|
|
|
Fake Adobe update virus. please help
|
|
|
stp77
Newbie
|
22. August 2008 @ 22:42 |
Link to this message
|
Ok first of all i got what i thought was a legit adobe update after the instal i got a background that lokked like anti virus page saying i had win32/Adware.Virtumond and also win32/PrivacyRemover.m64.
So i read a few forums and tryed many thing they are not working.
First i tried to use spyware doctor that didn't work so next i tried smitfraud fix it got stuck on the disk clean up and just stoped i let it run for 17 hours and nothing. next i tried spybot search and destroy it got the most off and was able to change my background back to normal but after a restart it went back to the fake antivirus background. after an update on my trend micro antivirus the fake blue screen screensaver was removed but i can't get this completly removed. Please help. so here is my hijackthis log file.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:40:29 PM, on 8/22/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\devldr32.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Creative\SBPCI5122k\AudioHQ\AHQTB.EXE
C:\WINNT\system32\Promon.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\WINNT\system32\desk95.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINNT\system32\lphc7d9j0e159.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [HydarVisionDesktopManager] desk95.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBPCI5122k\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\SBPCI5122k\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.2\SetHook.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\SBPCI5122k\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lphc7d9j0e159] C:\WINNT\system32\lphc7d9j0e159.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\nbj.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupd...b?1147836645187
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/default/mjolauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Neth - Unknown owner - C:\WINNT\system32\netid.exe (file missing)
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Win Common module - Unknown owner - C:\WINNT\system32\servicemp.exe (file missing)
--
End of file - 9064 bytes
|
|
Advertisement
|
 |
|
|
|
stp77
Newbie
|
22. August 2008 @ 22:47 |
Link to this message
|
|
also im getting this on reboot now
tt5.tmp.vbs script file not found error
|
AfterDawn Addict
|
23. August 2008 @ 03:40 |
Link to this message
|
|
Download and run: MalwareBytes' AntiMalware
Also, download and run SuperAntispyware
That should take care of it.
There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves... |
|
stp77
Newbie
|
25. August 2008 @ 20:09 |
Link to this message
|
Ok so i did that and that didn't work. the fake background has taken over again and the web tab is back where the apperence tab was and that one is gone. Here is the hijack log now.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:04:22 PM, on 8/25/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\stisvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\devldr32.exe
C:\Program Files\Creative\SBPCI5122k\AudioHQ\AHQTB.EXE
C:\WINNT\system32\Promon.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\WINNT\system32\desk95.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmoAgent.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [HydarVisionDesktopManager] desk95.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBPCI5122k\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\SBPCI5122k\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.2\SetHook.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\SBPCI5122k\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lphc7d9j0e159] C:\WINNT\system32\lphc7d9j0e159.exe
O4 - HKLM\..\RunOnce: [TSC] "C:\PROGRA~1\TRENDM~1\INTERN~1\tsc.exe" /HD
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\nbj.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupd...b?1147836645187
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/default/mjolauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Neth - Unknown owner - C:\WINNT\system32\netid.exe (file missing)
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Win Common module - Unknown owner - C:\WINNT\system32\servicemp.exe (file missing)
--
End of file - 9361 bytes
|
AfterDawn Addict
|
25. August 2008 @ 21:04 |
Link to this message
|
@stp77,
Since you haven?t posted any of the MalwareBytes? Logs, I really can?t tell what is going on from the HJT Log only. HJT doesn?t always show all the hidden Trojans, rootkits or malware.
Follow these instructions and post all the required Logs and we?ll attempt to clean your computer.
That said, All advice given by anyone volunteering here, is taken at own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.
Download Malwarebytes' Anti-Malware to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
? At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
? If an update is found, it will download and install the latest version.
? Once the program has loaded, select Perform full scan, then click Scan.
? When the scan is complete, click OK, then Show Results to view the results.
? Make sure that everything is checked, and click Remove Selected. <-- Don't forget this.
? When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Next:
Download ComboFix from Here
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
? Double click combofix.exe and follow the prompts.
? When finished, it shall produce a log for you. Post the Combofix log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall.
Extra-Note: Please, DO NOT use ComboFix on your own. It is a very powerful tool designed to deal with sophisticated infections and if something goes wrong or you use it incorrectly, you could possibly lose the use of your computer. It is ONLY meant to be used under the direct supervision of a malware removal specialist.
Please post the MBAM Log, ComboFix Log and a fresh HJT log in your next reply.
2OG
There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...This message has been edited since posting. Last time this message was edited on 25. August 2008 @ 21:05
|
|
stp77
Newbie
|
27. August 2008 @ 15:31 |
Link to this message
|
Malwarebytes log
Malwarebytes' Anti-Malware 1.25
Database version: 1088
Windows 5.0.2195 Service Pack 4
10:11:06 PM 8/26/2008
mbam-log-08-26-2008 (22-11-06).txt
Scan type: Full Scan (C:\|E:\|F:\|)
Objects scanned: 111745
Time elapsed: 48 minute(s), 47 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 7
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 5
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{70004d5d-3bf6-4d51-43b2-02fc0002cdb5} (Rogue.Errorsafe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphc7d9j0e159 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\backupwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\Administrator\Local Settings\Temp\.tt5.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\.tt6.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\.tt8.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\.ttB.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINNT\system32\phc7d9j0e159.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Combofix log
ComboFix 08-08-27.01 - Administrator 08/27/2008 14:51:44.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.510 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
ADS - WINNT: deleted 24 bytes in 1 streams.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Administrator\Application Data\inst.exe
C:\Documents and Settings\Administrator\Cookies\administrator@isohunt[1].txt
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\isgTi19
C:\Temp\isgTi19\lPig.log
C:\temp\tn3
C:\WINNT\system32\config\SAM.SAV
C:\WINNT\system32\dao350.dll
C:\WINNT\Web\default.htt
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NPF
-------\Service_sysrest.sys
((((((((((((((((((((((((( Files Created from 2008-07-27 to 2008-08-27 )))))))))))))))))))))))))))))))
.
2008-08-24 14:35 . 08-08-24 14:35 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-24 14:35 . 08-08-24 14:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-24 14:35 . 08-08-24 14:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-08-24 14:32 . 08-08-24 14:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-08-24 14:30 . 08-08-24 15:02 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-24 14:30 . 08-08-24 14:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-24 14:30 . 08-08-17 15:01 38,472 --a------ C:\WINNT\system32\drivers\mbamswissarmy.sys
2008-08-24 14:30 . 08-08-17 15:01 17,144 --a------ C:\WINNT\system32\drivers\mbam.sys
2008-08-22 15:42 . 08-08-22 15:44 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-22 15:42 . 08-08-22 17:39 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-20 21:23 . 07-09-06 00:22 289,144 --a------ C:\WINNT\system32\VCCLSID.exe
2008-08-20 21:23 . 06-04-27 17:49 288,417 --a------ C:\WINNT\system32\SrchSTS.exe
2008-08-20 21:23 . 08-05-29 09:35 86,528 --a------ C:\WINNT\system32\VACFix.exe
2008-08-20 21:23 . 08-05-18 21:40 82,944 --a------ C:\WINNT\system32\IEDFix.exe
2008-08-20 21:23 . 08-08-14 21:52 82,432 --a------ C:\WINNT\system32\IEDFix.C.exe
2008-08-20 21:23 . 08-08-18 12:19 82,432 --a------ C:\WINNT\system32\404Fix.exe
2008-08-20 21:23 . 03-06-05 21:13 53,248 --a------ C:\WINNT\system32\Process.exe
2008-08-20 21:23 . 04-07-31 18:50 51,200 --a------ C:\WINNT\system32\dumphive.exe
2008-08-20 21:23 . 07-10-04 00:36 25,600 --a------ C:\WINNT\system32\WS2Fix.exe
2008-08-20 21:23 . 08-08-22 18:37 4,576 --a------ C:\WINNT\system32\tmp.reg
2008-08-20 16:17 . 08-08-24 14:34 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-20 16:17 . 08-08-20 16:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-20 04:09 . 08-08-20 04:16 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-08-20 04:09 . 08-08-20 04:09 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-08-20 04:09 . 08-06-10 21:22 81,288 --a------ C:\WINNT\system32\drivers\iksyssec.sys
2008-08-20 04:09 . 08-06-02 15:19 66,952 --a------ C:\WINNT\system32\drivers\iksysflt.sys
2008-08-20 04:09 . 08-06-02 15:19 42,376 --a------ C:\WINNT\system32\drivers\ikfilesec.sys
2008-08-20 04:09 . 08-06-02 15:19 29,576 --a------ C:\WINNT\system32\drivers\kcom.sys
2008-08-19 15:29 . 02-05-15 15:16 462,848 --a------ C:\WINNT\system32\msaatext.dll
2008-08-19 15:29 . 02-05-15 15:16 360,448 --a------ C:\WINNT\system32\oleacc.dll
2008-08-19 15:29 . 02-05-15 15:16 360,448 --a--c--- C:\WINNT\system32\dllcache\oleacc.dll
2008-08-19 15:29 . 02-05-15 15:16 356,352 --a------ C:\WINNT\system32\oleaccrc.dll
2008-08-19 15:29 . 02-05-15 15:16 356,352 --a--c--- C:\WINNT\system32\dllcache\oleaccrc.dll
2008-08-01 09:27 . 08-08-01 09:27 99,648 --a------ C:\WINNT\system32\drivers\AnyDVD.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-23 17:02 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-08-23 03:29 --------- d---a-w C:\Program Files\mIRC
2008-08-21 00:31 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-20 23:33 --------- d-----w C:\Program Files\Trend Micro
2008-08-20 20:17 --------- d---a-w C:\Program Files\Lavasoft
2008-08-15 00:11 --------- d---a-w C:\Program Files\DVDlabPro
2008-08-08 00:48 --------- d---a-w C:\Program Files\DC++
2008-07-21 12:11 24,392 ----a-w C:\WINNT\system32\drivers\ElbyCDIO.sys
2008-07-18 23:06 265,688 ----a-w C:\WINNT\system32\drivers\tmfilter.sys
2008-07-18 22:51 1,195,448 ----a-w C:\WINNT\system32\drivers\vsapint.sys
2008-07-13 12:47 --------- d-----w C:\Program Files\TagRename
2008-07-12 18:21 --------- d-----w C:\Program Files\Java
2007-12-03 00:44 47,360 ----a-w C:\Documents and Settings\Administrator\Application Data\pcouffin.sys
2006-05-15 18:12 271 ---ha-w C:\Program Files\desktop.ini
2006-05-15 18:12 21,952 ---ha-w C:\Program Files\folder.htt
1999-12-07 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe" [08-08-01 09:32 2161600]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\nbj.exe" [06-09-15 13:27 2048000]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08-08-18 18:41 1832272]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [08-08-19 23:34 1576176]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [07-01-23 02:26 3429904]
"IMONTRAY"="C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe" [01-08-20 19:24 32768]
"AudioHQ"="C:\Program Files\Creative\SBPCI5122k\AudioHQ\AHQTB.EXE" [99-11-30 01:00 204800]
"Creative Launcher"="C:\Program Files\Creative\SBPCI5122k\Launcher\CTLauncher.exe" [00-02-16 01:52 257536]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [03-08-19 06:43 57344]
"MediaFace Integration"="C:\Program Files\Fellowes\MediaFACE 4.2\SetHook.exe" [05-03-28 03:45 53248]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [02-07-16 21:21 28672]
"PinnacleDriverCheck"="C:\WINNT\system32\PSDrvCheck.exe" [03-05-28 16:37 394240]
"Speed racer"="C:\Program Files\Creative\SBPCI5122k\PlayCenter\CTSRReg.exe" [99-11-15 21:00 5632]
"StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [04-02-11 19:08 61440]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [08-06-10 04:27 144784]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [04-02-12 17:40 163840]
"UpdReg"="C:\WINNT\Updreg.exe" [00-05-11 01:00 90112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06-08-20 21:46 282624]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 111376 C:\WINNT\system32\mobsync.exe]
"Promon.exe"="Promon.exe" [00-04-13 07:34 29184 C:\WINNT\system32\promon.exe]
"AtiPTA"="atiptaxx.exe" [01-10-27 01:32 270336 C:\WINNT\system32\atiptaxx.exe]
"HydarVisionDesktopManager"="desk95.exe" [01-08-20 21:30 663552 C:\WINNT\system32\Desk95.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 12:05 186640]
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-03 12:09:27 113664]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2004-10-09 21:43:39 49254]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-03 12:09:27 113664]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 05:15:54 65588]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [08-05-13 10:13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
08-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwprovau]
06-09-01 01:49 140048 C:\WINNT\system32\NWPROVAU.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.dvsd"= pdvcodec.dll
"aux"= ctwdm32.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"
R1 Dlc;DLC Protocol;C:\WINNT\system32\DRIVERS\dlc.sys [03-06-19 12:05 ]
R2 NwSapAgent;SAP Agent;C:\WINNT\System32\svchost.exe [99-12-07 08:00 ]
R2 ousbehci;NEC PCI to USB Enhanced Host Controller;C:\WINNT\system32\Drivers\ousbehci.sys [02-12-24 13:52 ]
R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys [03-06-19 12:05 ]
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\ousb2hub.sys [02-12-24 13:52 ]
S1 sglfb;sglfb;C:\WINNT\system32\drivers\sglfb.sys [99-12-07 08:00 ]
S1 SMBus;Intel(R) SMBus Driver;C:\WINNT\system32\DRIVERS\SMBus.sys [01-08-20 17:33 ]
S2 Neth;Neth;C:\WINNT\system32\netid.exe []
S2 portD;CMS PortIO Service;C:\WINNT\system32\DRIVERS\portd2k.sys []
S2 Win Common module;Win Common module;C:\WINNT\system32\servicemp.exe []
S3 PCIDATA;PCIDATA;D:\PCIDATA.sys []
S3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [03-06-19 12:05 ]
*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Local Page = C:\windows\system32\blank.htm
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R0 -: HKLM-Main,Local Page = C:\windows\system32\blank.htm
O9 -: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
O16 -: DirectAnimation Java Classes - file://C:\WINNT\Java\classes\dajava.cab
C:\WINNT\Downloaded Program Files\DirectAnimation Java Classes.osd
O16 -: Microsoft XML Parser for Java - file://C:\WINNT\Java\classes\xmldso.cab
C:\WINNT\Downloaded Program Files\Microsoft XML Parser for Java.osd
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-27 14:56:28
Windows 5.0.2195 Service Pack 4 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-08-27 15:02:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-27 19:02:54
Pre-Run: 59,372,818,432 bytes free
Post-Run: 59,477,053,440 bytes free
175 --- E O F --- 2008-08-26 00:12:07
HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:04:51 PM, on 8/27/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\devldr32.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\mobsync.exe
C:\WINNT\system32\Promon.exe
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\desk95.exe
C:\Program Files\Creative\SBPCI5122k\AudioHQ\AHQTB.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [HydarVisionDesktopManager] desk95.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBPCI5122k\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\SBPCI5122k\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.2\SetHook.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\SBPCI5122k\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lphc7d9j0e159] C:\WINNT\system32\lphc7d9j0e159.exe
O4 - HKLM\..\RunOnce: [TSC] "C:\PROGRA~1\TRENDM~1\INTERN~1\tsc.exe" /HD
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\nbj.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupd...b?1147836645187
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/default/mjolauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Neth - Unknown owner - C:\WINNT\system32\netid.exe (file missing)
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Win Common module - Unknown owner - C:\WINNT\system32\servicemp.exe (file missing)
--
End of file - 9037 bytes
|
AfterDawn Addict
|
27. August 2008 @ 17:17 |
Link to this message
|
@ stp77,
Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the quote box by highlighting all the text with your mouse and pressing Ctrl+C
Quote:
KILLALL::
File::
C:\WINNT\system32\netid.exe
C:\WINNT\system32\servicemp.exe
Driver::
netid
servicemp
Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop
Referring to the picture above, drag CFScript into ComboFix.exe
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
2OG
There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves... |
|
stp77
Newbie
|
27. August 2008 @ 20:40 |
Link to this message
|
|
(including the quotes) do you mean the word quote and the lines above and below the comands?
This message has been edited since posting. Last time this message was edited on 27. August 2008 @ 20:42
|
AfterDawn Addict
|
28. August 2008 @ 04:03 |
Link to this message
|
|
"CFScript.txt" including the quotes) --> " "
There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves... |
|
stp77
Newbie
|
29. August 2008 @ 14:58 |
Link to this message
|
ComboFix 08-08-27.01 - Administrator 08/29/2008 14:45:17.2 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.548 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINNT\system32\netid.exe
C:\WINNT\system32\servicemp.exe
.
((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-29 )))))))))))))))))))))))))))))))
.
2008-08-29 14:49 . 08-08-29 14:49 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_2b8.dat
2008-08-24 14:35 . 08-08-24 14:35 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-24 14:35 . 08-08-24 14:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-24 14:35 . 08-08-24 14:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-08-24 14:32 . 08-08-24 14:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-08-24 14:30 . 08-08-24 15:02 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-24 14:30 . 08-08-24 14:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-24 14:30 . 08-08-17 15:01 38,472 --a------ C:\WINNT\system32\drivers\mbamswissarmy.sys
2008-08-24 14:30 . 08-08-17 15:01 17,144 --a------ C:\WINNT\system32\drivers\mbam.sys
2008-08-22 15:42 . 08-08-22 15:44 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-22 15:42 . 08-08-22 17:39 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-20 21:23 . 07-09-06 00:22 289,144 --a------ C:\WINNT\system32\VCCLSID.exe
2008-08-20 21:23 . 06-04-27 17:49 288,417 --a------ C:\WINNT\system32\SrchSTS.exe
2008-08-20 21:23 . 08-05-29 09:35 86,528 --a------ C:\WINNT\system32\VACFix.exe
2008-08-20 21:23 . 08-05-18 21:40 82,944 --a------ C:\WINNT\system32\IEDFix.exe
2008-08-20 21:23 . 08-08-14 21:52 82,432 --a------ C:\WINNT\system32\IEDFix.C.exe
2008-08-20 21:23 . 08-08-18 12:19 82,432 --a------ C:\WINNT\system32\404Fix.exe
2008-08-20 21:23 . 03-06-05 21:13 53,248 --a------ C:\WINNT\system32\Process.exe
2008-08-20 21:23 . 04-07-31 18:50 51,200 --a------ C:\WINNT\system32\dumphive.exe
2008-08-20 21:23 . 07-10-04 00:36 25,600 --a------ C:\WINNT\system32\WS2Fix.exe
2008-08-20 21:23 . 08-08-22 18:37 4,576 --a------ C:\WINNT\system32\tmp.reg
2008-08-20 16:17 . 08-08-24 14:34 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-20 16:17 . 08-08-20 16:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-20 04:09 . 08-08-20 04:16 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-08-20 04:09 . 08-08-20 04:09 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-08-20 04:09 . 08-06-10 21:22 81,288 --a------ C:\WINNT\system32\drivers\iksyssec.sys
2008-08-20 04:09 . 08-06-02 15:19 66,952 --a------ C:\WINNT\system32\drivers\iksysflt.sys
2008-08-20 04:09 . 08-06-02 15:19 42,376 --a------ C:\WINNT\system32\drivers\ikfilesec.sys
2008-08-20 04:09 . 08-06-02 15:19 29,576 --a------ C:\WINNT\system32\drivers\kcom.sys
2008-08-19 15:29 . 02-05-15 15:16 462,848 --a------ C:\WINNT\system32\msaatext.dll
2008-08-19 15:29 . 02-05-15 15:16 360,448 --a------ C:\WINNT\system32\oleacc.dll
2008-08-19 15:29 . 02-05-15 15:16 360,448 --a--c--- C:\WINNT\system32\dllcache\oleacc.dll
2008-08-19 15:29 . 02-05-15 15:16 356,352 --a------ C:\WINNT\system32\oleaccrc.dll
2008-08-19 15:29 . 02-05-15 15:16 356,352 --a--c--- C:\WINNT\system32\dllcache\oleaccrc.dll
2008-08-01 09:27 . 08-08-01 09:27 99,648 --a------ C:\WINNT\system32\drivers\AnyDVD.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-23 17:02 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-08-23 03:29 --------- d---a-w C:\Program Files\mIRC
2008-08-21 00:31 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-20 23:33 --------- d-----w C:\Program Files\Trend Micro
2008-08-20 20:17 --------- d---a-w C:\Program Files\Lavasoft
2008-08-15 00:11 --------- d---a-w C:\Program Files\DVDlabPro
2008-08-08 00:48 --------- d---a-w C:\Program Files\DC++
2008-07-21 12:11 24,392 ----a-w C:\WINNT\system32\drivers\ElbyCDIO.sys
2008-07-18 23:06 265,688 ----a-w C:\WINNT\system32\drivers\tmfilter.sys
2008-07-18 22:51 1,195,448 ----a-w C:\WINNT\system32\drivers\vsapint.sys
2008-07-13 12:47 --------- d-----w C:\Program Files\TagRename
2008-07-12 18:21 --------- d-----w C:\Program Files\Java
2007-12-03 00:44 47,360 ----a-w C:\Documents and Settings\Administrator\Application Data\pcouffin.sys
2006-05-15 18:12 271 ---ha-w C:\Program Files\desktop.ini
2006-05-15 18:12 21,952 ---ha-w C:\Program Files\folder.htt
1999-12-07 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe" [08-08-01 09:32 2161600]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\nbj.exe" [06-09-15 13:27 2048000]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08-08-18 18:41 1832272]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [08-08-19 23:34 1576176]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [07-01-23 02:26 3429904]
"IMONTRAY"="C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe" [01-08-20 19:24 32768]
"AudioHQ"="C:\Program Files\Creative\SBPCI5122k\AudioHQ\AHQTB.EXE" [99-11-30 01:00 204800]
"Creative Launcher"="C:\Program Files\Creative\SBPCI5122k\Launcher\CTLauncher.exe" [00-02-16 01:52 257536]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [03-08-19 06:43 57344]
"MediaFace Integration"="C:\Program Files\Fellowes\MediaFACE 4.2\SetHook.exe" [05-03-28 03:45 53248]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [02-07-16 21:21 28672]
"PinnacleDriverCheck"="C:\WINNT\system32\PSDrvCheck.exe" [03-05-28 16:37 394240]
"Speed racer"="C:\Program Files\Creative\SBPCI5122k\PlayCenter\CTSRReg.exe" [99-11-15 21:00 5632]
"StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [04-02-11 19:08 61440]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [08-06-10 04:27 144784]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [04-02-12 17:40 163840]
"UpdReg"="C:\WINNT\Updreg.exe" [00-05-11 01:00 90112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06-08-20 21:46 282624]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 111376 C:\WINNT\system32\mobsync.exe]
"Promon.exe"="Promon.exe" [00-04-13 07:34 29184 C:\WINNT\system32\promon.exe]
"AtiPTA"="atiptaxx.exe" [01-10-27 01:32 270336 C:\WINNT\system32\atiptaxx.exe]
"HydarVisionDesktopManager"="desk95.exe" [01-08-20 21:30 663552 C:\WINNT\system32\Desk95.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 12:05 186640]
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-03 12:09:27 113664]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2004-10-09 21:43:39 49254]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-03 12:09:27 113664]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 05:15:54 65588]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [08-05-13 10:13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
08-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwprovau]
06-09-01 01:49 140048 C:\WINNT\system32\NWPROVAU.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.dvsd"= pdvcodec.dll
"aux"= ctwdm32.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"
R1 Dlc;DLC Protocol;C:\WINNT\system32\DRIVERS\dlc.sys [03-06-19 12:05 ]
R2 NwSapAgent;SAP Agent;C:\WINNT\System32\svchost.exe [99-12-07 08:00 ]
R2 ousbehci;NEC PCI to USB Enhanced Host Controller;C:\WINNT\system32\Drivers\ousbehci.sys [02-12-24 13:52 ]
R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys [03-06-19 12:05 ]
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\ousb2hub.sys [02-12-24 13:52 ]
S1 sglfb;sglfb;C:\WINNT\system32\drivers\sglfb.sys [99-12-07 08:00 ]
S1 SMBus;Intel(R) SMBus Driver;C:\WINNT\system32\DRIVERS\SMBus.sys [01-08-20 17:33 ]
S2 Neth;Neth;C:\WINNT\system32\netid.exe []
S2 portD;CMS PortIO Service;C:\WINNT\system32\DRIVERS\portd2k.sys []
S2 Win Common module;Win Common module;C:\WINNT\system32\servicemp.exe []
S3 PCIDATA;PCIDATA;D:\PCIDATA.sys []
S3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [03-06-19 12:05 ]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-lphc7d9j0e159 - C:\WINNT\system32\lphc7d9j0e159.exe
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-29 14:50:04
Windows 5.0.2195 Service Pack 4 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-08-29 14:54:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-29 18:54:10
ComboFix2.txt 2008-08-27 19:03:04
Pre-Run: 59,581,992,960 bytes free
Post-Run: 59,606,188,032 bytes free
150 --- E O F --- 2008-08-26 00:12:07
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:54:54 PM, on 8/29/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\devldr32.exe
C:\WINNT\system32\Promon.exe
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\desk95.exe
C:\Program Files\Creative\SBPCI5122k\AudioHQ\AHQTB.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINNT\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [HydarVisionDesktopManager] desk95.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBPCI5122k\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\SBPCI5122k\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.2\SetHook.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\SBPCI5122k\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\nbj.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupd...b?1147836645187
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/default/mjolauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Neth - Unknown owner - C:\WINNT\system32\netid.exe (file missing)
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Win Common module - Unknown owner - C:\WINNT\system32\servicemp.exe (file missing)
--
End of file - 9027 bytes
|
AfterDawn Addict
|
29. August 2008 @ 16:01 |
Link to this message
|
There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...This message has been edited since posting. Last time this message was edited on 29. August 2008 @ 19:12
|
|
stp77
Newbie
|
29. August 2008 @ 20:13 |
Link to this message
|
|
i think there was a combofix update but i wasent sure if i should update during that fix also when it reboots my trend micro and the spyware programs start to run and i turn them off would this have an effect. should i do it in safemode?
|
AfterDawn Addict
|
29. August 2008 @ 20:33 |
Link to this message
|
|
@stp77,
I really don't know... I had this happen to me another time and never did figure out what was wrong.
Last time I had to use a different method of removing the bad files, which we could this time. The drivers are what I am concerned about so let's try it one more time and this time use the Safe Mode like you suggested. That may work..
2OG
There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves... |
AfterDawn Addict
|
29. August 2008 @ 23:40 |
Link to this message
|
@stp77,
If you?re having trouble with ComboFix then here?s another way to delete the files:
Please download the OTMoveIt2 by OldTimer.HERE
? Save it to your desktop.
? Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
? Copy the lines in the box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
Quote:
C:\WINNT\system32\netid.exe
C:\WINNT\system32\servicemp.exe
? Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the Yellow bar) and choose Paste.
? Click the red Moveit! button.
? Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
? Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Re-run combofix normally.
Post:
- combofix report
- otmoveit2 log
There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...This message has been edited since posting. Last time this message was edited on 29. August 2008 @ 23:46
|
|
stp77
Newbie
|
29. August 2008 @ 23:41 |
Link to this message
|
tried safemode
ComboFix 08-08-29.02 - Administrator 08/29/2008 23:26:35.3 - NTFSx86 MINIMAL
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.652 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINNT\system32\netid.exe
C:\WINNT\system32\servicemp.exe
.
((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-30 )))))))))))))))))))))))))))))))
.
2008-08-29 23:30 . 08-08-29 23:30 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_5a0.dat
2008-08-29 23:19 . 08-08-29 23:20 804,556,800 --a------ C:\WINNT\MEMORY.DMP
2008-08-24 14:35 . 08-08-24 14:35 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-24 14:35 . 08-08-24 14:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-24 14:35 . 08-08-24 14:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-08-24 14:32 . 08-08-24 14:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-08-24 14:30 . 08-08-24 15:02 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-24 14:30 . 08-08-24 14:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-24 14:30 . 08-08-17 15:01 38,472 --a------ C:\WINNT\system32\drivers\mbamswissarmy.sys
2008-08-24 14:30 . 08-08-17 15:01 17,144 --a------ C:\WINNT\system32\drivers\mbam.sys
2008-08-22 15:42 . 08-08-22 15:44 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-22 15:42 . 08-08-22 17:39 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-20 21:23 . 07-09-06 00:22 289,144 --a------ C:\WINNT\system32\VCCLSID.exe
2008-08-20 21:23 . 06-04-27 17:49 288,417 --a------ C:\WINNT\system32\SrchSTS.exe
2008-08-20 21:23 . 08-05-29 09:35 86,528 --a------ C:\WINNT\system32\VACFix.exe
2008-08-20 21:23 . 08-05-18 21:40 82,944 --a------ C:\WINNT\system32\IEDFix.exe
2008-08-20 21:23 . 08-08-14 21:52 82,432 --a------ C:\WINNT\system32\IEDFix.C.exe
2008-08-20 21:23 . 08-08-18 12:19 82,432 --a------ C:\WINNT\system32\404Fix.exe
2008-08-20 21:23 . 03-06-05 21:13 53,248 --a------ C:\WINNT\system32\Process.exe
2008-08-20 21:23 . 04-07-31 18:50 51,200 --a------ C:\WINNT\system32\dumphive.exe
2008-08-20 21:23 . 07-10-04 00:36 25,600 --a------ C:\WINNT\system32\WS2Fix.exe
2008-08-20 21:23 . 08-08-22 18:37 4,576 --a------ C:\WINNT\system32\tmp.reg
2008-08-20 16:17 . 08-08-24 14:34 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-20 16:17 . 08-08-20 16:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-20 04:09 . 08-08-20 04:16 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-08-20 04:09 . 08-08-20 04:09 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-08-20 04:09 . 08-06-10 21:22 81,288 --a------ C:\WINNT\system32\drivers\iksyssec.sys
2008-08-20 04:09 . 08-06-02 15:19 66,952 --a------ C:\WINNT\system32\drivers\iksysflt.sys
2008-08-20 04:09 . 08-06-02 15:19 42,376 --a------ C:\WINNT\system32\drivers\ikfilesec.sys
2008-08-20 04:09 . 08-06-02 15:19 29,576 --a------ C:\WINNT\system32\drivers\kcom.sys
2008-08-19 15:29 . 02-05-15 15:16 462,848 --a------ C:\WINNT\system32\msaatext.dll
2008-08-19 15:29 . 02-05-15 15:16 360,448 --a------ C:\WINNT\system32\oleacc.dll
2008-08-19 15:29 . 02-05-15 15:16 360,448 --a--c--- C:\WINNT\system32\dllcache\oleacc.dll
2008-08-19 15:29 . 02-05-15 15:16 356,352 --a------ C:\WINNT\system32\oleaccrc.dll
2008-08-19 15:29 . 02-05-15 15:16 356,352 --a--c--- C:\WINNT\system32\dllcache\oleaccrc.dll
2008-08-01 09:27 . 08-08-01 09:27 99,648 --a------ C:\WINNT\system32\drivers\AnyDVD.sys
2008-07-21 08:11 . 08-07-21 08:11 24,392 --a------ C:\WINNT\system32\drivers\ElbyCDIO.sys
2008-07-10 06:00 . 08-07-10 06:00 251,152 --a------ C:\WINNT\system32\es.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-30 00:16 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-08-23 03:29 --------- d---a-w C:\Program Files\mIRC
2008-08-21 00:31 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-20 23:33 --------- d-----w C:\Program Files\Trend Micro
2008-08-20 20:17 --------- d---a-w C:\Program Files\Lavasoft
2008-08-15 00:11 --------- d---a-w C:\Program Files\DVDlabPro
2008-08-08 00:48 --------- d---a-w C:\Program Files\DC++
2008-07-18 23:06 265,688 ----a-w C:\WINNT\system32\drivers\tmfilter.sys
2008-07-18 22:51 1,195,448 ----a-w C:\WINNT\system32\drivers\vsapint.sys
2008-07-13 12:47 --------- d-----w C:\Program Files\TagRename
2008-07-12 18:21 --------- d-----w C:\Program Files\Java
2007-12-03 00:44 47,360 ----a-w C:\Documents and Settings\Administrator\Application Data\pcouffin.sys
2006-05-15 18:12 271 ---ha-w C:\Program Files\desktop.ini
2006-05-15 18:12 21,952 ---ha-w C:\Program Files\folder.htt
1999-12-07 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe" [08-08-01 09:32 2161600]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\nbj.exe" [06-09-15 13:27 2048000]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08-08-18 18:41 1832272]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [08-08-19 23:34 1576176]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [07-01-23 02:26 3429904]
"IMONTRAY"="C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe" [01-08-20 19:24 32768]
"AudioHQ"="C:\Program Files\Creative\SBPCI5122k\AudioHQ\AHQTB.EXE" [99-11-30 01:00 204800]
"Creative Launcher"="C:\Program Files\Creative\SBPCI5122k\Launcher\CTLauncher.exe" [00-02-16 01:52 257536]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [03-08-19 06:43 57344]
"MediaFace Integration"="C:\Program Files\Fellowes\MediaFACE 4.2\SetHook.exe" [05-03-28 03:45 53248]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [02-07-16 21:21 28672]
"PinnacleDriverCheck"="C:\WINNT\system32\PSDrvCheck.exe" [03-05-28 16:37 394240]
"Speed racer"="C:\Program Files\Creative\SBPCI5122k\PlayCenter\CTSRReg.exe" [99-11-15 21:00 5632]
"StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [04-02-11 19:08 61440]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [08-06-10 04:27 144784]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [04-02-12 17:40 163840]
"UpdReg"="C:\WINNT\Updreg.exe" [00-05-11 01:00 90112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06-08-20 21:46 282624]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 111376 C:\WINNT\system32\mobsync.exe]
"Promon.exe"="Promon.exe" [00-04-13 07:34 29184 C:\WINNT\system32\promon.exe]
"AtiPTA"="atiptaxx.exe" [01-10-27 01:32 270336 C:\WINNT\system32\atiptaxx.exe]
"HydarVisionDesktopManager"="desk95.exe" [01-08-20 21:30 663552 C:\WINNT\system32\Desk95.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 12:05 186640]
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-03 12:09:27 113664]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2004-10-09 21:43:39 49254]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-03 12:09:27 113664]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 05:15:54 65588]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [08-05-13 10:13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
08-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwprovau]
06-09-01 01:49 140048 C:\WINNT\system32\NWPROVAU.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.dvsd"= pdvcodec.dll
"aux"= ctwdm32.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"
R1 Dlc;DLC Protocol;C:\WINNT\system32\DRIVERS\dlc.sys [03-06-19 12:05 ]
R2 NwSapAgent;SAP Agent;C:\WINNT\System32\svchost.exe [99-12-07 08:00 ]
R2 ousbehci;NEC PCI to USB Enhanced Host Controller;C:\WINNT\system32\Drivers\ousbehci.sys [02-12-24 13:52 ]
R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys [03-06-19 12:05 ]
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\ousb2hub.sys [02-12-24 13:52 ]
S1 sglfb;sglfb;C:\WINNT\system32\drivers\sglfb.sys [99-12-07 08:00 ]
S1 SMBus;Intel(R) SMBus Driver;C:\WINNT\system32\DRIVERS\SMBus.sys [01-08-20 17:33 ]
S2 Neth;Neth;C:\WINNT\system32\netid.exe []
S2 portD;CMS PortIO Service;C:\WINNT\system32\DRIVERS\portd2k.sys []
S2 Win Common module;Win Common module;C:\WINNT\system32\servicemp.exe []
S3 PCIDATA;PCIDATA;D:\PCIDATA.sys []
S3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [03-06-19 12:05 ]
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-29 23:30:47
Windows 5.0.2195 Service Pack 4 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-08-29 23:36:23 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-30 03:36:15
ComboFix2.txt 2008-08-29 18:54:17
ComboFix3.txt 2008-08-27 19:03:04
Pre-Run: 60,246,360,064 bytes free
Post-Run: 60,231,389,184 bytes free
151 --- E O F --- 2008-08-26 00:12:07
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:37:47 PM, on 8/29/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\devldr32.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Promon.exe
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\desk95.exe
C:\Program Files\Creative\SBPCI5122k\AudioHQ\AHQTB.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINNT\explorer.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [HydarVisionDesktopManager] desk95.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBPCI5122k\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\SBPCI5122k\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.2\SetHook.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\SBPCI5122k\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lphc7d9j0e159] C:\WINNT\system32\lphc7d9j0e159.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\nbj.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupd...b?1147836645187
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/default/mjolauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Neth - Unknown owner - C:\WINNT\system32\netid.exe (file missing)
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Win Common module - Unknown owner - C:\WINNT\system32\servicemp.exe (file missing)
--
End of file - 9470 bytes
|
AfterDawn Addict
|
29. August 2008 @ 23:49 |
Link to this message
|
There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves... |
|
stp77
Newbie
|
6. September 2008 @ 08:56 |
Link to this message
|
|
OTMoveIt2 says files not found
|
AfterDawn Addict
|
7. September 2008 @ 10:08 |
Link to this message
|
@stp77,
We may well be dealing with a rootkit so let?s just make that assumption and see if we can find and kill it..
Download and Run Gmer
Download Gmer to your Desktop and unzip it to your Desktop.
http://www.gmer.net/gmer.zip
Disconnect from internet and close running programs.
There is a small chance this application may crash your computer so save any work you have open.
Double click gmer.exe
Let the gmer.sys driver load if asked.
If it gives you a warning at program start about rootkit activity and asks if you want to run scan...say Ok.
If no warning....
Click the rootkit tab
To the right of the program you will see a bunch of boxes that have been checked... leave everything checked. Then click the Scan button. Wait for the scan to finish.
Once done click the Copy button.
Open Notepad and hit ctrl+v to paste the log. Save the log to your desktop please.
Please post the Gmer log in your reply.
2OG
There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves... |
|
stp77
Newbie
|
7. September 2008 @ 10:20 |
Link to this message
|
|
how do i make sure no programs are running in background
|
AfterDawn Addict
|
7. September 2008 @ 11:01 |
Link to this message
|
Disconnect from internet and close running programs.
Ie. Anti-virus, malware scanners, spybot teatimer etc.
Look in your tray and close anything that looks like a scanner...
There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves... |
|
stp77
Newbie
|
7. September 2008 @ 12:45 |
Link to this message
|
Crashed the first time
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-09-07 12:41:19
Windows 5.0.2195 Service Pack 4
---- System - GMER 1.0.14 ----
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xBB964F20]
---- Kernel code sections - GMER 1.0.14 ----
.text ntoskrnl.exe!NtClose 80522AF4 10 Bytes [ B8, 55, 08, 57, B7, FF, E0, ... ]
PAGE ntoskrnl.exe!IoCreateFile 80573652 7 Bytes [ B8, D4, 06, 57, B7, FF, E0 ]
---- User IAT/EAT - GMER 1.0.14 ----
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!CreateProcessA] [23021346] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\Secur32.dll [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\Secur32.dll [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\Secur32.dll [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\Secur32.dll [KERNEL32.DLL!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryExA] [732E78DE] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!CreateProcessA] [23021346] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\WININET.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\WININET.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\WININET.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\WININET.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExA] [732E78DE] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1404] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
---- Devices - GMER 1.0.14 ----
Device ACPI.sys (ACPI Driver for NT/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Incorporated.)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Incorporated.)
Device pci.sys (NT Plug and Play PCI Enumerator/Microsoft Corporation)
Device AnyDVD.sys (AnyDVD Filter Driver/SlySoft, Inc.)
Device IdeBusDr.sys (Intel Ultra ATA Storage Driver/Intel Corporation)
Device \Driver\IdeChnDr \Device\Ide\IntelAta0 AnyDVD.sys (AnyDVD Filter Driver/SlySoft, Inc.)
Device \Driver\IdeChnDr \Device\Ide\IntelAta1 AnyDVD.sys (AnyDVD Filter Driver/SlySoft, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Incorporated.)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Incorporated.)
---- EOF - GMER 1.0.14 ----
|
AfterDawn Addict
|
7. September 2008 @ 18:02 |
Link to this message
|
@stp77,
Good news, there is no RootKit and the Trojan has been removed.
There are a few Traces left over, but this should take care of them:
1. Remove Hijackthis Entries
? Run HijackThis
? Click on the Scan button
Put a check beside all of the items listed below (if present):
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [lphc7d9j0e159] C:\WINNT\system32\lphc7d9j0e159.exe
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O23 - Service: Neth - Unknown owner - C:\WINNT\system32\netid.exe (file missing)
O23 - Service: Win Common module - Unknown owner - C:\WINNT\system32\servicemp.exe (file missing)
? Close all open windows and browsers/email, etc...
? Click on the "Fix Checked" button
? When completed, close the application.
2. Delete bad services
Please open Notepad. Ensure that word wrap is turned off. Click on Format and make sure that there is not a tick next to Word Wrap. If there's one, click on Word Wrap to remove it. Copy and paste the following in the quote box into Notepad:
Quote:
@echo off
sc stop Neth
sc delete Neth
sc stop Win Common module
sc delete Win Common module
exit
Click on File > Save As....
In the File Name box, copy and paste in fix.bat
In the Save as type box, select All Files from the drop-down list.
Click Save and save it to your Desktop.
Double click on fix.bat. A Command Prompt window will open and close quickly. That is normal.
3. Download and Run OTMoveIt2
Please download OTMoveIt2 by OldTimer.
? Save it to your desktop.
? Please double-click OTMoveIt2.exe to run it.
? Copy the lines in the Quotebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
Quote:
C:\WINNT\system32\lphc7d9j0e159.exe
? Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.
? Click the red Moveit! button..
? Close OTMoveIt2
? Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
In your next post/reply, I need to see a fresh HiJackThis Log.
And, Please let me know if you have any problems???
2OG
There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves... |
|
fire27
Newbie
|
9. September 2008 @ 09:36 |
Link to this message
|
Hi 2OG,
I have 2 more computers that might be infected could you please look at this log for me. The one computer wont connect to the internet so I have to copy the files off first. Heres the first one.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:32:39 AM, on 9/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\WINDOWS\System32\NILaunch.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Desktop 16\TrueWeather.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN\Toolbar\3.0.0311.0\msntask.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ms101.mysearch.com/sa/srchlft.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0311.0\msneshellx.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0311.0\msneshellx.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [AQ3HelperStartUp] C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE /partner AQ3
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - Startup: logon.bat
O4 - Startup: Microsoft Outlook.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: Desktop 16.lnk = C:\Program Files\Desktop 16\TrueWeather.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O9 - Extra button: Support - {D516A253-0C7F-4E37-A777-D5B8AD09C95B} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/03c82c380db3cb039019/netzip/RdxIE2.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://wdownload.weatherbug.com/minibug/...uginstaller.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup145.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.co...io4_0_2_10a.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC85F3DA-193B-4A33-B734-E28D9EEFFDEF}: NameServer = 192.168.1.253
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - file:///F:/SETUP/data/help/Help%20Art/main.gif
O24 - Desktop Component 1: (no name) - http://www.greenbook.net/GlobalImages/doc_on.gif
--
End of file - 10317 bytes
|
AfterDawn Addict
|
9. September 2008 @ 19:46 |
Link to this message
|
Hi fire27, 
I see you?re still getting infected. :(
If you have no internet connection then download ComboFix to a USB stick and transfer it to the computer and run it there.
1. Download Combo fix from one of these locations.
* IMPORTANT !!! Place combofix.exe on your Desktop
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Click start > run and Copy and Paste this in exactly, using the picture below for reference, then click OK.
Quote:
"%userprofile%\desktop\combofix.exe" /killall
3. Combo will begin to run DO NOTHING while this is happening.
? It will kill a few processes and disconnect you from the internet.
? If by chance it stops prematurely you can re-establish your internet connection by restarting your computer. We'll see :)
? This needs to be done so the program can work most efficiently for you.
Do not attempt to use the internet or anything else while it's doing its job for you.
If when it's completed you can not get on the internet just reboot the computer
Post the log from comboFix for me located in
c:\comboFix.txt
2OG
There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves... |
|
Advertisement
|
|
|
|
stp77
Newbie
|
13. September 2008 @ 14:18 |
Link to this message
|
When i reboot there is still this funny blue screen before the booting process is finished then is goes back to my background picture. also the file that OTMoveIt2.exe is supposed to move says not found.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:14:20 PM, on 9/13/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\stisvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINNT\system32\devldr32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Creative\SBPCI5122k\AudioHQ\AHQTB.EXE
C:\WINNT\system32\Promon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\WINNT\system32\desk95.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Creative\SBPCI5122k\Launcher\CTLauncher.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [HydarVisionDesktopManager] desk95.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBPCI5122k\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\SBPCI5122k\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.2\SetHook.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\SBPCI5122k\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lphc7d9j0e159] C:\WINNT\system32\lphc7d9j0e159.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\nbj.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupd...b?1147836645187
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/default/mjolauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
--
End of file - 9256 bytes
|
|
