

Try this please...

Download FixBlast to your Desktop. Run the tool. Reboot. Run the tool again. Reboot.

Let me know if that helps.
trishajoy
Junior Member
2. April 2007 @ 19:07
Well, I did as you said and it didn't find anything, yet... my comp. is starting up normal now and seems like it's working fine.
KotaGuy
Member
2. April 2007 @ 19:16
OK... we're getting somewhere then :)

Couple things in the Kaspersky log we still need to take care of.

Search for and delete this File:

C:\Documents and Settings\Trisha\Local Settings\Temp\IH391.tmp

Can I also get you to upload this one...

C:\WINDOWS\SYSTEM32\setldr.dll

To VirusTotal and report back to me what the results of the scan are.
trishajoy
Junior Member
2. April 2007 @ 19:25
I don't know how to upload the C:\WINDOWS\SYSTEM32\setldr.dll as you suggested, but did get rid of the file you said to.
trishajoy
Junior Member
2. April 2007 @ 19:29
I clicked on that link and put it in the browse and clicked the go and it took me to a page that said this: 0 bytes size received / Se ha recibido un archivo vacio
KotaGuy
Member
2. April 2007 @ 20:09
OK... think AVG must've blocked it.

I can't find any info on that file... which usually isn't a good sign so I think its safe to delete it.

So please delete this file:

C:\WINDOWS\SYSTEM32\setldr.dll

Empty your Recycle Bin. Then Reboot.

Once back in Windows... delete the WinPFind folder. I've been talking to the author of the tool and he thinks he fixed the issue with it hanging.

So after you have deleted the old folder please download the new version of WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

1. Close ALL OTHER PROGRAMS.
2. Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
3. Now click the Run Scan button on the toolbar.
4. The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
5. When the scan is complete Notepad will open with the report file loaded in it.
6. Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.

If it works for you please post the log. If it doesn't work and stops responding again... can you let me know at what point it does this so I can pass it on to the author of the tool.

Thanks :)
trishajoy
Junior Member
3. April 2007 @ 06:21
This is what I get when I go to delete that dll: Cannot delete setldr: it is being used by another person or program. Close any programs that might be using the file and try again.
KotaGuy
Member
3. April 2007 @ 08:09
Try booting into Safe Mode and deleting that file.

Empty your Recycle Bin.

Reboot Windows normally and let me know how it goes.

See if you can get the new version of WinPFind to run too please. If so post the log it creates. If not... let me know.

Thanks.
trishajoy
Junior Member
3. April 2007 @ 08:52
Still, in safe mode... it gives me the same message and will not let me delete it.
KotaGuy
Member
3. April 2007 @ 09:00
Hmmm... ok.

Can you try to run the new version of WinPFind please.
trishajoy
Junior Member
3. April 2007 @ 09:09
WinPFind3 logfile created on: 4/3/2007 10:57:05 AM
WinPFind3U by OldTimer - Version 1.0.33 Folder = C:\Documents and Settings\Trisha\Desktop\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)

255.55 Mb Total Physical Memory | 72.84 Mb Available Physical Memory | 28.50% Memory free
617.25 Mb Paging File | 458.33 Mb Available in Paging File | 74.25% Paging File free
Paging file location(s): C:\pagefile.sys 384 768;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 2.39 Gb Total Space | 0.30 Gb Free Space | 12.48% Space Free
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 31.47 Gb Total Space | 31.14 Gb Free Space | 98.94% Space Free

Computer Name: HOME
Current User Name: Trisha
Logged in as Administrator.
Current Boot Mode: Normal


[Processes - Non-Microsoft Only]
avgamsvr.exe -> %ProgramFiles%\Grisoft\AVG7\avgamsvr.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.445 | Size = 353792 bytes | Modified Date = 4/1/2007 10:06:54 PM | Attr = ]
avgemc.exe -> %ProgramFiles%\Grisoft\AVG7\avgemc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.442 | Size = 324096 bytes | Modified Date = 4/1/2007 10:06:56 PM | Attr = ]
avgupsvc.exe -> %ProgramFiles%\Grisoft\AVG7\avgupsvc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.420 | Size = 49664 bytes | Modified Date = 4/1/2007 10:07:00 PM | Attr = ]
realsched.exe -> %CommonProgramFiles%\Real\Update_OB\realsched.exe -> RealNetworks, Inc. [Ver = 0.1.0.3760 | Size = 185896 bytes | Modified Date = 2/25/2007 1:50:02 PM | Attr = ]
winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.33.0 | Size = 318464 bytes | Modified Date = 4/2/2007 10:01:54 PM | Attr = ]

[Win32 Services - Non-Microsoft Only]
(AVG Anti-Spyware Guard) AVG Anti-Spyware Guard [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 47 | Size = 204800 bytes | Modified Date = 9/28/2006 7:13:20 AM | Attr = ]
(Avg7Alrt) AVG7 Alert Manager Server [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG7\avgamsvr.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.445 | Size = 353792 bytes | Modified Date = 4/1/2007 10:06:54 PM | Attr = ]
(Avg7UpdSvc) AVG7 Update Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG7\avgupsvc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.420 | Size = 49664 bytes | Modified Date = 4/1/2007 10:07:00 PM | Attr = ]
(AVGEMS) AVG E-mail Scanner [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG7\avgemc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.442 | Size = 324096 bytes | Modified Date = 4/1/2007 10:06:56 PM | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 8/3/2004 5:56:50 PM | Attr = ]
(gusvc) Google Updater Service [Win32_Own | Disabled | Stopped] -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> Google [Ver = 2.0.734.29932.beta | Size = 138168 bytes | Modified Date = 3/3/2007 12:35:10 PM | Attr = ]
(mmupdate) Macromedia Updater [Win32_Own | Disabled | Stopped] -> %SystemRoot%\TEMP\E64.tmp -> File not found
(Pctspk) PCTEL Speaker Phone [Win32_Own | Disabled | Stopped] -> %System32%\pctspk.exe -> PCtel, Inc. [Ver = 4.00 | Size = 86016 bytes | Modified Date = 8/17/2001 3:36:54 PM | Attr = ]
(STI Simulator) STI Simulator [Win32_Own | Disabled | Stopped] -> %System32%\PAStiSvc.exe -> [Ver = | Size = 53248 bytes | Modified Date = 1/14/2005 9:32:38 AM | Attr = ]

[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
{0228e555-4f9c-4e35-a3ec-b109a192b4c2} -> %ProgramFiles%\Google\Gmail Notifier\gnotify.exe -> Google Inc. [Ver = 1.0.25.0 | Size = 479232 bytes | Modified Date = 7/15/2005 2:48:34 PM | Attr = ]
AVG7_CC -> %ProgramFiles%\Grisoft\AVG7\avgcc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.438 | Size = 411648 bytes | Modified Date = 4/1/2007 10:06:54 PM | Attr = ]
D_V_T -> -> File not found
Google -> %SystemRoot%\TEMP\BBD0.tmp -> File not found
TkBellExe -> %CommonProgramFiles%\Real\Update_OB\realsched.exe -> RealNetworks, Inc. [Ver = 0.1.0.3760 | Size = 185896 bytes | Modified Date = 2/25/2007 1:50:02 PM | Attr = ]
winctl -> winctl.exe -> File not found
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Brave-Sentry -> %ProgramFiles%\BraveSentry\BraveSentry.exe -> File not found
FormAutoFill -> %ProgramFiles%\FormAutoFill\faf.exe -> File not found
MSMSGS -> %ProgramFiles%\Messenger\msmsgs.exe -> File not found
< Common Startup > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup
%AllUsersStartup%\PalStart.lnk -> %ProgramFiles%\Paltalk Messenger\palstart.exe -> [Ver = | Size = 45568 bytes | Modified Date = 3/23/2007 8:34:14 PM | Attr = ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< HOSTS File > (798 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts
127.0.0.1 localhost -> ->
127.0.0.1 advertising.paltalk.com -> ->
127.0.0.1 c5.zedo.com -> ->
< Internet Explorer Settings > ->
HKLM: Default_Page_URL -> http://www.yahoo.com/ ->
HKLM: Main\\Default_Search_URL -> http://us.rd.yahoo.com/customize/ie/defa...//www.yahoo.com ->
HKLM: Local Page -> %SystemRoot%\system32\blank.htm ->
HKLM: Search Bar -> http://us.rd.yahoo.com/customize/ie/defa...rch/search.html ->
HKLM: Search Page -> http://us.rd.yahoo.com/customize/ie/defa...//www.yahoo.com ->
HKLM: Start Page -> http://www.yahoo.com/ ->
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKLM: Search\\Default_Search_URL -> http://www.google.com/ie ->
HKLM: SearchAssistant -> http://www.google.com/ie ->
HKCU: Local Page -> C:\WINDOWS\system32\blank.htm ->
HKCU: Search Bar -> http://us.rd.yahoo.com/customize/ie/defa...rch/search.html ->
HKCU: Search Page -> http://us.rd.yahoo.com/customize/ie/defa...//www.yahoo.com ->
HKCU: Start Page -> http://www.google.com ->
HKCU: SearchAssistant -> http://www.google.com/ie ->
HKCU: URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> Reg Data - Key not found [Yahoo! Toolbar] -> File not found
HKCU: ProxyEnable -> 0 ->
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
msn.com [ - ] -> ->
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> f:\program files\Reader\ActiveX\AcroIEHelper.ocx [AcroIEHlprObj Class] -> [Ver = 1, 0, 0, 1 | Size = 37808 bytes | Modified Date = 4/16/2001 4:39:02 PM | Attr = ]
{AA58ED58-01DD-4d91-8333-CF10577473F7} [HKLM] -> %ProgramFiles%\Google\googletoolbar2.dll [Google Toolbar Helper] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 1/19/2007 11:55:32 PM | Attr = R ]
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
{2318C2B1-4965-11d4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar2.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 1/19/2007 11:55:32 PM | Attr = R ]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar2.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 1/19/2007 11:55:32 PM | Attr = R ]
WebBrowser\\{724D43A0-0D85-11D4-9908-00400523E39A} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> Reg Data - Key not found [Yahoo! Toolbar] -> File not found
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.5.0_03\bin\npjpi150_03.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 5.0.30.7 | Size = 69746 bytes | Modified Date = 4/13/2005 4:06:32 AM | Attr = ]
{4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} -> %ProgramFiles%\Paltalk Messenger\paltalk.exe [ButtonText: PalTalk] -> AVM Software Inc. [Ver = 9.88.2129.0 | Size = 10874880 bytes | Modified Date = 3/23/2007 8:41:32 PM | Attr = ]
{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} -> %ProgramFiles%\Yahoo!\Messenger\YahooMessenger.exe [ButtonText: Yahoo! Messenger] -> Yahoo! Inc. [Ver = 8,1,0,209 | Size = 4662776 bytes | Modified Date = 11/30/2006 9:49:04 PM | Attr = ]
{FB5F1910-F110-11d2-BB9E-00C04F795683} -> %ProgramFiles%\Messenger\msmsgs.exe [ButtonText: Messenger] -> File not found
< Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\
Yahoo! &SMS -> %ProgramFiles%\Yahoo!\Common\ycsms.htm -> File not found
< Internet Explorer Plugins [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\Extension\
.spop -> %ProgramFiles%\Internet Explorer\PLUGINS\NPDocBox.dll [Reg Data - Value does not exist] -> Intertrust Technologies, Inc. [Ver = 1.0.0.32 | Size = 270336 bytes | Modified Date = 8/1/2001 5:05:42 PM | Attr = ]
< User Agent Post Platform [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
SV1 -> ->
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\
{0397AAD7-2CE6-44D1-8C6F-1491DBCEE7B4} -> (Linksys LNE100TX(v5) Fast Ethernet Adapter) ->
{3F563A29-65E7-4EF5-9038-B645C7A17045} -> () ->
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\
ipp -> Reg Data - Key not found -> File not found
ipp\0x00000001 -> %SystemDrive%\PROGRA~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL -> File not found
msdaipp -> Reg Data - Key not found -> File not found
msdaipp\0x00000001 -> %SystemDrive%\PROGRA~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL -> File not found
msdaipp\oledb -> %SystemDrive%\PROGRA~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL -> File not found
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
{01010200-5E80-11D8-9E86-0007E96C65AE} -> SupportSoft Installer - CodeBase = http://echat.qwest.supportsoft.com/sdcco...ad/tgctlins.cab ->
{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} -> CKAVWebScan Object - CodeBase = http://www.kaspersky.com/kos/eng/partner...can_unicode.cab ->
{166B1BCA-3F9C-11CF-8075-444553540000} -> Shockwave ActiveX Control - CodeBase = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab ->
{17D72920-7A15-11D4-921E-0080C8DA7A5E} -> AimSp32 Class - CodeBase = http://makeover.ivillage.co.uk/save/makeover.cab ->
{30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -> YInstStarter Class - CodeBase = C:\Program Files\Yahoo!\Common\yinsthelper.dll ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} -> Java Plug-in 1.5.0_03 - CodeBase = http://java.sun.com/update/1.5.0/jinstal...indows-i586.cab ->
{A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} -> InetDownload Class - CodeBase = https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab ->
{B9940246-4344-4D1B-BD82-DBAF7E657FF9} -> AudioClient Control - CodeBase = http://mtstandard.serveftp.net:19141/SysCamInst.cab ->
{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_03 - CodeBase = http://java.sun.com/update/1.5.0/jinstal...indows-i586.cab ->


[Files/Folders - Created Within 30 days]
$VAULT$.AVG -> %SystemDrive%\$VAULT$.AVG -> [Folder | Created Date = 4/2/2007 1:16:57 PM | Attr = RH ]
avg7qt.dat -> %SystemDrive%\avg7qt.dat -> [Ver = | Size = 12220047 bytes | Created Date = 4/3/2007 8:09:35 AM | Attr = ]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 268029952 bytes | Created Date = 1/1/1601 7:00:00 AM | Attr = HS]
cache -> %SystemRoot%\cache -> [Folder | Created Date = 3/23/2007 9:34:10 AM | Attr = ]
gmer.dll -> %SystemRoot%\gmer.dll -> [Ver = 1, 0, 12, 12086 | Size = 565311 bytes | Created Date = 4/1/2007 2:09:39 PM | Attr = ]
gmer.exe -> %SystemRoot%\gmer.exe -> [Ver = 1, 0, 12, 12086 | Size = 573440 bytes | Created Date = 4/1/2007 2:09:39 PM | Attr = R ]
@Alternate Data Stream - 0 bytes -> %SystemRoot%\gmer.exe:Zone.Identifier ->
gmer.ini -> %SystemRoot%\gmer.ini -> [Ver = | Size = 250 bytes | Created Date = 4/1/2007 2:09:41 PM | Attr = ]
gmer_uninstall.cmd -> %SystemRoot%\gmer_uninstall.cmd -> [Ver = | Size = 80 bytes | Created Date = 4/1/2007 2:09:39 PM | Attr = ]
Minidump -> %SystemRoot%\Minidump -> [Folder | Created Date = 4/1/2007 2:11:18 PM | Attr = ]
Paltalk Messenger -> %SystemRoot%\Paltalk Messenger -> [Folder | Created Date = 3/26/2007 12:16:13 PM | Attr = ]
YAHELITE.INI -> %SystemRoot%\YAHELITE.INI -> [Ver = | Size = 2376 bytes | Created Date = 3/25/2007 4:39:30 PM | Attr = ]
ipv6mons.dll -> %System32%\ipv6mons.dll -> [Ver = | Size = 46176 bytes | Created Date = 3/30/2007 7:40:47 AM | Attr = ]
Kaspersky Lab -> %System32%\Kaspersky Lab -> [Folder | Created Date = 4/1/2007 11:00:19 AM | Attr = ]
winctl.dll -> %System32%\winctl.dll -> [Ver = | Size = 9728 bytes | Created Date = 3/30/2007 1:12:22 PM | Attr = ]
avg7core.sys -> %System32%\drivers\avg7core.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.444 | Size = 775680 bytes | Created Date = 4/1/2007 10:07:24 PM | Attr = ]
avg7rsw.sys -> %System32%\drivers\avg7rsw.sys -> GRISOFT, s.r.o. [Ver = 7,0,0,340 | Size = 4224 bytes | Created Date = 4/1/2007 10:07:42 PM | Attr = ]
avg7rsxp.sys -> %System32%\drivers\avg7rsxp.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.442 | Size = 27776 bytes | Created Date = 4/1/2007 10:07:43 PM | Attr = ]
AvgAsCln.sys -> %System32%\drivers\AvgAsCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 3968 bytes | Created Date = 4/1/2007 1:59:21 PM | Attr = ]
avgclean.sys -> %System32%\drivers\avgclean.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 3968 bytes | Created Date = 4/1/2007 10:07:48 PM | Attr = ]
avgmfx86.sys -> %System32%\drivers\avgmfx86.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.442 | Size = 19392 bytes | Created Date = 4/1/2007 10:07:46 PM | Attr = ]
avgtdi.sys -> %System32%\drivers\avgtdi.sys -> GRISOFT, s.r.o. [Ver = 7,0,0,346 | Size = 4960 bytes | Created Date = 4/1/2007 10:07:46 PM | Attr = ]
gmer.sys -> %System32%\drivers\gmer.sys -> GMER [Ver = 1, 0, 12, 3816 | Size = 68993 bytes | Created Date = 4/1/2007 2:09:39 PM | Attr = ]

[Files/Folders - Modified Within 30 days]
$VAULT$.AVG -> %SystemDrive%\$VAULT$.AVG -> [Folder | Modified Date = 4/2/2007 1:16:58 PM | Attr = RH ]
avg7qt.dat -> %SystemDrive%\avg7qt.dat -> [Ver = | Size = 12220047 bytes | Modified Date = 4/3/2007 8:09:36 AM | Attr = ]
boot.ini -> %SystemDrive%\boot.ini -> [Ver = | Size = 211 bytes | Modified Date = 4/2/2007 5:39:36 PM | Attr = HS]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 268029952 bytes | Modified Date = 4/3/2007 10:47:30 AM | Attr = HS]
Program Files -> %ProgramFiles% -> [Folder | Modified Date = 4/1/2007 9:42:10 PM | Attr = R ]
System Volume Information -> %SystemDrive%\System Volume Information -> [Folder | Modified Date = 4/2/2007 4:58:34 PM | Attr = HS]
WINDOWS -> %SystemRoot% -> [Folder | Modified Date = 4/1/2007 10:06:38 PM | Attr = ]
bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 4/3/2007 10:47:48 AM | Attr = S]
cache -> %SystemRoot%\cache -> [Folder | Modified Date = 3/23/2007 9:34:12 AM | Attr = ]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files -> [Folder | Modified Date = 4/1/2007 11:00:26 AM | Attr = S]
gmer.dll -> %SystemRoot%\gmer.dll -> [Ver = 1, 0, 12, 12086 | Size = 565311 bytes | Modified Date = 4/1/2007 2:09:40 PM | Attr = ]
gmer.exe -> %SystemRoot%\gmer.exe -> [Ver = 1, 0, 12, 12086 | Size = 573440 bytes | Modified Date = 3/7/2007 3:52:36 PM | Attr = R ]
@Alternate Data Stream - 0 bytes -> %SystemRoot%\gmer.exe:Zone.Identifier ->
gmer.ini -> %SystemRoot%\gmer.ini -> [Ver = | Size = 250 bytes | Modified Date = 4/1/2007 7:23:58 PM | Attr = ]
gmer_uninstall.cmd -> %SystemRoot%\gmer_uninstall.cmd -> [Ver = | Size = 80 bytes | Modified Date = 4/1/2007 2:09:40 PM | Attr = ]
If42le.ini -> %SystemRoot%\If42le.ini -> [Ver = | Size = 4519 bytes | Modified Date = 4/1/2007 1:12:44 PM | Attr = ]
imsins.BAK -> %SystemRoot%\imsins.BAK -> [Ver = | Size = 1891 bytes | Modified Date = 3/6/2007 5:02:42 PM | Attr = ]
INF -> %SystemRoot%\INF -> [Folder | Modified Date = 4/1/2007 11:00:20 AM | Attr = H ]
Installer -> %SystemRoot%\Installer -> [Folder | Modified Date = 3/30/2007 10:28:14 AM | Attr = HS]
Minidump -> %SystemRoot%\Minidump -> [Folder | Modified Date = 4/1/2007 7:25:48 PM | Attr = ]
Paltalk Messenger -> %SystemRoot%\Paltalk Messenger -> [Folder | Modified Date = 3/26/2007 12:16:14 PM | Attr = ]
ppa_if.bmp -> %SystemRoot%\ppa_if.bmp -> [Ver = | Size = 840862 bytes | Modified Date = 3/29/2007 8:01:22 PM | Attr = ]
Prefetch -> %SystemRoot%\Prefetch -> [Folder | Modified Date = 4/2/2007 6:10:58 PM | Attr = ]
pss -> %SystemRoot%\pss -> [Folder | Modified Date = 4/2/2007 5:31:54 PM | Attr = ]
Registration -> %SystemRoot%\Registration -> [Folder | Modified Date = 4/2/2007 2:47:34 PM | Attr = ]
SYSTEM -> %SystemRoot%\SYSTEM -> [Folder | Modified Date = 4/1/2007 10:06:38 PM | Attr = ]
system.ini -> %SystemRoot%\system.ini -> [Ver = | Size = 227 bytes | Modified Date = 4/2/2007 5:39:36 PM | Attr = ]
SYSTEM32 -> %System32% -> [Folder | Modified Date = 4/2/2007 1:16:58 PM | Attr = ]
@Alternate Data Stream - 74620 bytes -> %System32%:lzx32.sys ->
TEMP -> %SystemRoot%\TEMP -> [Folder | Modified Date = 4/3/2007 10:57:14 AM | Attr = ]
win.ini -> %SystemRoot%\win.ini -> [Ver = | Size = 612 bytes | Modified Date = 4/2/2007 5:39:36 PM | Attr = ]
YAHELITE.INI -> %SystemRoot%\YAHELITE.INI -> [Ver = | Size = 2376 bytes | Modified Date = 3/25/2007 5:03:50 PM | Attr = ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 3/31/2007 9:49:34 AM | Attr = H ]
CatRoot2 -> %System32%\CatRoot2 -> [Folder | Modified Date = 4/1/2007 11:00:12 AM | Attr = ]
DRIVERS -> %System32%\DRIVERS -> [Folder | Modified Date = 4/1/2007 10:07:50 PM | Attr = ]
imon1.dat -> %System32%\imon1.dat -> [Ver = | Size = 275 bytes | Modified Date = 3/29/2007 7:49:32 PM | Attr = ]
ipv6mons.dll -> %System32%\ipv6mons.dll -> [Ver = | Size = 46176 bytes | Modified Date = 3/30/2007 7:40:48 AM | Attr = ]
Kaspersky Lab -> %System32%\Kaspersky Lab -> [Folder | Modified Date = 4/1/2007 11:00:20 AM | Attr = ]
Restore -> %System32%\Restore -> [Folder | Modified Date = 4/2/2007 4:58:34 PM | Attr = ]
winctl.dll -> %System32%\winctl.dll -> [Ver = | Size = 9728 bytes | Modified Date = 3/31/2007 4:31:52 PM | Attr = ]
wpa.dbl -> %System32%\wpa.dbl -> [Ver = | Size = 2278 bytes | Modified Date = 3/31/2007 9:39:12 AM | Attr = ]
avg7core.sys -> %System32%\drivers\avg7core.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.444 | Size = 775680 bytes | Modified Date = 4/1/2007 10:07:26 PM | Attr = ]
avg7rsw.sys -> %System32%\drivers\avg7rsw.sys -> GRISOFT, s.r.o. [Ver = 7,0,0,340 | Size = 4224 bytes | Modified Date = 4/1/2007 10:07:44 PM | Attr = ]
avg7rsxp.sys -> %System32%\drivers\avg7rsxp.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.442 | Size = 27776 bytes | Modified Date = 4/1/2007 10:07:44 PM | Attr = ]
avgclean.sys -> %System32%\drivers\avgclean.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 3968 bytes | Modified Date = 4/1/2007 10:07:50 PM | Attr = ]
avgmfx86.sys -> %System32%\drivers\avgmfx86.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.442 | Size = 19392 bytes | Modified Date = 4/1/2007 10:07:48 PM | Attr = ]
avgtdi.sys -> %System32%\drivers\avgtdi.sys -> GRISOFT, s.r.o. [Ver = 7,0,0,346 | Size = 4960 bytes | Modified Date = 4/1/2007 10:07:48 PM | Attr = ]
etc -> %System32%\drivers\etc -> [Folder | Modified Date = 3/30/2007 4:01:50 PM | Attr = ]
gmer.sys -> %System32%\drivers\gmer.sys -> GMER [Ver = 1, 0, 12, 3816 | Size = 68993 bytes | Modified Date = 4/1/2007 2:09:40 PM | Attr = ]

[File String Scan - Non-Microsoft Only]
@Alternate Data Stream - 0 bytes -> %SystemRoot%\gmer.exe:Zone.Identifier ->
@Alternate Data Stream - 74620 bytes -> %System32%:lzx32.sys ->
PEC2 , -> %System32%\dfrg.msc -> [Ver = | Size = 41397 bytes | Modified Date = 8/16/2004 5:48:32 PM | Attr = ]
Thawte Consulting , -> %System32%\rmoc3260.dll -> RealNetworks, Inc. [Ver = 6.0.9.2568 | Size = 185952 bytes | Modified Date = 2/25/2007 1:50:36 PM | Attr = ]
winsync , -> %System32%\wbdbase.deu -> [Ver = | Size = 1309184 bytes | Modified Date = 8/16/2004 5:49:40 PM | Attr = ]
UPX! , UPX0 , -> %System32%\winctl.dll -> [Ver = | Size = 9728 bytes | Modified Date = 3/31/2007 4:31:52 PM | Attr = ]
UPX! , FSG! , PEC2 , aspack , -> %System32%\drivers\avg7core.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.444 | Size = 775680 bytes | Modified Date = 4/1/2007 10:07:26 PM | Attr = ]

< End of report >
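The report above is where the rootkit first shows itself: a 74620-byte alternate data stream named lzx32.sys attached to the System32 folder itself (not to a file), a UPX-packed winctl.dll with no version or publisher string, and freshly created DLLs in System32 with the same blank fields. As an added example (not part of the thread and not WinPFind3U's own code), the Python below runs those three checks over constructed lines copied in the report's format. The line format, the packer-string list and the rules are my reading of the log, not the tool's documented behaviour.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the WinPFind3U report above: a harmless
# Zone.Identifier stream on a download, the driver hidden in a stream attached to
# the System32 folder, two unversioned DLLs, and two packer-string hits.
SAMPLE_REPORT = r"""
[Files/Folders - Created Within 30 days]
@Alternate Data Stream - 0 bytes -> %SystemRoot%\gmer.exe:Zone.Identifier ->
ipv6mons.dll -> %System32%\ipv6mons.dll -> [Ver = | Size = 46176 bytes | Created Date = 3/30/2007 7:40:47 AM | Attr = ]
winctl.dll -> %System32%\winctl.dll -> [Ver = | Size = 9728 bytes | Created Date = 3/30/2007 1:12:22 PM | Attr = ]
avg7core.sys -> %System32%\drivers\avg7core.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.444 | Size = 775680 bytes | Created Date = 4/1/2007 10:07:24 PM | Attr = ]

[Files/Folders - Modified Within 30 days]
SYSTEM32 -> %System32% -> [Folder | Modified Date = 4/2/2007 1:16:58 PM | Attr = ]
@Alternate Data Stream - 74620 bytes -> %System32%:lzx32.sys ->
winctl.dll -> %System32%\winctl.dll -> [Ver = | Size = 9728 bytes | Modified Date = 3/31/2007 4:31:52 PM | Attr = ]

[File String Scan - Non-Microsoft Only]
UPX! , UPX0 , -> %System32%\winctl.dll -> [Ver = | Size = 9728 bytes | Modified Date = 3/31/2007 4:31:52 PM | Attr = ]
UPX! , FSG! , PEC2 , aspack , -> %System32%\drivers\avg7core.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.444 | Size = 775680 bytes | Modified Date = 4/1/2007 10:07:26 PM | Attr = ]
"""

PE_EXTENSIONS = (".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl")
PACKER_STRINGS = {"UPX!", "UPX0", "FSG!", "aspack", "PEC2"}   # my list, from the scan above
ARROW = re.compile(r"\s*->\s*")
ADS_RE = re.compile(r"^@Alternate Data Stream - (\d+) bytes$")
DETAIL_RE = re.compile(r"^(?P<company>.*?)\[(?P<body>.*)\]\s*$")
FIELD_RE = re.compile(r"^\s*(.+?)\s*=\s*(.*?)\s*$")


@dataclass(frozen=True)
class Finding:
    reason: str
    path: str


def parse_details(text):
    """Split 'COMPANY [Ver = x | Size = y bytes | ...]' into (company, {field: value})."""
    m = DETAIL_RE.match(text)
    if not m:
        return "", {}
    fields = {}
    for item in m.group("body").split("|"):
        f = FIELD_RE.match(item)
        if f:
            fields[f.group(1)] = f.group(2)
        else:
            fields[item.strip()] = ""  # bare flag such as 'Folder'
    return m.group("company").strip(), fields


def is_folder_like(path):
    """No dot in the last component: the stream host is a directory, not a file."""
    return "." not in path.rsplit("\\", 1)[-1]


def in_system32(path):
    up = path.upper()
    return up.startswith("%SYSTEM32%") or "\\SYSTEM32\\" in up


def triage(report):
    """Return the distinct findings for the three patterns, sorted by path."""
    findings = {}
    for raw in report.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):
            continue
        parts = ARROW.split(line)
        if len(parts) < 2:
            continue
        label, path = parts[0], parts[1]
        details = parts[2] if len(parts) > 2 else ""

        ads = ADS_RE.match(label)
        if ads:
            host, _, stream = path.rpartition(":")
            if is_folder_like(host) or stream.lower().endswith(PE_EXTENSIONS):
                findings[path, "ads"] = Finding("executable hidden in an alternate data stream", path)
            elif int(ads.group(1)) > 0 and stream != "Zone.Identifier":
                findings[path, "ads"] = Finding("non-empty alternate data stream", path)
            continue

        company, fields = parse_details(details)
        if "Folder" in fields:
            continue  # directories carry no version or publisher information

        # Packed binary that names no publisher; a packed vendor driver (AVG) is expected.
        packers = {t.strip() for t in label.split(",")} & PACKER_STRINGS
        if packers and not company:
            findings[path, "packed"] = Finding(
                "packed binary with no publisher string (%s)" % ", ".join(sorted(packers)), path)
            continue

        # Recently created or modified PE file in System32 with neither version nor publisher.
        if in_system32(path) and path.lower().endswith(PE_EXTENSIONS) and not company and not fields.get("Ver"):
            findings[path, "unversioned"] = Finding("unversioned binary in System32 with no publisher", path)

    return sorted(findings.values(), key=lambda f: (f.path, f.reason))


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print("%-40s %s" % (f.path, f.reason))
```

The Zone.Identifier stream on gmer.exe is the ordinary mark a browser download carries and is not reported; a stream holding a .sys on a directory is. On a current Windows host the same look is `Get-Item C:\Windows\System32 -Stream *` in PowerShell, which lists the streams on a directory as well as on a file.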

KotaGuy (Member), 3. April 2007 @ 10:51
Excellent... will need a bit of time to go through this.

Might not be able to get back to you till I get home from work though.

Just a quick scan of the log showed me a few things, one being the presence of a RootKit.

Also noted some things we can do to free up some space on your C:\ Drive. As I said before though... we will take care of that once we've got your PC cleaned up.

trishajoy (Junior Member), 3. April 2007 @ 11:11
Ok, no problem. Thanks for helping me so much. It's much appreciated!

KotaGuy (Member), 3. April 2007 @ 16:23
OK... let's get rid of the RootKit first.

Download RustBFix from one of the following locations...

http://www.uploads.ejvindh.net/rustbfix.exe

http://uploads.ejvindh.andymanchesta.com/Rustbfix.exe

...and save it to your desktop.

Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Post the content of these logfiles along with a new HijackThis log.

trishajoy (Junior Member), 3. April 2007 @ 16:35
************************* Rustock.b-fix -- By ejvindh *************************
Tue 04/03/2007 18:25:54.30

******************* Pre-run Status of system *******************

Rootkit driver PE386 is found. Starting the unload-procedure....

Rustock.b-ADS attached to the System32-folder:
:lzx32.sys 74620
Total size: 74620 bytes.
Attempting to remove ADS...
system32: deleted 74620 bytes in 1 streams.

Looking for Rustock.b-files in the System32-folder:
system32\lzx32.sys FOUND!
attempting to delete lzx32.sys from system32-folder


******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No System32-ADS found.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************************* End of Logfile ********************************

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\dvtubxyw

*******************

Script file located at: \??\C:\Program Files\bxvidevt.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver PE386 unloaded successfully.
Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.

Now I will do the Hijack report... in next reply.

trishajoy (Junior Member), 3. April 2007 @ 16:38
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 6:37:15 PM, on 4/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Trisha\Local Settings\Temporary Internet Files\Content.IE5\NX1G3RHH\HiJackThis_v2.0.0.0[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defa...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defa...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defa...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defa...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defa...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defa...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - f:\program files\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [winctl] winctl.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Google] C:\WINDOWS\TEMP\BBD0.tmp
O4 - HKLM\..\Run: [D_V_T] C:\\dvt.exe /S \C:\\d_v_t.reg\
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [FormAutoFill] C:\Program Files\FormAutoFill\faf.exe
O4 - HKCU\..\Run: [Brave-Sentry] C:\Program Files\BraveSentry\BraveSentry.exe
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-21-2052111302-1935655697-1343024091-1004\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-2052111302-1935655697-1343024091-1004\..\Run: [Brave-Sentry] C:\Program Files\BraveSentry\BraveSentry.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: PalStart.lnk = C:\Program Files\Paltalk Messenger\palstart.exe
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Installer) - http://echat.qwest.supportsoft.com/sdcco...ad/tgctlins.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner...can_unicode.cab
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.ivillage.co.uk/save/makeover.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
O16 - DPF: {B9940246-4344-4D1B-BD82-DBAF7E657FF9} (AudioClient Control) - http://mtstandard.serveftp.net:19141/SysCamInst.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

--
End of file - 6330 bytes
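The O4 entries in this log are the autorun values an infection uses to come back after a reboot. As an added example (not from the thread and not HijackThis code), the Python below parses O4 lines copied from the log in constructed form and applies three path-based heuristics of my own: an image with no directory at all (winctl.exe, resolved through the search path), an image in a temporary directory or with a .tmp extension (the "Google" value pointing at C:\WINDOWS\TEMP\BBD0.tmp), and an executable sitting in the drive root or stored with doubled backslashes (D_V_T). The entry format is inferred from the log; the flags are reasons to look closer, not verdicts.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: O4 autorun lines in the shape of the HijackThis log above.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [winctl] winctl.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Google] C:\WINDOWS\TEMP\BBD0.tmp
O4 - HKLM\..\Run: [D_V_T] C:\\dvt.exe /S \C:\\d_v_t.reg\
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Brave-Sentry] C:\Program Files\BraveSentry\BraveSentry.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - Global Startup: PalStart.lnk = C:\Program Files\Paltalk Messenger\palstart.exe
"""

RUN_RE = re.compile(
    r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$")
STARTUP_RE = re.compile(r"^O4 - (?P<key>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")
# Either a quoted image path, or the shortest prefix ending in an executable-style
# extension that is followed by whitespace or end of line.
IMAGE_RE = re.compile(r'^"([^"]+)"|^(.*?\.(?:exe|com|scr|pif|bat|cmd|dll|tmp))(?=\s|$)', re.IGNORECASE)
DRIVE_ROOT_RE = re.compile(r"^[A-Z]:\\[^\\]+$")


@dataclass
class Autorun:
    key: str
    name: str
    image: str
    args: str
    user: str = ""
    flags: list = field(default_factory=list)


def assess(image):
    """Path-based heuristics; each returned string is a reason to look closer."""
    flags = []
    norm = image.replace("\\\\", "\\")   # collapse escaped backslashes as in the D_V_T value
    up = norm.upper()
    if "\\" not in norm:
        flags.append("bare image name, resolved through the search path")
    if "\\TEMP\\" in up or up.endswith(".TMP"):
        flags.append("runs from a temporary directory or a .tmp file")
    if DRIVE_ROOT_RE.match(up):
        flags.append("executable placed directly in the drive root")
    if norm != image:
        flags.append("doubled backslashes in the stored path")
    return flags


def parse_o4(log):
    entries = []
    for raw in log.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line) or STARTUP_RE.match(line)
        if not m:
            continue
        cmd = m.group("cmd").strip()
        im = IMAGE_RE.match(cmd)
        if im:
            image = im.group(1) or im.group(2)
            args = cmd[im.end():].strip()
        else:
            image, args = cmd, ""
        user = m.groupdict().get("user") or ""
        entries.append(Autorun(m.group("key"), m.group("name"), image, args, user, assess(image)))
    return entries


def suspicious(entries):
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in suspicious(parse_o4(SAMPLE_O4)):
        print("%-12s %-30s %s" % (e.name, e.image, "; ".join(e.flags)))
```

Brave-Sentry, which the fix in the next post also removes, has a tidy Program Files path and is not flagged by these rules, so a list of known bad names is still needed alongside path checks.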

KotaGuy (Member), 3. April 2007 @ 16:42
OK... you're doing great :)

Now start WinPFind3U. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

Quote:
[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> winctl -> winctl.exe
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> Brave-Sentry -> %ProgramFiles%\BraveSentry\BraveSentry.exe
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\
YN -> {3F563A29-65E7-4EF5-9038-B645C7A17045} -> ()
[Files/Folders - Created Within 30 days]
NY -> ipv6mons.dll -> %System32%\ipv6mons.dll
NY -> winctl.dll -> %System32%\winctl.dll
[Files/Folders - Modified Within 30 days]
NY -> If42le.ini -> %SystemRoot%\If42le.ini
NY -> imsins.BAK -> %SystemRoot%\imsins.BAK
NY -> ipv6mons.dll -> %System32%\ipv6mons.dll
NY -> winctl.dll -> %System32%\winctl.dll
[File String Scan - Non-Microsoft Only]
NY -> UPX! , UPX0 , -> %System32%\winctl.dll
The fix should only take a very short time and then you will be asked if you want to reboot. Choose Yes.

Once back in Windows post the following back here:

* a new WinPFind3U report
* the latest .log file from the WinPFind3u folder (it will have a name in the format mmddyyyy_hhmmss.log)

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
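The fix script above is a list of deletions in WinPFind3U's own format. As an added example (not from the thread and not the tool's code), the Python below parses a constructed copy of that script into the registry and file deletions it would carry out, dedupes files that appear in several sections, and lists autorun values whose target executable the script does not itself delete. Two assumptions are mine: the two-letter prefix is read as registry-action then file-action (YN removes the registry entry, NY removes the file), and the %System32%, %SystemRoot% and %ProgramFiles% variables expand to the C:\WINDOWS paths the HijackThis log shows.

```python
import re
from dataclasses import dataclass

# Constructed copy of the fix script posted above, used as the sample input.
SAMPLE_FIX = r"""
[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> winctl -> winctl.exe
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> Brave-Sentry -> %ProgramFiles%\BraveSentry\BraveSentry.exe
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\
YN -> {3F563A29-65E7-4EF5-9038-B645C7A17045} -> ()
[Files/Folders - Created Within 30 days]
NY -> ipv6mons.dll -> %System32%\ipv6mons.dll
NY -> winctl.dll -> %System32%\winctl.dll
[Files/Folders - Modified Within 30 days]
NY -> If42le.ini -> %SystemRoot%\If42le.ini
NY -> imsins.BAK -> %SystemRoot%\imsins.BAK
NY -> ipv6mons.dll -> %System32%\ipv6mons.dll
NY -> winctl.dll -> %System32%\winctl.dll
[File String Scan - Non-Microsoft Only]
NY -> UPX! , UPX0 , -> %System32%\winctl.dll
"""

# Assumed expansions; the HijackThis log above shows the Windows directory as C:\WINDOWS.
VARIABLES = {
    "%System32%": r"C:\WINDOWS\system32",
    "%SystemRoot%": r"C:\WINDOWS",
    "%ProgramFiles%": r"C:\Program Files",
}
ARROW = re.compile(r"\s*->\s*")
ACTION_RE = re.compile(r"^([YN])([YN])$")
IMAGE_RE = re.compile(r'^"?(.*?\.exe)"?(?=\s|$)', re.IGNORECASE)


@dataclass(frozen=True)
class Action:
    kind: str    # "registry" (delete the value or subkey) or "file" (delete the file)
    target: str  # full registry path, or the expanded file path
    data: str    # value data or file name as listed, kept for review


def expand(path):
    for var, real in VARIABLES.items():
        path = path.replace(var, real)
    return path


def plan(script):
    """Distinct delete actions the script would perform, in script order.

    Reading of the two-letter prefix (my assumption, taken from the script above):
    first letter = act on the registry entry, second letter = act on the file on disk.
    """
    actions, seen, current_key = [], set(), None
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):
            current_key = None  # section header: any registry key context ends here
            continue
        parts = ARROW.split(line)
        if line.startswith("<") and len(parts) > 1:
            current_key = parts[1]  # '< Run [HKLM] > -> HKEY_...' names the key
            continue
        m = ACTION_RE.match(parts[0])
        if not m or len(parts) < 3:
            continue
        name, data = parts[1], parts[2]
        if m.group(1) == "Y" and current_key:
            act = Action("registry", current_key.rstrip("\\") + "\\" + name, data)
        elif m.group(2) == "Y":
            act = Action("file", expand(data), name)
        else:
            continue
        dedupe = (act.kind, act.target.lower())
        if dedupe not in seen:
            seen.add(dedupe)
            actions.append(act)
    return actions


def unhandled_images(actions):
    """Autorun values the script removes whose executable it does not also delete."""
    deleted = {a.target.lower() for a in actions if a.kind == "file"}
    leftovers = []
    for a in actions:
        m = IMAGE_RE.match(a.data) if a.kind == "registry" else None
        if m and expand(m.group(1)).lower() not in deleted:
            leftovers.append(m.group(1))
    return leftovers


if __name__ == "__main__":
    acts = plan(SAMPLE_FIX)
    for a in acts:
        print("%-8s %s" % (a.kind, a.target))
    print("not deleted:", unhandled_images(acts))
```

On the script above it yields three registry deletions and four file deletions, and reports winctl.exe and BraveSentry.exe as autorun targets whose executables the script leaves alone, which is worth checking against the next report.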
 
  © 1999-2025 by AfterDawn Ltd.
