Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Unknown malware killed my networking [RESOLVED]


  • This topic is locked This topic is locked

#1
Nates

Nates

    Member

  • Member
  • PipPip
  • 59 posts
First of all, thank you so much for the help. It's immensely appreciated. Here's the background story I posted in another forum...

This is happening on my Asus z70Va and appears to be related to the drivers.

I came home today to see that Norton had quarantined several files (mentioning hacktool.rootkit, trojans, downloaders, winlogon32.exe, and others). Unfortunately, I didn't realize it was still scanning, and I did as the program suggested and hit the Reboot button. Here's where the fun begins...

Windows refused to start up normally, so I had to get in using safe mode. In safe mode, I ran Norton again and did a full scan. After over three hours, it quarantined more files, but it then got stuck scanning a specific file (an old file that I doubt is actually causing any problems). I had to force a reboot, and this time Windows started up without having to go into safe mode. Upon startup, I was prompted with an error message from Norton saying something about how the TCP/IP transport is not installed. That was really unusual, so I tried hitting the wireless button on my notebook. Instead of turning on, it gave me the following error message:

"Unable to load the INTEL Muroc API, This function need to install INTEL Proset utility"

Odd (and yes, it was in that broken English), but that didn't seem too difficult (fortunately, I had access to a desktop computer). I went to the Asus site and downloaded the Proset utility and tried to do a repair. It went along, but got stuck when repairing 802.1x Supplicant. I tried cancelling, but then it got stuck on the "Program Cancellation in Progress... Please wait..." window. I eventually forced it to quit, and did some more searching on the net. Meanwhile, I ran a custom scan in Norton (starting after the file that it would get stuck on), and it quarantined a few more files again. Since then, the scans haven't turned up anything, though I must admit I haven't yet done a second full scan.

Anyway, back to the networking problem. Someone on a forum with a similar problem (although his didn't start with a virus) suggested that using the original drivers did the trick. I popped in my original laptop drivers CD, had it uninstall the drivers, and then reintall them. Again, it got stuck on 802.1x Supplicant. I tried this a few more times, and now it's starting to auto-cancel my attempts to install the drivers. It then gives me a report saying that the components that it installed have an error.

I should also mention that my Device Manager looks pretty ugly, with my Infrared Device, and all of my Network adapters showing up as being either corrupted or missing (Code 39).

Please help! I need my computer back!

It seems like things just keep getting worse. Was running a full scan and I got an error message about lsass.exe, and it automatically shut down my computer after a 60 second countdown. Once it got back into Windows, my laptop made this ugly beeping noise and a message popped up saying that my system.log file is corrupt (and I should run checkdsk). Then some System Busy message kept popping up, and my computer eventually froze up. I'm trying to reboot as I type. What a nightmare... Considering that I do take a number of precautions when it comes to viruses, I can't believe this is happening! I just rebooted and I'm crossing my fingers that Windows will even start...


Since then, I've noticed that an item called mroute~2.exe keeps appearing and disappearing in my Task Manager.

And now, here's the log...

Logfile of HijackThis v1.99.1
Scan saved at 8:41:36 AM, on 4/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Notebook Hardware Control\nhc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Generic\Wireless Console\wcourier.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft Location Finder\LocationFinder.exe
C:\Garmin\gStart.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Documents and Settings\Nates\My Documents\fixplease\HijackThis.exe
c:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Documents and Settings\Nates\My Documents\My Torrents\incomplete\BitComet\tools\BitCometBHO.dll
O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - C:\WINDOWS\system32\ipv6mons.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\Generic\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [NotebookHardwareControl] "C:\Program Files\Notebook Hardware Control\nhc.exe" -quiet
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O5 "LPT1:" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P39 "EPSON Stylus Photo R200 Series (Copy 1)" /O6 "USB002" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [Wireless Console] C:\Program Files\Generic\Wireless Console\wcourier.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AdobeUpdateManager.exe AcPro7_0_5 -reboot 1
O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [gStart] C:\Garmin\gStart.exe
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: Logo Calibration Loader.lnk = C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe
O4 - Global Startup: Phone Connection Monitor.lnk = C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
O4 - Global Startup: ProfileReminder.lnk = C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\ProfileReminder.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Documents and Settings\Nates\My Documents\My Torrents\incomplete\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Documents and Settings\Nates\My Documents\My Torrents\incomplete\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Documents and Settings\Nates\My Documents\My Torrents\incomplete\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\vhfnsgk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\vhfnsgk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\vhfnsgk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\vhfnsgk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\vhfnsgk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\vhfnsgk.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: OwnershipProtocol - Unknown owner - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Unknown owner - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
  • 0

Advertisements


#2
Nates

Nates

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts
Quick update... this morning I woke up to find that Norton has deleted the following:

Trojan.Spabot - A0061014.dll
Downloader - A0061018.exe
Downloader - A0061019.exe
Hacktool.Rootkit - A0061020.sys
Trojan.Alpiok - A0061077.exe
Downloader - A0061078.exe

All of them were located in C:\SYSTEM~1|_RESTO~1\RP493

Oh, and quick question... is it smarter to leave my infected laptop up and running, or should I shut it down?

Edited by Nates, 28 April 2007 - 03:08 PM.

  • 0

#3
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi :whistling:

As long as you keep the laptop off the internet for the most part, I dont think it matters, shutting it down would be the best option though.

You have a nasty infection. Lets begin with this

Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  • 0

#4
Nates

Nates

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts
Hi loophole, thank you so much for helping me! No problem about not going on the internet, seeing as how my notebook's networking capabilities have been completely hosed. I'm currently using my girlfriend's old Mac, so please forgive me if I take a long time to get things done.

Here is the log (one of the directories contains my full name, so I changed them to "Nates" for posting)...

"Nates" - 07-04-29 21:44:17 Service Pack 2

ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\Nates\Desktop\fixer\"





(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))





C:\WINDOWS\system32\ipv6mons.dll

C:\WINDOWS\installer\3420b530.msi





((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))





-------\ntldr

-------\poof

-------\LEGACY_NTLDR

-------\LEGACY_POOF





((((((((((((((((((((((((((((((( Files Created from 2007-03-28 to 2007-04-29 ))))))))))))))))))))))))))))))))))





2007-04-29 21:39 51,056 --a------ C:\combofix.exe

2007-04-28 08:14 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys

2007-04-28 08:13 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys

2007-04-28 03:31 17,119 --a------ C:\WINDOWS\system32\drivers\AegisP.sys

2007-04-28 03:29 <DIR> d-------- C:\Program Files\Intel

2007-04-28 01:34 1,654,784 --a------ C:\WINDOWS\system32\W29MLRES.DLL

2007-04-27 20:03 21,504 --a------ C:\WINDOWS\system32\vhfnsgk.dll

2007-04-12 00:34 <DIR> d--hs---- C:\WINDOWS\system32\wsnpoem

2007-04-09 05:51 <DIR> d-------- C:\Program Files\Common Files\xing shared

2007-04-09 05:50 <DIR> d-------- C:\Program Files\Real

2007-04-09 05:50 <DIR> d-------- C:\Program Files\Common Files\Real

2007-04-09 05:50 <DIR> d-------- C:\DOCUME~1\NATHAN~1\APPLIC~1\Real

2007-04-09 05:48 <DIR> d-------- C:\My Downloads





(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))





2007-04-28 21:26 -------- d-------- C:\Program Files\symantec antivirus

2007-04-28 03:57 -------- d--h----- C:\Program Files\installshield installation information

2007-04-28 03:57 -------- d-------- C:\Program Files\generic

2007-04-28 01:23 -------- d-------- C:\Program Files\gmatprep

2007-03-26 19:57 -------- d-------- C:\Program Files\sony ericsson

2007-03-26 19:56 -------- d-------- C:\Program Files\intuwave ltd

2007-03-19 03:33 -------- d-------- C:\Program Files\emule





(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))





*Note* empty entries & legit default entries are not shown



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll

{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} C:\Documents and Settings\Nates\My Documents\My Torrents\incomplete\BitComet\tools\BitCometBHO.dll

{AE7CD045-E861-484f-8273-0445EE161910} C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll



[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"

"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe"

"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"

"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"

"HControl"="C:\\WINDOWS\\ATK0100\\HControl.exe"

"SoundMan"="SOUNDMAN.EXE"

"AlcWzrd"="ALCWZRD.EXE"

"Alcmtr"="ALCMTR.EXE"

"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""

"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"

"Adobe Version Cue CS2"="\"C:\\Program Files\\Adobe\\Adobe Version Cue CS2\\ControlPanel\\VersionCueCS2Tray.exe\""

"Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Adobe Acrobat 7.0\\Distillr\\Acrotray.exe\""

"Power_Gear"="C:\\Program Files\\Generic\\Power4 Gear\\BatteryLife.exe 1"

"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"

"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"

"NotebookHardwareControl"="\"C:\\Program Files\\Notebook Hardware Control\\nhc.exe\" -quiet"

"EPSON Stylus Photo R200 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2H1.EXE /P30 \"EPSON Stylus Photo R200 Series\" /O5 \"LPT1:\" /M \"Stylus Photo R200\""

"EPSON Stylus Photo R200 Series (Copy 1)"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2H1.EXE /P39 \"EPSON Stylus Photo R200 Series (Copy 1)\" /O6 \"USB002\" /M \"Stylus Photo R200\""

"StatusClient"="C:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Apache Tomcat 4.0\\webapps\\Toolbox\\StatusClient\\StatusClient.exe /auto"

"TomcatStartup"="C:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\hpbpsttp.exe"

"SSBkgdUpdate"="\"C:\\Program Files\\Common Files\\Scansoft Shared\\SSBkgdUpdate\\SSBkgdupdate.exe\" -Embedding -boot"

"PaperPort PTD"="C:\\Program Files\\ScanSoft\\PaperPort\\pptd40nt.exe"

"IndexSearch"="C:\\Program Files\\ScanSoft\\PaperPort\\IndexSearch.exe"

"SetDefPrt"="C:\\Program Files\\Brother\\Brmfl04g\\BrStDvPt.exe"

"ControlCenter2.0"="C:\\Program Files\\Brother\\ControlCenter2\\brctrcen.exe /autorun"

"Wireless Console"="C:\\Program Files\\Generic\\Wireless Console\\wcourier.exe"



[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

"updateMgr"="C:\\Program Files\\Adobe\\Adobe Acrobat 7.0\\Acrobat\\AdobeUpdateManager.exe AcPro7_0_5 -reboot 1"

"Microsoft Location Finder"="\"C:\\Program Files\\Microsoft Location Finder\\LocationFinder.exe\""

"H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\""

"gStart"="C:\\Garmin\\gStart.exe"

"userinit"="C:\\WINDOWS\\system32\\ntos.exe"



[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"userinit"="C:\\WINDOWS\\system32\\ntos.exe"



HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa

Authentication Packages REG_MULTI_SZ msv1_0\0\0

Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0

Notification Packages REG_MULTI_SZ scecli\0\0





[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]

HTTPFilter REG_MULTI_SZ HTTPFilter\0\0

LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0

NetworkService REG_MULTI_SZ DnsCache\0\0

DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

rpcss REG_MULTI_SZ RpcSs\0\0

imgsvc REG_MULTI_SZ StiSvc\0\0

termsvcs REG_MULTI_SZ TermService\0\0





[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2821f4ad-3c8e-11da-b865-806d6172696f}]

Shell\AutoRun\command D:\setup.exe

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_NHCACPI_DRIVER



********************************************************************



catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-04-29 21:53:05

Windows 5.1.2600 Service Pack 2 NTFS



scanning hidden processes ...



scanning hidden services ...



scanning hidden autostart entries ...



scanning hidden files ...



scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0





********************************************************************



Completion time: 07-04-29 21:53:25

C:\ComboFix-quarantined-files.txt ... 07-04-29 21:53
  • 0

#5
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi :whistling:

Can you post me a new Hijack log? Make sure wordwrap is turned off in notepad
  • 0

#6
Nates

Nates

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts
Logfile of HijackThis v1.99.1

Scan saved at 7:45:03 PM, on 4/30/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)



Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\System32\dmadmin.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\ATK0100\HControl.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\ALCMTR.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe

C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

C:\Program Files\Notebook Hardware Control\nhc.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE

C:\WINDOWS\ATK0100\ATKOSD.exe

C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe

C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

C:\Program Files\Brother\ControlCenter2\brctrcen.exe

C:\Program Files\Generic\Wireless Console\wcourier.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Microsoft Location Finder\LocationFinder.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\Garmin\gStart.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe

C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe

C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe

C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\ProfileReminder.exe

C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE

C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe

C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe

C:\Documents and Settings\Nates\Desktop\fixer\HijackThis.exe

c:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE



F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Documents and Settings\Nates\My Documents\My Torrents\incomplete\BitComet\tools\BitCometBHO.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe

O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"

O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\Generic\Power4 Gear\BatteryLife.exe 1

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

O4 - HKLM\..\Run: [NotebookHardwareControl] "C:\Program Files\Notebook Hardware Control\nhc.exe" -quiet

O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O5 "LPT1:" /M "Stylus Photo R200"

O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P39 "EPSON Stylus Photo R200 Series (Copy 1)" /O6 "USB002" /M "Stylus Photo R200"

O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto

O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe

O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe

O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun

O4 - HKLM\..\Run: [Wireless Console] C:\Program Files\Generic\Wireless Console\wcourier.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AdobeUpdateManager.exe AcPro7_0_5 -reboot 1

O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - HKCU\..\Run: [gStart] C:\Garmin\gStart.exe

O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe

O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Bluetooth Manager.lnk = ?

O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe

O4 - Global Startup: Logo Calibration Loader.lnk = C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe

O4 - Global Startup: Phone Connection Monitor.lnk = C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe

O4 - Global Startup: ProfileReminder.lnk = C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\ProfileReminder.exe

O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Documents and Settings\Nates\My Documents\My Torrents\incomplete\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Documents and Settings\Nates\My Documents\My Torrents\incomplete\BitComet\BitComet.exe/AddVideo.htm

O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Documents and Settings\Nates\My Documents\My Torrents\incomplete\BitComet\BitComet.exe/AddAllLink.htm

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: OwnershipProtocol - Unknown owner - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe (file missing)

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Unknown owner - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (file missing)

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
  • 0

#7
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Good :whistling:

One more tool, and we are almost done

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

  • 0

#8
Nates

Nates

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts
If it makes a difference, SDFix mentioned the following:

FINDSTR Cannot open C:\WINDOWS\SYSEM32\DRIVERS\NDIS.SYS

Also, after everything was complete, SDFix suggested I run Catchme.exe, which I did, and it reported back that nothing was found.

Here's the SDFix log...



SDFix: Version 1.81



Run by Nates - Mon 04/30/2007 - 22:32:23.51



Microsoft Windows XP [Version 5.1.2600]



Running From: C:\SDFix



Safe Mode:

Checking Services:









Killing PID 212 'smss.exe'

Killing PID 284 'winlogon.exe'





Restoring Windows Registry Values

Restoring Windows Default Hosts File



Rebooting...



Normal Mode:

Checking Files:



Below files will be copied to Backups folder then removed:



C:\CP1041.NLS - Deleted

C:\CP1500.NLS - Deleted

C:\WINDOWS\odbc.INI - Deleted

C:\WINDOWS\system32\ntos.exe - Deleted

C:\WINDOWS\system32\wsnpoem\audio.dll - Deleted

C:\WINDOWS\system32\wsnpoem\video.dll - Deleted





Folder C:\WINDOWS\system32\wsnpoem - Removed



Removing Temp Files



ADS Check:



Checking if ADS is attached to system32 Folder

C:\WINDOWS\system32

No streams found.



Checking if ADS is attached to svchost.exe

C:\WINDOWS\system32\svchost.exe

No streams found.







Final Check:



Remaining Services:

------------------







Authorized Application Key Export:



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"





[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"





Remaining Files:

---------------



Backups Folder: - C:\SDFix\backups\backups.zip



Checking For Files with Hidden Attributes:



C:\Documents and Settings\Nates\My Documents\My Videos\My Torrents\[isoHunt] Adobe After Effects v7[1].0 [DVD][www.pctorrent.com].torrent

C:\Documents and Settings\Nates\My Documents\My Torrents\incomplete\BitComet\dbghelp.dll

C:\Documents and Settings\Nates\My Documents\My Torrents\incomplete\BitComet\tools\BitCometAgent.dll

C:\Documents and Settings\Nates\My Documents\My Torrents\incomplete\BitComet\tools\BitCometBHO.dll

C:\Documents and Settings\Nates\My Documents\My Torrents\incomplete\BitComet\BitComet.exe

C:\Documents and Settings\Nates\My Documents\My Torrents\incomplete\BitComet\CrashReport.exe

C:\Documents and Settings\Nates\My Documents\My Torrents\incomplete\BitComet\uninst.exe

C:\Documents and Settings\Nates\My Documents\My Torrents\incomplete\BitComet\tools\CodecCheck.exe

C:\Documents and Settings\Nates\My Documents\My Torrents\incomplete\BitComet\tools\curl.exe

C:\Documents and Settings\Nates\My Documents\My Torrents\incomplete\BitComet\tools\FlvPlayer.exe

C:\Documents and Settings\Nates\My Documents\My Torrents\incomplete\BitComet\tools\UPNP.exe

C:\Documents and Settings\Nates\My Documents\My Videos\My Torrents\PokerStarsInstallPM.exe

C:\Documents and Settings\Nates\My Documents\My Videos\My Torrents\wptInstaller.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\uccspecb.sys

C:\Documents and Settings\Nates\Application Data\Microsoft\Word\~WRL0530.tmp

C:\Documents and Settings\Nates\Application Data\Microsoft\Word\~WRL1952.tmp

C:\Documents and Settings\Nates\Application Data\Microsoft\Word\~WRL1966.tmp

C:\Documents and Settings\Nates\Application Data\Microsoft\Word\~WRL2727.tmp

C:\Documents and Settings\Nates\Application Data\Microsoft\Word\~WRL3986.tmp

C:\Documents and Settings\Nates\My Documents\~WRL0284.tmp

C:\Documents and Settings\Nates\My Documents\~WRL0352.tmp

C:\Documents and Settings\Nates\My Documents\~WRL0582.tmp

C:\Documents and Settings\Nates\My Documents\~WRL0606.tmp

C:\Documents and Settings\Nates\My Documents\~WRL0618.tmp

C:\Documents and Settings\Nates\My Documents\~WRL0861.tmp

C:\Documents and Settings\Nates\My Documents\~WRL0870.tmp

C:\Documents and Settings\Nates\My Documents\~WRL0895.tmp

C:\Documents and Settings\Nates\My Documents\~WRL1068.tmp

C:\Documents and Settings\Nates\My Documents\~WRL1419.tmp

C:\Documents and Settings\Nates\My Documents\~WRL1699.tmp

C:\Documents and Settings\Nates\My Documents\~WRL1794.tmp

C:\Documents and Settings\Nates\My Documents\~WRL2141.tmp

C:\Documents and Settings\Nates\My Documents\~WRL2249.tmp

C:\Documents and Settings\Nates\My Documents\~WRL2509.tmp

C:\Documents and Settings\Nates\My Documents\~WRL2510.tmp

C:\Documents and Settings\Nates\My Documents\~WRL2798.tmp

C:\Documents and Settings\Nates\My Documents\~WRL2862.tmp

C:\Documents and Settings\Nates\My Documents\~WRL2901.tmp

C:\Documents and Settings\Nates\My Documents\~WRL3142.tmp

C:\Documents and Settings\Nates\My Documents\~WRL3925.tmp

C:\Documents and Settings\Nates\My Documents\Bluetooth\SharedFolder\~WRL0967.tmp

C:\Documents and Settings\Nates\My Documents\Bluetooth\SharedFolder\~WRL0993.tmp

C:\Documents and Settings\Nates\My Documents\Bluetooth\SharedFolder\~WRL1362.tmp

C:\Documents and Settings\Nates\My Documents\Bluetooth\SharedFolder\~WRL3142.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL0022.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL0028.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL0072.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL0099.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL0152.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL0503.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL0526.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL0528.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL0530.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL0557.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL0577.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL0625.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL0737.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL0792.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL0794.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL0844.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL0875.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL0968.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL1162.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL1238.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL1335.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL1357.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL1415.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL1477.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL1522.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL1792.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL1855.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL1970.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL2022.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL2168.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL2216.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL2259.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL2267.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL2296.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL2301.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL2351.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL2356.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL2541.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL2555.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL2601.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL2869.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL2961.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL2965.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL3102.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL3211.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL3270.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL3303.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL3420.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL3435.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL3440.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL3448.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL3499.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL3582.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL3690.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL3706.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL3732.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL3858.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL3929.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL3996.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL4007.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL4059.tmp

C:\Documents and Settings\Nates\My Documents\School\Interactive\~WRL4097.tmp



Finished
  • 0

#9
Nates

Nates

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts
And here's the latest HJT log...

Logfile of HijackThis v1.99.1

Scan saved at 10:58:26 PM, on 4/30/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)



Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\System32\dmadmin.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\ATK0100\HControl.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\ALCMTR.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\WINDOWS\ATK0100\ATKOSD.exe

C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe

C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

C:\Program Files\Notebook Hardware Control\nhc.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE

C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe

C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

C:\Program Files\Brother\ControlCenter2\brctrcen.exe

C:\Program Files\Generic\Wireless Console\wcourier.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Microsoft Location Finder\LocationFinder.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\Garmin\gStart.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe

C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe

C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe

C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE

C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\ProfileReminder.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe

C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe

C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe

C:\Documents and Settings\Nates\Desktop\fixer\HijackThis.exe

c:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE



O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Documents and Settings\Nates\My Documents\My Torrents\incomplete\BitComet\tools\BitCometBHO.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe

O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"

O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\Generic\Power4 Gear\BatteryLife.exe 1

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

O4 - HKLM\..\Run: [NotebookHardwareControl] "C:\Program Files\Notebook Hardware Control\nhc.exe" -quiet

O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O5 "LPT1:" /M "Stylus Photo R200"

O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P39 "EPSON Stylus Photo R200 Series (Copy 1)" /O6 "USB002" /M "Stylus Photo R200"

O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto

O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe

O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe

O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun

O4 - HKLM\..\Run: [Wireless Console] C:\Program Files\Generic\Wireless Console\wcourier.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AdobeUpdateManager.exe AcPro7_0_5 -reboot 1

O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - HKCU\..\Run: [gStart] C:\Garmin\gStart.exe

O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Bluetooth Manager.lnk = ?

O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe

O4 - Global Startup: Logo Calibration Loader.lnk = C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe

O4 - Global Startup: Phone Connection Monitor.lnk = C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe

O4 - Global Startup: ProfileReminder.lnk = C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\ProfileReminder.exe

O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Documents and Settings\Nates\My Documents\My Torrents\incomplete\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Documents and Settings\Nates\My Documents\My Torrents\incomplete\BitComet\BitComet.exe/AddVideo.htm

O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Documents and Settings\Nates\My Documents\My Torrents\incomplete\BitComet\BitComet.exe/AddAllLink.htm

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: OwnershipProtocol - Unknown owner - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe (file missing)

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Unknown owner - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (file missing)

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
  • 0

#10
Nates

Nates

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts
Hello? :whistling:
  • 0

Advertisements


#11
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Dont do that please. Had a 15 hour day yesterday so I didnt really feel like posting when I finished work.

Rescan with combo fix and post the log, also how is the computer running.
  • 0

#12
Nates

Nates

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts
Ouch, 15 hours! Sorry about that, I just thought you might have forgot about this thread. :whistling: Won't happen again.

So far, the computer seems to run fine (although all the networking is still kaput), but I haven't done anything on it since we've started other than what you've instructed me to do. One thing I did notice was that whenever I pop in my USB key, it would open up a window to display its contents like usual, but it would then close the window automatically after about 20 seconds. I have no idea if this is something to be worried about. Also, I'm not sure if this is normal but mRouterRuntime.exe in Task Manager disappears and reappears every few seconds.

Thanks again for all the help, and here's the log...

"Nates" - 07-05-02 20:54:54 Service Pack 2

ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\Nates\Desktop\fixer\"





((((((((((((((((((((((((((((((( Files Created from 2007-04-02 to 2007-05-02 ))))))))))))))))))))))))))))))))))





2007-04-30 22:33 380,416 --a------ C:\WINDOWS\system32\rstrui.exe

2007-04-29 21:53 49,152 --a------ C:\WINDOWS\nircmd.exe

2007-04-29 21:39 51,056 --a------ C:\combofix.exe

2007-04-28 08:14 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys

2007-04-28 08:13 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys

2007-04-28 03:31 17,119 --a------ C:\WINDOWS\system32\drivers\AegisP.sys

2007-04-28 01:34 1,654,784 --a------ C:\WINDOWS\system32\W29MLRES.DLL

2007-04-27 20:03 21,504 --a------ C:\WINDOWS\system32\vhfnsgk.dll

2007-04-09 05:51 <DIR> d-------- C:\Program Files\Common Files\xing shared

2007-04-09 05:50 <DIR> d-------- C:\Program Files\Real

2007-04-09 05:50 <DIR> d-------- C:\Program Files\Common Files\Real

2007-04-09 05:50 <DIR> d-------- C:\DOCUME~1\NATHAN~1\APPLIC~1\Real

2007-04-09 05:48 <DIR> d-------- C:\My Downloads





(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))





2007-05-02 20:50 -------- d-------- C:\Program Files\symantec antivirus

2007-04-28 03:57 -------- d--h----- C:\Program Files\installshield installation information

2007-04-28 03:57 -------- d-------- C:\Program Files\generic

2007-04-28 01:23 -------- d-------- C:\Program Files\gmatprep

2007-03-26 19:57 -------- d-------- C:\Program Files\sony ericsson

2007-03-26 19:56 -------- d-------- C:\Program Files\intuwave ltd

2007-03-19 03:33 -------- d-------- C:\Program Files\emule





(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))





*Note* empty entries & legit default entries are not shown



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll

{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} C:\Documents and Settings\Nates\My Documents\My Torrents\incomplete\BitComet\tools\BitCometBHO.dll

{AE7CD045-E861-484f-8273-0445EE161910} C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll



[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"

"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe"

"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"

"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"

"HControl"="C:\\WINDOWS\\ATK0100\\HControl.exe"

"SoundMan"="SOUNDMAN.EXE"

"AlcWzrd"="ALCWZRD.EXE"

"Alcmtr"="ALCMTR.EXE"

"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""

"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"

"Adobe Version Cue CS2"="\"C:\\Program Files\\Adobe\\Adobe Version Cue CS2\\ControlPanel\\VersionCueCS2Tray.exe\""

"Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Adobe Acrobat 7.0\\Distillr\\Acrotray.exe\""

"Power_Gear"="C:\\Program Files\\Generic\\Power4 Gear\\BatteryLife.exe 1"

"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"

"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"

"NotebookHardwareControl"="\"C:\\Program Files\\Notebook Hardware Control\\nhc.exe\" -quiet"

"EPSON Stylus Photo R200 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2H1.EXE /P30 \"EPSON Stylus Photo R200 Series\" /O5 \"LPT1:\" /M \"Stylus Photo R200\""

"EPSON Stylus Photo R200 Series (Copy 1)"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2H1.EXE /P39 \"EPSON Stylus Photo R200 Series (Copy 1)\" /O6 \"USB002\" /M \"Stylus Photo R200\""

"StatusClient"="C:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Apache Tomcat 4.0\\webapps\\Toolbox\\StatusClient\\StatusClient.exe /auto"

"TomcatStartup"="C:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\hpbpsttp.exe"

"SSBkgdUpdate"="\"C:\\Program Files\\Common Files\\Scansoft Shared\\SSBkgdUpdate\\SSBkgdupdate.exe\" -Embedding -boot"

"PaperPort PTD"="C:\\Program Files\\ScanSoft\\PaperPort\\pptd40nt.exe"

"IndexSearch"="C:\\Program Files\\ScanSoft\\PaperPort\\IndexSearch.exe"

"SetDefPrt"="C:\\Program Files\\Brother\\Brmfl04g\\BrStDvPt.exe"

"ControlCenter2.0"="C:\\Program Files\\Brother\\ControlCenter2\\brctrcen.exe /autorun"

"Wireless Console"="C:\\Program Files\\Generic\\Wireless Console\\wcourier.exe"



[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

"updateMgr"="C:\\Program Files\\Adobe\\Adobe Acrobat 7.0\\Acrobat\\AdobeUpdateManager.exe AcPro7_0_5 -reboot 1"

"Microsoft Location Finder"="\"C:\\Program Files\\Microsoft Location Finder\\LocationFinder.exe\""

"H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\""

"gStart"="C:\\Garmin\\gStart.exe"



HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa

Authentication Packages REG_MULTI_SZ msv1_0\0\0

Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0

Notification Packages REG_MULTI_SZ scecli\0\0





[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]

HTTPFilter REG_MULTI_SZ HTTPFilter\0\0

LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0

NetworkService REG_MULTI_SZ DnsCache\0\0

DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

rpcss REG_MULTI_SZ RpcSs\0\0

imgsvc REG_MULTI_SZ StiSvc\0\0

termsvcs REG_MULTI_SZ TermService\0\0





[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]

Shell\AutoRun\command D:\setup.exe



[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2821f4ad-3c8e-11da-b865-806d6172696f}]

Shell\AutoRun\command D:\setup.exe

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_NHCACPI_DRIVER



********************************************************************



catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-05-02 21:01:13

Windows 5.1.2600 Service Pack 2 NTFS



scanning hidden processes ...



scanning hidden services ...



scanning hidden autostart entries ...



scanning hidden files ...



scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0





********************************************************************



Completion time: 07-05-02 21:01:35

C:\ComboFix-quarantined-files.txt ... 07-05-02 21:01

C:\ComboFix2.txt ... 07-04-29 21:53
  • 0

#13
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
No problem, just one of those days

Please go *here and in the "Browse to the file you want to submit:" box, copy and paste the following line in

C:\WINDOWS\system32\vhfnsgk.dll

Then click the send file button. ( you can fill out the rest of the info if you wish but its not important)

1.) Download WinsockFix.zip. (by: Option^Explicit)
2.) UnZip WinsockFix.zip (Pay close attention to where the file is extracted to.)
3.) Run WinsockFix.exe.
4.) Click the Fix button.

Test your networking and see if the problem still persist, and post any information you feel pertinent. Every little bit helps Also post a hijack log :whistling:
  • 0

#14
Nates

Nates

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts
Hi loophole, I can't directly submit that file since I don't have internet access on the infected computer. Does it matter if I put the file in question onto a USB key, transfer it to this Mac, and then upload it?

I'll be posting again shortly after following the rest of your instruction.
  • 0

#15
Nates

Nates

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts
I ran WinsockFix, but my networking still doesn't work. Mind you, prior to coming here, I tried to fix/uninstall/reinstall the drivers. Upon startup, Norton says "TCP/IP is not installed..." and Mobile Device Properties says "The TCP/IP network transport is not installed." I also got a Server Busy message pop-up like I did before. Furthermore, whenever I try to hit the notebook button to activate wireless, I still get "Unable to load the INTEL Muroc API, This function need to install INTEL Proset utility."

Here is the latest HJT log:

Logfile of HijackThis v1.99.1

Scan saved at 10:06:12 PM, on 5/2/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)



Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\System32\dmadmin.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\ATK0100\HControl.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\ALCMTR.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe

C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe

C:\WINDOWS\ATK0100\ATKOSD.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

C:\Program Files\Notebook Hardware Control\nhc.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE

C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe

C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

C:\Program Files\Brother\ControlCenter2\brctrcen.exe

C:\Program Files\Generic\Wireless Console\wcourier.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Microsoft Location Finder\LocationFinder.exe

C:\Garmin\gStart.exe

C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\acrobat_sl.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe

C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe

C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe

C:\Documents and Settings\Nates\Desktop\fixer\HijackThis.exe

c:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE



O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Documents and Settings\Nates\My Documents\My Torrents\incomplete\BitComet\tools\BitCometBHO.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe

O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"

O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\Generic\Power4 Gear\BatteryLife.exe 1

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

O4 - HKLM\..\Run: [NotebookHardwareControl] "C:\Program Files\Notebook Hardware Control\nhc.exe" -quiet

O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O5 "LPT1:" /M "Stylus Photo R200"

O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P39 "EPSON Stylus Photo R200 Series (Copy 1)" /O6 "USB002" /M "Stylus Photo R200"

O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto

O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe

O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe

O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun

O4 - HKLM\..\Run: [Wireless Console] C:\Program Files\Generic\Wireless Console\wcourier.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AdobeUpdateManager.exe AcPro7_0_5 -reboot 1

O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - HKCU\..\Run: [gStart] C:\Garmin\gStart.exe

O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Bluetooth Manager.lnk = ?

O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe

O4 - Global Startup: Logo Calibration Loader.lnk = C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe

O4 - Global Startup: Phone Connection Monitor.lnk = C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe

O4 - Global Startup: ProfileReminder.lnk = C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\ProfileReminder.exe

O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Documents and Settings\Nates\My Documents\My Torrents\incomplete\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Documents and Settings\Nates\My Documents\My Torrents\incomplete\BitComet\BitComet.exe/AddVideo.htm

O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Documents and Settings\Nates\My Documents\My Torrents\incomplete\BitComet\BitComet.exe/AddAllLink.htm

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: OwnershipProtocol - Unknown owner - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe (file missing)

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: RegSrvc - Unknown owner - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (file missing)

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Unknown owner - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (file missing)

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP