Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Possible Hackdefender Trojan

Started by Green0j0s , Sep 12 2006 11:46 PM

Please log in to reply

#1
Green0j0s

Posted 12 September 2006 - 11:46 PM

New Member

Member
7 posts

Ok... Ive tried now for about a week everything that I could think of to remove whatever is infected in my PC but havent been successful. I have McAfee Enterprise Edition 8.0, it has removed a couple of infected files but has been unsuccessful in detecting the primary source fo the infection. I tried everything on this forum also to try and removing the infection but hasnt worked either. I only got as far as detecting that I have the Backdoor.win32.hacdef.fv and .fw which was detected using the Kapersky Online Scanner. I think also I have traced it down to 3 running services. Heres the Hijackthis Log:

Logfile of HijackThis v1.99.1
Scan saved at 12:25:36 AM, on 9/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\program files\powerstrip\pstrip.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
D:\Program Files\Common Framework\UpdaterUI.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\UnHackMe\hackmon.exe
C:\WINDOWS\system32\CTsvcCDA.exe
D:\Program Files\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\AlienAutopsy\TEKS_Service.exe
D:\Program Files\Alcohol 120%\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svsnt.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\WINDOWS\system32\wuauclt.exe
I:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.alienware...mothership.aspx
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {348FE907-249E-4C65-A838-F34A193FE1D1} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ABIT uGuru] D:\Program Files\uGuru.exe
O4 - HKLM\..\Run: [GuruClock] D:\Program Files\GuruClock.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Transfer by Image Converter 2 - C:\Program Files\Sony\Image Converter 2\menu.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.alienware.com/mothership.aspx
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast....wareControl.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.game...inematycoon.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livewc01.cust...l/java/RntX.cab
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - D:\Program Files\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProductivIT Service (ProductivITService) - DynTek, Inc. - C:\Program Files\AlienAutopsy\TEKS_Service.exe
O23 - Service: Print Spooler Service (SpoolSvc224) - Unknown owner - C:\WINDOWS\system32\dior4f4dbzxvsqqon.exe (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\Program Files\Alcohol 120%\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: System Internal AntiVirus (SVSAV) - Unknown owner - C:\WINDOWS\system32\svsnt.exe
O23 - Service: Time Service (Time) - Unknown owner - C:\WINDOWS\system32\mlsdf8hmlcumkcvnm.exe (file missing)

I believe the following services on my PC are causing the spread of the infection: Time, WTime, and SpoolSvc224

Please let me know, as soon as anyone can help me, what to do with this....

#2
Wizard

Posted 13 September 2006 - 03:21 AM

Retired Staff

Retired Staff
5,661 posts

Hi Green0j0s and Welcome to GeekstoGo!

Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer that normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

#3
Green0j0s

Posted 13 September 2006 - 06:42 PM

New Member

Topic Starter
Member
7 posts

Ok Followed your instructions everything went smoothly heres the Report.txt and Hijackthis log

SDFix: Version 1.21
-------------------------

Scan Time / Date: 19:23:00.79 / Wed 09/13/2006

Microsoft Windows XP [Version 5.1.2600]

Running from: C:\Documents and Settings\Isael\Desktop\SDFix\SDFix

Stage One...

Checking Services...

Service Name:
------------------

SpoolSvc224
SVSAV
TIME
WTIME

File Path:
------------

C:\WINDOWS\system32\dior4f4dbzxvsqqon.exe "test2" /service
"C:\WINDOWS\system32\svsnt.exe"
C:\WINDOWS\system32\cjnr4r4nldvml.exe
\??\C:\WINDOWS\system32\timedrv26.sys

Removing Services:
------------------------

SpoolSvc224 ... deleted
SVSAV ... deleted
TIME ... deleted
WTIME ... deleted

Repairing Registry...

Restoring Default Hosts File...

Stage One Complete

Rebooting!

Stage Two...

Registry Cleaning Finished...

Checking For Malware Files:
----------------------------------

C:\DOCUME~1\LOCALS~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\HCGQYI8Y\BMP_1_~1.EXE
C:\NTMS.EXE
C:\CCPT.COM
C:\WINDOWS\system32\cjnr4r4nldvml.exe
C:\WINDOWS\Temp\nlkfev7096AC490.tmp
C:\WINDOWS\system32\dior4f4atkjbtl.exe
C:\WINDOWS\system32\timedrv26.sys
C:\WINDOWS\system32\svsnt.exe

Backing Up and Removing any Files Found...

Final Check:

Remaining Services:
------------------------

Remaining Files:
-------------------

FINISHED

_________________________________________________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 7:34:22 PM, on 9/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\system32\CTsvcCDA.exe
D:\Program Files\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\AlienAutopsy\TEKS_Service.exe
D:\Program Files\Alcohol 120%\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\program files\powerstrip\pstrip.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
D:\Program Files\Common Framework\UpdaterUI.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
I:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.alienware...mothership.aspx
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {348FE907-249E-4C65-A838-F34A193FE1D1} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ABIT uGuru] D:\Program Files\uGuru.exe
O4 - HKLM\..\Run: [GuruClock] D:\Program Files\GuruClock.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Transfer by Image Converter 2 - C:\Program Files\Sony\Image Converter 2\menu.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.alienware.com/mothership.aspx
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast....wareControl.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.game...inematycoon.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livewc01.cust...l/java/RntX.cab
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - D:\Program Files\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProductivIT Service (ProductivITService) - DynTek, Inc. - C:\Program Files\AlienAutopsy\TEKS_Service.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\Program Files\Alcohol 120%\Alcohol 120\StarWind\StarWindService.exe

#4
Wizard

Posted 13 September 2006 - 08:25 PM

Retired Staff

Retired Staff
5,661 posts

I bet the PC feels alot better now! :whistling:

Lets do some checking over and be sure we dont leave anything behind.

Download Combofix to your desktop.
http://download.blee...Bs/combofix.exe

Doubleclick combo.exe
Follow the prompts.
Don't click on the window while the fix is running, because that may cause your system to hang.

When finished and after reboot, it should open a log, combofix.txt.

Post this log in your next reply.

#5
Green0j0s

Posted 13 September 2006 - 08:33 PM

New Member

Topic Starter
Member
7 posts

Isael - 06-09-13 21:28:00.70 Service Pack 2
ComboFix 06.09.14 - Running from: I:\

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Program Files\Common Files\{1876D021-0D87-1033-1220-041202040001}

((((((((((((((((((((((((((((((( Files Created from 2006-08-13 to 2006-09-13 ))))))))))))))))))))))))))))))))))

2006-08-19 14:49 286 --a------ C:\WINDOWS\autoupdate.bat
2006-08-19 14:43 2,292 --a------ C:\regfile.pif

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-09-13 21:28 -------- d-------- C:\Program Files\Common Files
2006-09-12 23:59 -------- d-------- C:\Program Files\CleanUp!(2)
2006-09-12 23:58 -------- d-------- C:\Program Files\TrojanHunter 4.6
2006-09-12 23:58 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-09-11 18:01 -------- d-------- C:\Program Files\Viewpoint
2006-08-30 01:14 -------- d-------- C:\Program Files\UnHackMe
2006-08-30 00:21 -------- d-------- C:\Program Files\Internet Explorer
2006-07-27 08:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 03:24 72704 --a------ C:\WINDOWS\system32\hlink.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnHackMe Monitor"="C:\\Program Files\\UnHackMe\\hackmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"CTDVDDET"="C:\\Program Files\\Creative\\SBAudigy2ZS\\DVDAudio\\CTDVDDET.EXE"
"CTHelper"="CTHELPER.EXE"
"AsioReg"="REGSVR32.EXE /S CTASIO.DLL"
"SBDrvDet"="C:\\Program Files\\Creative\\SB Drive Det\\SBDrvDet.exe /r"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"PowerStrip"="c:\\program files\\powerstrip\\pstrip.exe"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"McAfeeUpdaterUI"="\"D:\\Program Files\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
"type32"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\""
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"ABIT uGuru"="D:\\Program Files\\uGuru.exe"
"GuruClock"="D:\\Program Files\\GuruClock.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Network Associates Error Reporting Service"="\"C:\\Program Files\\Common Files\\Network Associates\\TalkBack\\TBMon.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,96,00,00,00,00,00,00,00,6a,04,00,00,df,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
"{1876D021-0D87-1033-1220-041202040001}"="\"C:\\Program Files\\Common Files\\{1876D021-0D87-1033-1220-041202040001}\\Update.exe\" mc-110-12-0000488"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
"{1876D021-0D87-1033-1220-041202040001}"="\"C:\\Program Files\\Common Files\\{1876D021-0D87-1033-1220-041202040001}\\Update.exe\" mc-110-12-0000488"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

Completion time: Wed 09/13/2006 21:29:02.00
ComboFix.txt
ComboFix2.txt

********************************************************

Well after doing the previous I went into my C drive and McAfee deleted a couple of files that were infected.... maybe it was the last of them it hasnt done it anymore. I meant to say after doing what I did in post 3 but before doing what you just told me to do.

Edited by Green0j0s, 13 September 2006 - 11:07 PM.

#6
Wizard

Posted 14 September 2006 - 02:59 PM

Retired Staff

Retired Staff
5,661 posts

Allright,Open a blank Notepad page.

Copy all the contents inside the code box below to notepad and save it to the desktop with the name Clr.reg

REGEDIT4

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
"{1876D021-0D87-1033-1220-041202040001}"=-

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
"{1876D021-0D87-1033-1220-041202040001}"=-

Double Click Clr.reg and allow it to merge into the regitry.

Now,locate and delete each of the below items

C:\regfile.pif<-- File

C:\WINDOWS\autoupdate.bat<-- File

C:\Program Files\Common Files\{1876D021-0D87-1033-1220-041202040001}<-- Folder

Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!

Follow the Instruction on the F-Secure page for proper installation.
Accept the License Agreement.
Once the ActiveX installs,Click Full System Scan
Once the download completes,the scan will begin automatically.
The scan will take some time to finish,so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button and Copy&Paste the entire report in your next reply along with a fresh HijackThis log.

#7
Green0j0s

Posted 15 September 2006 - 12:33 AM

New Member

Topic Starter
Member
7 posts

I couldnt do everything you told me to do..... I didnt find "C:\Program Files\Common Files\{1876D021-0D87-1033-1220-041202040001}<-- Folder
", so I wasnt able to delete it.

Scanning Report
Thursday, January 01, 2004 01:12:17 - 01:55:00
Computer name: GREENEYES
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\

--------------------------------------------------------------------------------

Result: 56 malware found
Backdoor.Win32.HacDef.fv (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP320\A0099543.COM (Renamed)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP318\A0098155.COM (Renamed)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP317\A0097942.COM (Renamed)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP317\A0097967.COM (Renamed)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP317\A0097978.COM (Renamed)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP316\A0096705.COM (Renamed)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP316\A0097938.COM (Renamed)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP315\A0095470.COM (Renamed)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP315\A0096701.COM (Renamed)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP314\A0095466.COM (Renamed)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP313\A0093241.COM (Renamed)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP313\A0094468.COM (Renamed)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP312\A0092104.COM (Renamed)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP312\A0092115.COM (Renamed)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP312\A0092126.COM (Renamed)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP312\A0092138.COM (Renamed)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP312\A0092149.COM (Renamed)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP312\A0092160.COM (Renamed)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP312\A0092172.COM (Renamed)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP312\A0092191.COM (Renamed)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP312\A0093192.COM (Renamed)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP312\A0093206.COM (Renamed)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP312\A0093217.COM (Renamed)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP312\A0093231.COM (Renamed)
Backdoor.Win32.HacDef.fw (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP320\A0099517.EXE (Renamed)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP320\A0099530.EXE (Renamed)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP320\A0099542.EXE (Renamed)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP311\A0088610.EXE (Renamed)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP311\A0088625.EXE (Renamed)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP311\A0088640.EXE (Renamed)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP308\A0082069.PIF (Renamed)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP308\A0082083.PIF (Renamed)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP308\A0082108.PIF (Renamed)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP308\A0082120.PIF (Renamed)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP308\A0083120.PIF (Renamed)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP308\A0083131.PIF (Renamed)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP308\A0083147.PIF (Renamed)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP307\A0082038.PIF (Renamed)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP307\A0082050.PIF (Renamed)
Backdoor.Win32.SdBot.aad (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP320\A0099417.EXE (Renamed & Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP320\A0099547.EXE (Renamed)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP318\A0099227.EXE (Renamed)
Possible Browser Hijack attempt (spyware)
System (Disinfected)
Tracking Cookie (spyware)
System (Disinfected)
System
System
System
System
System
System
System
System
System
W32/Agent.JVB (virus)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP320\A0099416.EXE (Submitted)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP318\A0099226.EXE
C:\AVTEMP\SETUP.EXE

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 29574
System: 3905
Not scanned: 6
Actions:
Disinfected: 2
Renamed: 42
Deleted: 0
None: 12
Submitted: 2
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{3149AB55-538D-4B41-9013-57ADB663D4F0}.BIN
C:\SYSTEM VOLUME INFORMATION\MOUNTPOINTMANAGERREMOTEDATABASE
D:\SYSTEM VOLUME INFORMATION\MOUNTPOINTMANAGERREMOTEDATABASE

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure AVP: 6.0.171, 2006-09-14
F-Secure Libra: 2.4.1, 2006-09-13
F-Secure Orion: 1.2.37, 2006-09-14
F-Secure Blacklight: 1.0.31, 0000-00-00
F-Secure Pegasus: 1.19.0, 2006-08-14
F-Secure Draco: 1.0.35, 2006-09-13
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
Use Advanced heuristics

--------------------------------------------------------------------------------

And the Hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 1:56:20 AM, on 1/1/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\program files\powerstrip\pstrip.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
D:\Program Files\Common Framework\UpdaterUI.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
D:\Program Files\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\AlienAutopsy\TEKS_Service.exe
D:\Program Files\Alcohol 120%\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
I:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.alienware...mothership.aspx
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {348FE907-249E-4C65-A838-F34A193FE1D1} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ABIT uGuru] D:\Program Files\uGuru.exe
O4 - HKLM\..\Run: [GuruClock] D:\Program Files\GuruClock.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Transfer by Image Converter 2 - C:\Program Files\Sony\Image Converter 2\menu.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.alienware.com/mothership.aspx
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast....wareControl.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec.../ols3/fscax.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.game...inematycoon.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livewc01.cust...l/java/RntX.cab
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - D:\Program Files\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProductivIT Service (ProductivITService) - DynTek, Inc. - C:\Program Files\AlienAutopsy\TEKS_Service.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\Program Files\Alcohol 120%\Alcohol 120\StarWind\StarWindService.exe

Edited by Green0j0s, 15 September 2006 - 12:35 AM.

#8
Wizard

Posted 15 September 2006 - 03:24 AM

Retired Staff

Retired Staff
5,661 posts

If you want to double check the folder status--> Click Start--> Click Run--> Type in cmd and click OK.

Once the command prompt opens,type in cd\ and hit enter

Hightlight the command below and select Copy

del C:\Program Files\Common Files\{1876D021-0D87-1033-1220-041202040001}

Now,right click inside the command prompt window and select paste.

Once the command is pasted in,hit enter and see if the folder is deleted.

One last Online Scan,Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
- Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

#9
Green0j0s

Posted 16 September 2006 - 02:21 AM

New Member

Topic Starter
Member
7 posts

I doubled checked to see if that folder was deleted, the way you mentioned, and yes MS-Dos could not locate that folder.

Friday, January 02, 2004 3:41:42 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 16/09/2006
Kaspersky Anti-Virus database records: 223843

Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases false

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics
Total number of scanned objects 74609
Number of viruses found 5
Number of infected objects 58 / 0
Number of suspicious objects 0
Duration of the scan process 01:19:01

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_GREENEYES.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_GREENEYES.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\AccessProtectionLog.txt Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\BufferOverflowProtectionLog.txt Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped

C:\Documents and Settings\Isael\Application Data\Aim\cvxboqlr\green0j0s\cert8.db Object is locked skipped

C:\Documents and Settings\Isael\Application Data\Aim\cvxboqlr\green0j0s\key3.db Object is locked skipped

C:\Documents and Settings\Isael\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Isael\Desktop\SDFix\SDFix\backups\backups.zip/backups/bmp[1].exe Infected: Backdoor.Win32.HacDef.fw skipped

C:\Documents and Settings\Isael\Desktop\SDFix\SDFix\backups\backups.zip/backups/ccpt.com Infected: Backdoor.Win32.HacDef.fv skipped

C:\Documents and Settings\Isael\Desktop\SDFix\SDFix\backups\backups.zip/backups/ntms.exe Infected: Backdoor.Win32.HacDef.fw skipped

C:\Documents and Settings\Isael\Desktop\SDFix\SDFix\backups\backups.zip/backups/svsnt.exe Infected: Backdoor.Win32.SdBot.aad skipped

C:\Documents and Settings\Isael\Desktop\SDFix\SDFix\backups\backups.zip ZIP: infected - 4 skipped

C:\Documents and Settings\Isael\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Isael\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Isael\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Isael\Local Settings\History\History.IE5\MSHist012004010220040103\index.dat Object is locked skipped

C:\Documents and Settings\Isael\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Isael\ntuser.dat Object is locked skipped

C:\Documents and Settings\Isael\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP307\A0082038.0IF Infected: Backdoor.Win32.HacDef.fw skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP307\A0082050.0IF Infected: Backdoor.Win32.HacDef.fw skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP308\A0082069.0IF Infected: Backdoor.Win32.HacDef.fw skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP308\A0082083.0IF Infected: Backdoor.Win32.HacDef.fw skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP308\A0082108.0IF Infected: Backdoor.Win32.HacDef.fw skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP308\A0082120.0IF Infected: Backdoor.Win32.HacDef.fw skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP308\A0083120.0IF Infected: Backdoor.Win32.HacDef.fw skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP308\A0083131.0IF Infected: Backdoor.Win32.HacDef.fw skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP308\A0083147.0IF Infected: Backdoor.Win32.HacDef.fw skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP309\A0084280.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.Agent.y skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP309\A0084280.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.q skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP309\A0084280.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.q skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP309\A0084280.exe NSIS: infected - 3 skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP309\A0084281.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.Agent.y skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP309\A0084281.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.q skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP309\A0084281.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.q skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP309\A0084281.exe NSIS: infected - 3 skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP311\A0088610.0XE Infected: Backdoor.Win32.HacDef.fw skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP311\A0088625.0XE Infected: Backdoor.Win32.HacDef.fw skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP311\A0088640.0XE Infected: Backdoor.Win32.HacDef.fw skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP312\A0092104.0OM Infected: Backdoor.Win32.HacDef.fv skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP312\A0092115.0OM Infected: Backdoor.Win32.HacDef.fv skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP312\A0092126.0OM Infected: Backdoor.Win32.HacDef.fv skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP312\A0092138.0OM Infected: Backdoor.Win32.HacDef.fv skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP312\A0092149.0OM Infected: Backdoor.Win32.HacDef.fv skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP312\A0092160.0OM Infected: Backdoor.Win32.HacDef.fv skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP312\A0092172.0OM Infected: Backdoor.Win32.HacDef.fv skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP312\A0092191.0OM Infected: Backdoor.Win32.HacDef.fv skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP312\A0093192.0OM Infected: Backdoor.Win32.HacDef.fv skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP312\A0093206.0OM Infected: Backdoor.Win32.HacDef.fv skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP312\A0093217.0OM Infected: Backdoor.Win32.HacDef.fv skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP312\A0093231.0OM Infected: Backdoor.Win32.HacDef.fv skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP313\A0093241.0OM Infected: Backdoor.Win32.HacDef.fv skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP313\A0094468.0OM Infected: Backdoor.Win32.HacDef.fv skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP314\A0095466.0OM Infected: Backdoor.Win32.HacDef.fv skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP315\A0095470.0OM Infected: Backdoor.Win32.HacDef.fv skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP315\A0096701.0OM Infected: Backdoor.Win32.HacDef.fv skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP316\A0096705.0OM Infected: Backdoor.Win32.HacDef.fv skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP316\A0097938.0OM Infected: Backdoor.Win32.HacDef.fv skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP317\A0097942.0OM Infected: Backdoor.Win32.HacDef.fv skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP317\A0097967.0OM Infected: Backdoor.Win32.HacDef.fv skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP317\A0097978.0OM Infected: Backdoor.Win32.HacDef.fv skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP318\A0098155.0OM Infected: Backdoor.Win32.HacDef.fv skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP318\A0099227.0XE Infected: Backdoor.Win32.SdBot.aad skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP318\A0099229.exe Infected: not-a-virus:AdWare.Win32.Agent.y skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP320\A0099417.0XE Infected: Backdoor.Win32.SdBot.aad skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP320\A0099419.exe Infected: not-a-virus:AdWare.Win32.Agent.y skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP320\A0099517.0XE Infected: Backdoor.Win32.HacDef.fw skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP320\A0099530.0XE Infected: Backdoor.Win32.HacDef.fw skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP320\A0099542.0XE Infected: Backdoor.Win32.HacDef.fw skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP320\A0099543.0OM Infected: Backdoor.Win32.HacDef.fv skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP320\A0099547.0XE Infected: Backdoor.Win32.SdBot.aad skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP320\A0099566.exe Infected: not-a-virus:AdWare.Win32.Agent.y skipped

C:\System Volume Information\_restore{C4F8676F-0347-4E5F-B8A1-4FFC39767621}\RP322\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\WINDOWS\{00000002-00000000-00000005-00001102-00000004-20021102}.CDF Object is locked skipped

D:\Program Files\Alcohol 120%\Alcohol 120\StarWind\logs\starwind.2004-01-02.00-33-08.log Object is locked skipped

D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

***********************************************************************

Logfile of HijackThis v1.99.1
Scan saved at 3:43:19 AM, on 1/2/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\rundll32.exe
C:\program files\powerstrip\pstrip.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
D:\Program Files\Common Framework\UpdaterUI.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
D:\Program Files\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\AlienAutopsy\TEKS_Service.exe
D:\Program Files\Alcohol 120%\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
D:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
I:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.alienware...mothership.aspx
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {348FE907-249E-4C65-A838-F34A193FE1D1} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ABIT uGuru] D:\Program Files\uGuru.exe
O4 - HKLM\..\Run: [GuruClock] D:\Program Files\GuruClock.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Transfer by Image Converter 2 - C:\Program Files\Sony\Image Converter 2\menu.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.alienware.com/mothership.aspx
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast....wareControl.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec.../ols3/fscax.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.game...inematycoon.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livewc01.cust...l/java/RntX.cab
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - D:\Program Files\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProductivIT Service (ProductivITService) - DynTek, Inc. - C:\Program Files\AlienAutopsy\TEKS_Service.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\Program Files\Alcohol 120%\Alcohol 120\StarWind\StarWindService.exe

#10
Wizard

Posted 16 September 2006 - 05:09 AM

Retired Staff

Retired Staff
5,661 posts

Open HijackThis-> Click "Do a System Scan Only" and put a check by these but DO NOT hit the Fix Checked button yet

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com

O2 - BHO: (no name) - {348FE907-249E-4C65-A838-F34A193FE1D1} - (no file)

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button

Copy the contents of this next code box to Notepad.
Name the file inspect.bat
Save as Type: All files

If not exist Files MkDir Files


regedit /a /e files\2.txt HKEY_CURRENT_USER\Software\Microsoft\OLE
regedit /a /e files\3.txt HKEY_CURRENT_USER\System\CurrentControlSet\Control\Lsa
regedit /a /e files\4.txt HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
regedit /a /e files\5.txt HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
regedit /e /a files\6.txt HKEY_USERS\DEFAULT\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA
regedit /a /e files\7.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
regedit /a /e files\8.txt "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center"
Regedit /a /e files\9.txt HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
Regedit /a /e files\10.txt HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
Regedit /a /e files\11.txt HKEY_LOCAL_MACHINE\SOFTWARE\Policies\WindowsFirewall
Regedit /a /e files\12.txt HKEY_CURRENT_USER\SOFTWARE\Policies\WindowsFirewall
regedit /a /e files\13.txt HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters
regedit /a /e files\14.txt HKEY_LOCAL_MACHINE\SYSTEM\Services\SharedAccess


Copy files\*.txt = lsa.txt
rmdir /s /q files
Start Notepad lsa.txt

Double click on inspect.bat and let it run.
When finished it will open a file in Notepad.
That file will be named lsa.txt
Please post the contents of lsa.txt into your next reply here.

Please Install these 2 to add to the Security of the PC!

SpywareBlaster:
http://www.javacools.../downloads.html
Update Immediatly!

WinHelp2002 Hosts File
http://www.mvps.org/...2002/hosts2.htm

Post back with a fresh HijackThis log and the contents of lsa.txt in the next reply.

#11
Green0j0s

Posted 16 September 2006 - 01:49 PM

New Member

Topic Starter
Member
7 posts

Heres the lsa.txt

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID]
"{17492023-C23A-453E-A040-C7C580BBF700}"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"=dword:00000001
"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}"=dword:40000021
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"=dword:00000020

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings]
"Key"=hex:3c,04,67,8e,ed,5e,1e,85,34,0c,e6,f6,30,dd,e1,4e
"Hint"="Think hard"
"FileName0"="C:\\WINDOWS\\system32\\RSACi.rat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default]
"Allow_Unknowns"=dword:00000000
"PleaseMom"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default\http://www.rsac.org/ratingsv01.html]
"l"=dword:00000002
"n"=dword:00000002
"s"=dword:00000002
"v"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default]
"NumSys"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0]
"dwFlags"=dword:00000000
"errLine"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy]
"PRNumPolicy"=dword:00000014

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\0]
"PRPPolicyAttribute"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\0\PRPPolicySub]
"PRNumURLExpressions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\0\PRPPolicySub\0]
"PRBUInternetPattern"=dword:00000001
"PRBUNonWild"=dword:0000000d
"PRBUSpecified"=dword:0000001f
"PRBUScheme"="http"
"PRBUHost"="google.com"
"PRBUPort"="80"
"PRBUUrl"="google.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\1]
"PRPPolicyAttribute"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\1\PRPPolicySub]
"PRNumURLExpressions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\1\PRPPolicySub\0]
"PRBUInternetPattern"=dword:00000001
"PRBUNonWild"=dword:0000000d
"PRBUSpecified"=dword:0000001f
"PRBUScheme"="http"
"PRBUHost"="forums.maxima.org"
"PRBUPort"="80"
"PRBUUrl"="forums.maxima.org"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\10]
"PRPPolicyAttribute"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\10\PRPPolicySub]
"PRNumURLExpressions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\10\PRPPolicySub\0]
"PRBUInternetPattern"=dword:00000001
"PRBUNonWild"=dword:0000000d
"PRBUSpecified"=dword:0000001f
"PRBUScheme"="http"
"PRBUHost"="delb.mspaceads.com"
"PRBUPort"="80"
"PRBUUrl"="delb.mspaceads.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\11]
"PRPPolicyAttribute"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\11\PRPPolicySub]
"PRNumURLExpressions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\11\PRPPolicySub\0]
"PRBUInternetPattern"=dword:00000001
"PRBUNonWild"=dword:0000000d
"PRBUSpecified"=dword:0000001f
"PRBUScheme"="http"
"PRBUHost"="desk.mspaceads.com"
"PRBUPort"="80"
"PRBUUrl"="desk.mspaceads.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\12]
"PRPPolicyAttribute"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\12\PRPPolicySub]
"PRNumURLExpressions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\12\PRPPolicySub\0]
"PRBUInternetPattern"=dword:00000001
"PRBUNonWild"=dword:0000000d
"PRBUSpecified"=dword:0000001f
"PRBUScheme"="http"
"PRBUHost"="mail1.myspace.com"
"PRBUPort"="80"
"PRBUUrl"="mail1.myspace.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\13]
"PRPPolicyAttribute"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\13\PRPPolicySub]
"PRNumURLExpressions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\13\PRPPolicySub\0]
"PRBUInternetPattern"=dword:00000001
"PRBUNonWild"=dword:0000000d
"PRBUSpecified"=dword:0000001f
"PRBUScheme"="http"
"PRBUHost"="uillinois.facebook.com"
"PRBUPort"="80"
"PRBUUrl"="uillinois.facebook.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\14]
"PRPPolicyAttribute"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\14\PRPPolicySub]
"PRNumURLExpressions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\14\PRPPolicySub\0]
"PRBUInternetPattern"=dword:00000001
"PRBUNonWild"=dword:0000000d
"PRBUSpecified"=dword:0000001f
"PRBUScheme"="http"
"PRBUHost"="media.adrevolver.com"
"PRBUPort"="80"
"PRBUUrl"="media.adrevolver.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\15]
"PRPPolicyAttribute"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\15\PRPPolicySub]
"PRNumURLExpressions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\15\PRPPolicySub\0]
"PRBUInternetPattern"=dword:00000001
"PRBUNonWild"=dword:0000000d
"PRBUSpecified"=dword:0000001f
"PRBUScheme"="http"
"PRBUHost"="depaul.facebook.com"
"PRBUPort"="80"
"PRBUUrl"="depaul.facebook.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\16]
"PRPPolicyAttribute"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\16\PRPPolicySub]
"PRNumURLExpressions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\16\PRPPolicySub\0]
"PRBUInternetPattern"=dword:00000001
"PRBUNonWild"=dword:0000000d
"PRBUSpecified"=dword:0000001f
"PRBUScheme"="http"
"PRBUHost"="network.realmedia.com"
"PRBUPort"="80"
"PRBUUrl"="network.realmedia.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\17]
"PRPPolicyAttribute"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\17\PRPPolicySub]
"PRNumURLExpressions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\17\PRPPolicySub\0]
"PRBUInternetPattern"=dword:00000001
"PRBUNonWild"=dword:0000000d
"PRBUSpecified"=dword:0000001f
"PRBUScheme"="http"
"PRBUHost"="maxima.org"
"PRBUPort"="80"
"PRBUUrl"="maxima.org"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\18]
"PRPPolicyAttribute"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\18\PRPPolicySub]
"PRNumURLExpressions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\18\PRPPolicySub\0]
"PRBUInternetPattern"=dword:00000001
"PRBUNonWild"=dword:0000000d
"PRBUSpecified"=dword:0000001f
"PRBUScheme"="http"
"PRBUHost"="pages.ebay.com"
"PRBUPort"="80"
"PRBUUrl"="pages.ebay.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\19]
"PRPPolicyAttribute"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\19\PRPPolicySub]
"PRNumURLExpressions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\19\PRPPolicySub\0]
"PRBUInternetPattern"=dword:00000001
"PRBUNonWild"=dword:0000000d
"PRBUSpecified"=dword:0000001f
"PRBUScheme"="http"
"PRBUHost"="chat.myspace.com"
"PRBUPort"="80"
"PRBUUrl"="chat.myspace.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\2]
"PRPPolicyAttribute"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\2\PRPPolicySub]
"PRNumURLExpressions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\2\PRPPolicySub\0]
"PRBUInternetPattern"=dword:00000001
"PRBUNonWild"=dword:0000000d
"PRBUSpecified"=dword:0000001f
"PRBUScheme"="http"
"PRBUHost"="www.maxima.org"
"PRBUPort"="80"
"PRBUUrl"="www.maxima.org"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\3]
"PRPPolicyAttribute"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\3\PRPPolicySub]
"PRNumURLExpressions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\3\PRPPolicySub\0]
"PRBUInternetPattern"=dword:00000001
"PRBUNonWild"=dword:0000000d
"PRBUSpecified"=dword:0000001f
"PRBUScheme"="http"
"PRBUHost"="myspace.com"
"PRBUPort"="80"
"PRBUUrl"="myspace.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\4]
"PRPPolicyAttribute"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\4\PRPPolicySub]
"PRNumURLExpressions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\4\PRPPolicySub\0]
"PRBUInternetPattern"=dword:00000001
"PRBUNonWild"=dword:0000000d
"PRBUSpecified"=dword:0000001f
"PRBUScheme"="http"
"PRBUHost"="login.myspace.com"
"PRBUPort"="80"
"PRBUUrl"="login.myspace.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\5]
"PRPPolicyAttribute"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\5\PRPPolicySub]
"PRNumURLExpressions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\5\PRPPolicySub\0]
"PRBUInternetPattern"=dword:00000001
"PRBUNonWild"=dword:0000000d
"PRBUSpecified"=dword:0000001f
"PRBUScheme"="http"
"PRBUHost"="home.myspace.com"
"PRBUPort"="80"
"PRBUUrl"="home.myspace.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\6]
"PRPPolicyAttribute"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\6\PRPPolicySub]
"PRNumURLExpressions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\6\PRPPolicySub\0]
"PRBUInternetPattern"=dword:00000001
"PRBUNonWild"=dword:0000000d
"PRBUSpecified"=dword:0000001f
"PRBUScheme"="http"
"PRBUHost"="home13.myspace.com"
"PRBUPort"="80"
"PRBUUrl"="home13.myspace.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\7]
"PRPPolicyAttribute"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\7\PRPPolicySub]
"PRNumURLExpressions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\7\PRPPolicySub\0]
"PRBUInternetPattern"=dword:00000001
"PRBUNonWild"=dword:0000000d
"PRBUSpecified"=dword:0000001f
"PRBUScheme"="http"
"PRBUHost"="onlinenow.myspace.com"
"PRBUPort"="80"
"PRBUUrl"="onlinenow.myspace.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\8]
"PRPPolicyAttribute"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\8\PRPPolicySub]
"PRNumURLExpressions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\8\PRPPolicySub\0]
"PRBUInternetPattern"=dword:00000001
"PRBUNonWild"=dword:0000000d
"PRBUSpecified"=dword:0000001f
"PRBUScheme"="http"
"PRBUHost"="profile.myspace.com"
"PRBUPort"="80"
"PRBUUrl"="profile.myspace.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\9]
"PRPPolicyAttribute"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\9\PRPPolicySub]
"PRNumURLExpressions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\9\PRPPolicySub\0]
"PRBUInternetPattern"=dword:00000001
"PRBUNonWild"=dword:0000000d
"PRBUSpecified"=dword:0000001f
"PRBUScheme"="http"
"PRBUHost"="www.myspace.com"
"PRBUPort"="80"
"PRBUUrl"="www.myspace.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters]
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,69,70,6e,61,74,68,6c,70,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\\Program Files\\AIM\\aim.exe"="D:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP"="139:TCP:*:Enabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:*:Enabled:@xpsp2res.dll,-22005"
"137:UDP"="137:UDP:*:Enabled:@xpsp2res.dll,-22001"
"138:UDP"="138:UDP:*:Enabled:@xpsp2res.dll,-22002"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001
"DoNotAllowExceptions"=dword:00000000
"DisableNotifications"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\THQ\\Dawn of War\\W40k.exe"="C:\\Program Files\\THQ\\Dawn of War\\W40k.exe:*:Enabled:W40K"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\support.com\\bin\\tgcmd.exe"="C:\\Program Files\\support.com\\bin\\tgcmd.exe:*:Enabled:Support.com Scheduler and Command Dispatcher"
"D:\\StubInstaller.exe"="D:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"D:\\Program Files\\LimeWire\\LimeWire.exe"="D:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Activision\\X-Men Legends 2\\XMen2.exe"="C:\\Program Files\\Activision\\X-Men Legends 2\\XMen2.exe:*:Enabled:XMen2"
"C:\\Program Files\\Area 51\\A51.exe"="C:\\Program Files\\Area 51\\A51.exe:*:Enabled:A51"
"D:\\Program Files\\AIM\\aim.exe"="D:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"="C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe:*:Enabled:Battlefield 2"
"C:\\Program Files\\Java\\jre1.5.0_02\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.5.0_02\\bin\\javaw.exe:*:Disabled:Java™ 2 Platform Standard Edition binary"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe:*:Disabled:Java™ 2 Platform Standard Edition binary"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP"="1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007"
"2869:TCP"="2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008"
"139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005"
"137:UDP"="137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001"
"138:UDP"="138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002"

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\OLE]

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,5c,00,00,00,6c,00,00,00,00,00,00,00,\
14,00,00,00,02,00,48,00,03,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
00,05,04,00,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,00,05,12,00,00,\
00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,\
20,00,00,00,20,02,00,00
"MachineLaunchRestriction"=hex:01,00,04,80,48,00,00,00,58,00,00,00,00,00,00,00,\
14,00,00,00,02,00,34,00,02,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
00,01,00,00,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,\
00,00,00,00,05,20,00,00,00,20,02,00,00
"MachineAccessRestriction"=hex:01,00,04,80,44,00,00,00,54,00,00,00,00,00,00,00,\
14,00,00,00,02,00,30,00,02,00,00,00,00,00,14,00,03,00,00,00,01,01,00,00,00,\
00,00,05,07,00,00,00,00,00,14,00,07,00,00,00,01,01,00,00,00,00,00,01,00,00,\
00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,\
05,20,00,00,00,20,02,00,00
"EnableDCOM"="Y"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList]
"{A50398B8-9075-4FBF-A7A1-456BF21937AD}"="1"
"{AD65A69D-3831-40D7-9629-9B0B50A93843}"="1"
"{0040D221-54A1-11D1-9DE0-006097042D69}"="1"
"{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3}"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\NONREDIST]
"System.EnterpriseServices.Thunk.dll"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,65,72,62,65,72,6f,73,00,6d,73,76,31,5f,30,00,73,\
63,68,61,6e,6e,65,6c,00,77,64,69,67,65,73,74,00,00
"ImpersonatePrivilegeUpgradeToolHasRun"=dword:00000001
"LsaPid"=dword:00000330
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000000
"restrictanonymoussam"=dword:00000001
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
"enabledcom"="y"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,69,6e,64,6f,77,73,20,4e,54,20,41,63,63,65,73,73,20,\
50,72,6f,76,69,64,65,72,00,00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,6e,74,6d,61,72,74,61,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Audit]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:15,93,05,19,7f,7e,65,13,38,a5,79,cc,a5,a3,e7,b0,66,34,38,64,62,\
31,38,31,00,fd,07,00,c8,33,00,00,34,fa,07,00,56,82,7c,75,20,fa,07,00,40,fd,\
07,00,4c,fd,07,00,e3,12,5b,bc,7d,08,8d,8f,2a,97,80,f4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:7b,95,d8,27,00,d2,40,65,31

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:0e,9f,46,bf,91,5e

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Domains]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\SidCache]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0]
"Auth132"="IISSUBA"
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:b9,da,6f,c7,f2,91,df,b2,88,28,40,95,60,d4,01,58

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SSO]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:c8,ae,5e,e2,92,fd,c4,01

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,e0,60,91,1a,7a,c4,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,e0,60,91,1a,7a,c4,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,e0,60,91,1a,7a,c4,01
"Type"=dword:00000031

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled"=dword:00000001
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center]
"FirstRun"=dword:00000001

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]

***********************************************************

Logfile of HijackThis v1.99.1
Scan saved at 1:01:20 AM, on 1/1/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\program files\powerstrip\pstrip.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
D:\Program Files\Common Framework\UpdaterUI.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
D:\Program Files\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\AlienAutopsy\TEKS_Service.exe
D:\Program Files\Alcohol 120%\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
I:\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.alienware...mothership.aspx
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ABIT uGuru] D:\Program Files\uGuru.exe
O4 - HKLM\..\Run: [GuruClock] D:\Program Files\GuruClock.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Transfer by Image Converter 2 - C:\Program Files\Sony\Image Converter 2\menu.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.alienware.com/mothership.aspx
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast....wareControl.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec.../ols3/fscax.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.game...inematycoon.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livewc01.cust...l/java/RntX.cab
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - D:\Program Files\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProductivIT Service (ProductivITService) - DynTek, Inc. - C:\Program Files\AlienAutopsy\TEKS_Service.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\Program Files\Alcohol 120%\Alcohol 120\StarWind\StarWindService.exe

#12
Wizard

Posted 17 September 2006 - 04:50 AM

Retired Staff

Retired Staff
5,661 posts

Disable System Restore
http://service1.syma...src=sec_doc_nam

Go ahead and remove any of the tools downloaded that are of no use anymore

Post back and let me know how things are running now?

#13
Green0j0s

Posted 17 September 2006 - 11:49 PM

New Member

Topic Starter
Member
7 posts

I did what you said and did some virus scanning heres what I came up with......

KASPERSKY ONLINE SCANNER REPORT
Sunday, September 17, 2006 10:36:07 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 18/09/2006
Kaspersky Anti-Virus database records: 224104

Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\

Scan Statistics
Total number of scanned objects 71727
Number of viruses found 0
Number of infected objects 0 / 0
Number of suspicious objects 0
Duration of the scan process 01:16:49

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_GREENEYES.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_GREENEYES.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\AccessProtectionLog.txt Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\BufferOverflowProtectionLog.txt Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped

C:\Documents and Settings\Isael\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Isael\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Isael\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Isael\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Isael\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Isael\ntuser.dat Object is locked skipped

C:\Documents and Settings\Isael\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{94EA08F4-441F-42EB-9749-F70B7569A52F}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edbtmp.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\WINDOWS\{00000002-00000000-00000005-00001102-00000004-20021102}.CDF Object is locked skipped

D:\Program Files\Alcohol 120%\Alcohol 120\StarWind\logs\starwind.2006-09-17.20-58-57.log Object is locked skipped

D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

************************************************************

F-Secure Online Scanner

Scanning Report
Sunday, September 17, 2006 22:39:30 - 00:45:37
Computer name: GREENEYES
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\

--------------------------------------------------------------------------------

Result: 3 malware found
Tracking Cookie (spyware)
System (Disinfected)
System
W32/Agent.JVB (virus)
C:\avtemp\setup.exe

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 330448
System: 3974
Not scanned: 190
Actions:
Disinfected: 1
Renamed: 0
Deleted: 0
None: 2
Submitted: 0
Files not scanned:
ÀvÄ ]:iles\EA GAMES\Battlefield 2 Server\mods\bf2\Levels\Wake_Island_2007\server.zip\overgrowth\Overgrowth.con
C:\Program Files\EA GAMES\Battlefield 2 Server\mods\bf2\Levels\Strike_at_Karkand\server.zip\Overgrowth\Overgrowth.con
C:\Program Files\EA GAMES\Battlefield 2 Server\mods\bf2\Levels\Songhua_Stalemate\server.zip\overgrowth\Overgrowth.con
C:\Program Files\EA GAMES\Battlefield 2 Server\mods\bf2\Levels\Sharqi_Peninsula\server.zip\overgrowth\Overgrowth.con
C:\Program Files\EA GAMES\Battlefield 2 Server\mods\bf2\Levels\Sharqi_Peninsula\server.zip\overgrowth\OvergrowthCollision.con
C:\Program Files\EA GAMES\Battlefield 2 Server\mods\bf2\Levels\Operation_Clean_Sweep\server.zip\Overgrowth\Overgrowth.con
C:\Program Files\EA GAMES\Battlefield 2 Server\mods\bf2\Levels\Operation_Clean_Sweep\server.zip\Overgrowth\OvergrowthCollision.con
C:\Program Files\EA GAMES\Battlefield 2 Server\mods\bf2\Levels\Mashtuur_City\server.zip\Overgrowth\Overgrowth.con
C:\Program Files\EA GAMES\Battlefield 2 Server\mods\bf2\Levels\Mashtuur_City\server.zip\Overgrowth\OvergrowthCollision.con
C:\Program Files\EA GAMES\Battlefield 2 Server\mods\bf2\Levels\kubra_dam\server.zip\overgrowth\Overgrowth.con
C:\Program Files\EA GAMES\Battlefield 2 Server\mods\bf2\Levels\Gulf_of_Oman\server.zip\HeightmapSecondary_R1U1.raw
C:\Program Files\EA GAMES\Battlefield 2 Server\mods\bf2\Levels\Gulf_of_Oman\server.zip\overgrowth\Overgrowth.con
C:\Program Files\EA GAMES\Battlefield 2 Server\mods\bf2\Levels\FuShe_Pass\server.zip\Overgrowth\Overgrowth.con
C:\Program Files\EA GAMES\Battlefield 2 Server\mods\bf2\Levels\Dragon_Valley\server.zip\overgrowth\Overgrowth.con
C:\Program Files\EA GAMES\Battlefield 2 Server\mods\bf2\Levels\Daqing_oilfields\server.zip\overgrowth\Overgrowth.con
C:\Program Files\EA GAMES\Battlefield 2 Server\mods\bf2\Levels\Dalian_plant\server.zip\Overgrowth\Overgrowth.con
C:\Program Files\EA GAMES\Battlefield 2\mods\bf2\Levels\Zatar_Wetlands\server.zip\Overgrowth\Overgrowth.con
C:\Program Files\EA GAMES\Battlefield 2\mods\bf2\Levels\Wake_Island_2007\server.zip\overgrowth\Overgrowth.con
C:\Program Files\EA GAMES\Battlefield 2\mods\bf2\Levels\Strike_at_Karkand\server.zip\Overgrowth\Overgrowth.con
C:\Program Files\EA GAMES\Battlefield 2\mods\bf2\Levels\Songhua_Stalemate\server.zip\overgrowth\Overgrowth.con
C:\Program Files\EA GAMES\Battlefield 2\mods\bf2\Levels\Sharqi_Peninsula\server.zip\overgrowth\Overgrowth.con
C:\Program Files\EA GAMES\Battlefield 2\mods\bf2\Levels\Sharqi_Peninsula\server.zip\overgrowth\OvergrowthCollision.con
C:\Program Files\EA GAMES\Battlefield 2\mods\bf2\Levels\Operation_Clean_Sweep\server.zip\Overgrowth\Overgrowth.con
C:\Program Files\EA GAMES\Battlefield 2\mods\bf2\Levels\Operation_Clean_Sweep\server.zip\Overgrowth\OvergrowthCollision.con
C:\Program Files\EA GAMES\Battlefield 2\mods\bf2\Levels\Mashtuur_City\server.zip\Overgrowth\Overgrowth.con
C:\Program Files\EA GAMES\Batth\Oã

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure AVP: 6.0.171, 2006-09-15
F-Secure Libra: 2.4.1, 2006-09-15
F-Secure Orion: 1.2.37, 2006-09-14
F-Secure Blacklight: 1.0.31, 0000-00-00
F-Secure Pegasus: 1.19.0, 2006-08-14
Scanning options:
Scan all files
Scan inside archives
Use Advanced heuristics

*****************************************************************

Logfile of HijackThis v1.99.1
Scan saved at 10:36:25 PM, on 9/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\program files\powerstrip\pstrip.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
D:\Program Files\Common Framework\UpdaterUI.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
D:\Program Files\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\AlienAutopsy\TEKS_Service.exe
D:\Program Files\Alcohol 120%\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
I:\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.alienware...mothership.aspx
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ABIT uGuru] D:\Program Files\uGuru.exe
O4 - HKLM\..\Run: [GuruClock] D:\Program Files\GuruClock.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Transfer by Image Converter 2 - C:\Program Files\Sony\Image Converter 2\menu.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.alienware.com/mothership.aspx
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast....wareControl.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec.../ols3/fscax.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.game...inematycoon.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livewc01.cust...l/java/RntX.cab
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - D:\Program Files\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProductivIT Service (ProductivITService) - DynTek, Inc. - C:\Program Files\AlienAutopsy\TEKS_Service.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\Program Files\Alcohol 120%\Alcohol 120\StarWind\StarWindService.exe

Seems like everything is good now..... I hope...

Edited by Green0j0s, 17 September 2006 - 11:52 PM.

#14
Wizard

Posted 18 September 2006 - 03:46 AM

Retired Staff

Retired Staff
5,661 posts

C:\avtemp\setup.exe<---- Thats the only item Im unsure about,maybe you know where that came from.

Other than that,the logs look fine to me! :whistling:

Go ahead and Renable System Restore and restart the PC,this will clear out all old nasty restore points and create a nice new fresh clean one for you to fall back on should you ever need it.

Updating Java and Clearing Cache

Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
It will say "Java Plug-in" under the icon.
Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
If you are unable to update you can manually update by going here:
- http://www.java.com/en/download/manual.jsp
After the reboot, go back into the Control Panel and double-click the Java Icon.
Under Temporary Internet Files, click the Delete Files button.
There are three options in the window to clear the cache - Leave ALL 3 CheckedDownloaded Applets
Downloaded Applications
Other Files
Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
Click OK to leave the Java Control Panel.

It is suggested that you go and change all your passwords since some of these may have been compromised during the infection.

Read through those 3 little black links in my signature to get some extra ideas about how to avoid this in the future.

Please remember to check your AntiVirus and any Spyware Apps for updates atleast twice a week

Make sure you keep your Windows Operating System up to date by visiting Windows Updates regularly to download and install any critical updates and service packs.

If you ever need us again,you know how to find us! :blink: