Troj-Huntbar.A ? [RESOLVED]



#16
RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
That looks good, Peter. Now could I ask you to act as a guinea pig and try out a little application that we have been developing, which should confirm that the Recovery Console is indeed in place and correctly installed?

Please download BootCheck.exe to your desktop.
  • Double click BootCheck.exe to run the check
  • When complete, a Notepad window will open with some text in it
  • Save the Notepad file to your desktop as BootCheck.txt
  • Copy the contents of BootCheck.txt and post it in your next reply
You can then delete BootCheck.exe

Regards,
RatHat
  • 0



#17
liverman

    Member

  • Topic Starter
  • Member
  • 31 posts
RatHat,

Bootcheck log:

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons


Hope that helps.
Peter.
  • 0

#18
liverman

    Member

  • Topic Starter
  • Member
  • 31 posts
Oops, sorry... I think I pasted the wrong log; try this:


CMDCONS Folder exists!

Contents of C:\boot.ini:

[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons


Peter.
  • 0
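The two things the BootCheck output above reports on (a CMDCONS folder on the root drive and a boot.ini entry carrying the /cmdcons switch) can be checked from the posted text alone. The Python below is an added example written for this page; it is not BootCheck's own code and not anything posted in the thread. It parses the boot.ini text Peter posted (copied into the block as a constant so it runs offline) and, in check_live_system, assumes the default XP locations C:\boot.ini and C:\CMDCONS that appear in the log.

```python
import os
import re
from dataclasses import dataclass

# boot.ini text as posted in the BootCheck output in this thread
# (copied here as a constant so the check runs offline).
SAMPLE_BOOT_INI = r"""
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
"""

@dataclass
class BootEntry:
    device: str        # ARC path or loader file on the left of '='
    description: str   # quoted text shown in the boot menu
    switches: list     # everything after the description, e.g. ['/cmdcons']

SECTION_RE = re.compile(r"^\[(.+)\]$")
ENTRY_RE = re.compile(r'^"([^"]*)"\s*(.*)$')

def parse_boot_ini(text):
    """Return {'boot loader': {key: value}, 'operating systems': [BootEntry, ...]}."""
    sections = {"boot loader": {}, "operating systems": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            continue
        left, sep, right = line.partition("=")   # split on the FIRST '=' only
        if not sep:
            continue
        if current == "boot loader":
            sections["boot loader"][left.strip().lower()] = right.strip()
        elif current == "operating systems":
            m = ENTRY_RE.match(right.strip())
            if m:
                sections["operating systems"].append(
                    BootEntry(left.strip(), m.group(1), m.group(2).split()))
    return sections

def find_recovery_console(text):
    """Return the [operating systems] entry carrying the /cmdcons switch, or None."""
    for entry in parse_boot_ini(text)["operating systems"]:
        if any(s.lower() == "/cmdcons" for s in entry.switches):
            return entry
    return None

def check_recovery_console(text, cmdcons_folder_exists):
    """Both halves of the BootCheck test; returns (ok, list_of_problems)."""
    problems = []
    entry = find_recovery_console(text)
    if entry is None:
        problems.append("no /cmdcons entry in [operating systems]")
    elif not entry.device.upper().endswith(r"\CMDCONS\BOOTSECT.DAT"):
        problems.append(f"/cmdcons entry boots an unexpected loader: {entry.device}")
    if not cmdcons_folder_exists:
        problems.append("CMDCONS folder is missing")
    return (not problems, problems)

def check_live_system(boot_ini=r"C:\boot.ini", cmdcons_dir=r"C:\CMDCONS"):
    """Same check against a real XP system (assumed default paths; boot.ini is a
    hidden system file, so the caller needs rights to read it)."""
    with open(boot_ini, encoding="ascii", errors="replace") as fh:
        return check_recovery_console(fh.read(), os.path.isdir(cmdcons_dir))

if __name__ == "__main__":
    ok, problems = check_recovery_console(SAMPLE_BOOT_INI, cmdcons_folder_exists=True)
    print("Recovery Console OK" if ok else "Problems: " + "; ".join(problems))
```

The ok flag alone reproduces what BootCheck tells the user; the problems list is what a helper would want quoted back, since it distinguishes a missing folder (the install never ran) from a missing boot.ini entry (the folder exists but the boot menu cannot reach it).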

#19
RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Peter,

You downloaded the installation file for Windows XP Service Pack 2 (SP2), didn't you? It should have created a folder in your root drive named C:\CMDCONS.

At the moment that is not showing in the log. Could you re-download from this direct link, and then install it via Combofix again? When it has completed, post me the log from Combofix, and another one from BootCheck.exe.

Regards,
RatHat
  • 0

#20
liverman

    Member

  • Topic Starter
  • Member
  • 31 posts
Rat Hat,

Did as you asked. Five minutes in, a window popped up saying something like: "This machine already has Recovery Console installed. Aborting operation. OK." I pressed OK and the window disappeared and the Combo-Fix window closed.
  • 0

#21
RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Could you run BootCheck.exe again, and also have a look at your C:\ drive to see if the folder CMDCONS is there.

Regards,
RatHat
  • 0

#22
liverman

    Member

  • Topic Starter
  • Member
  • 31 posts
The CMDCONS folder is in the C: drive.


Bootcheck log:

CMDCONS Folder exists!

Contents of C:\boot.ini:

[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

P.
  • 0

#23
liverman

    Member

  • Topic Starter
  • Member
  • 31 posts
RatHat,

I mistakenly launched ComboFix instead of BootCheck before! So I include the ComboFix log in case something stuffed up:


ComboFix 08-02.03.1 - Peter 2008-02-05 19:10:27.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.371 [GMT 11:00]
Running from: C:\Documents and Settings\Peter\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft\Network\Downloader\qmgr0.dat
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://www.j+|C̛v+@J:NGD_DQ{zt һHG.XI-,XIvPs
hxxp://www.
.
((((((((((((((((((((((((( Files Created from 2008-01-05 to 2008-02-05 )))))))))))))))))))))))))))))))
.

2008-02-05 17:01 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-02-05 17:01 . 2006-05-13 10:45 211 --a------ C:\Boot.bak
2008-02-05 16:43 . 2008-02-05 17:02 <DIR> d-------- C:\ComboFix
2008-02-05 16:43 . 2004-08-04 23:00 388,608 --a------ C:\WINDOWS\system32\kmd.exe
2008-02-04 22:30 . 2008-02-04 22:30 <DIR> d-------- C:\Documents and Settings\Peter\Application Data\Grisoft
2008-02-04 22:30 . 2008-02-04 22:30 <DIR> d-------- C:\DOCUME~1\Peter\APPLIC~1\Grisoft
2008-02-04 22:27 . 2008-02-04 22:28 126,656 --a------ C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2008-02-04 22:02 . 2008-02-04 22:02 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-04 07:51 . 2008-02-04 07:51 <DIR> d-------- C:\Documents and Settings\Peter\DoctorWeb
2008-02-03 16:41 . 2008-02-03 16:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2008-02-03 16:40 . 2008-02-03 22:22 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-03 13:04 . 2008-02-03 13:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Grisoft
2008-01-28 23:01 . 2008-01-28 23:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\nView_Profiles
2008-01-28 22:58 . 2007-04-17 20:28 2,455,488 --------- C:\WINDOWS\system32\SETCD.tmp
2008-01-28 22:57 . 2008-01-28 22:59 <DIR> d-------- C:\WINDOWS\LastGood(2).Tmp
2008-01-28 20:48 . 2008-01-29 17:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2008-01-26 08:23 . 2007-01-31 17:47 991,232 --------- C:\WINDOWS\system32\SETCC.tmp
2008-01-26 07:59 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-26 07:59 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-25 17:50 . 2007-08-13 18:52 66,048 --a------ C:\WINDOWS\ieResetIcons.exe
2008-01-25 17:29 . 2008-01-25 17:29 1,158 --a------ C:\WINDOWS\mozver.dat
2008-01-25 16:10 . 2008-01-25 16:10 0 --a------ C:\WINDOWS\nsreg.dat
2008-01-25 16:04 . 2008-01-25 16:15 <DIR> d-------- C:\WINDOWS\nview
2008-01-25 16:04 . 2005-03-30 13:48 176,128 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-01-25 16:04 . 2005-03-30 13:48 14,601 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-01-25 16:00 . 2004-08-04 00:56 1,888,992 --a--c--- C:\WINDOWS\system32\dllcache\ati3duag.dll
2008-01-25 16:00 . 2004-08-04 00:56 1,888,992 --a------ C:\WINDOWS\system32\ati3duag.dll
2008-01-25 16:00 . 2004-08-04 00:56 870,784 --a--c--- C:\WINDOWS\system32\dllcache\ati3d1ag.dll
2008-01-25 16:00 . 2004-08-04 00:56 870,784 --a------ C:\WINDOWS\system32\ati3d1ag.dll
2008-01-25 16:00 . 2004-08-04 00:56 516,768 --a--c--- C:\WINDOWS\system32\dllcache\ativvaxx.dll
2008-01-25 16:00 . 2004-08-04 00:56 516,768 --a------ C:\WINDOWS\system32\ativvaxx.dll
2008-01-25 16:00 . 2004-08-04 00:56 229,376 --a--c--- C:\WINDOWS\system32\dllcache\ati2cqag.dll
2008-01-25 16:00 . 2004-08-04 00:56 229,376 --a------ C:\WINDOWS\system32\ati2cqag.dll
2008-01-25 16:00 . 2004-08-04 00:56 201,728 --a--c--- C:\WINDOWS\system32\dllcache\ati2dvag.dll
2008-01-25 16:00 . 2004-08-04 00:56 201,728 --a------ C:\WINDOWS\system32\ati2dvag.dll
2008-01-25 15:45 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-01-25 14:31 . 2008-01-28 22:59 <DIR> d----c--- C:\WINDOWS\ie7(2)
2008-01-17 11:43 . 2008-01-17 11:43 <DIR> d-------- C:\Program Files\iPod
2008-01-14 15:18 . 2007-09-17 14:31 1,126,072 --a------ C:\WINDOWS\system32\drivers\vsapint.sys
2008-01-14 15:18 . 2006-12-29 17:53 288,848 --a------ C:\WINDOWS\system32\drivers\TM_CFW.sys
2008-01-14 15:18 . 2007-09-17 14:40 202,768 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-01-14 15:18 . 2006-12-29 17:53 111,888 --a------ C:\WINDOWS\system32\drivers\tm_mbd_c.sys
2008-01-14 15:18 . 2006-12-29 17:53 75,088 --a------ C:\WINDOWS\system32\drivers\tmtdi.sys
2008-01-14 15:18 . 2007-09-17 14:40 35,856 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-01-14 15:17 . 2008-01-14 15:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trend Micro
2008-01-14 15:16 . 2008-01-14 15:16 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-05 02:59 --------- d-----w C:\Program Files\Java
2008-02-05 02:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-04 00:31 --------- d-----w C:\Program Files\Azureus
2008-01-28 12:01 --------- d-----w C:\Program Files\FastStone Image Viewer
2008-01-25 05:09 502,272 ----a-w C:\WINDOWS\system32\winlogon.exe
2008-01-17 00:43 --------- d-----w C:\Program Files\iTunes
2008-01-17 00:40 --------- d-----w C:\Program Files\QuickTime
2008-01-14 20:25 --------- d-----w C:\Program Files\FreePOPs
2008-01-14 10:57 20 ---h--w C:\DOCUME~1\ALLUSE~1\APPLIC~1\PKP_DLec.DAT
2008-01-14 10:57 20 ---h--w C:\DOCUME~1\ALLUSE~1\APPLIC~1\PKP_DLds.DAT
2008-01-14 06:28 --------- d-----w C:\Program Files\PacificPoker
2008-01-14 04:12 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\CA
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2001-11-23 04:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe" [ ]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 23:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2006-03-23 17:06 1398272]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [ ]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2006-12-29 17:52 3429904]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-03-30 13:48 5898240]
"nwiz"="nwiz.exe" [2005-03-30 13:48 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-03-30 13:48 86016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 23:00 15360]

C:\Documents and Settings\Peter\Start Menu\Programs\Startup\
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe [2007-07-21 04:57:16 2913584]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
GN-WP01GS Utility.lnk - C:\Program Files\Gigabyte\Gigabyte GN-WP01GS Wireless PCI Adapter SoftAP\Installer\WINXP\RaConfig61.exe [2006-05-15 18:46:13 716800]

C:\DOCUME~1\Peter\STARTM~1\Programs\Startup\
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe [2007-07-21 04:57:16 2913584]

S3 pmxscan;USB ScanMaker 3630 Driver;C:\WINDOWS\system32\DRIVERS\usbscan.sys [1999-10-13 18:19]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85d86efa-3bfb-11dc-9b1d-0014852df153}]
\Shell\AutoRun\command - E:\.\MigWiz\migsetup.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-05 19:23:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-05 19:27:38
ComboFix-quarantined-files.txt 2008-02-05 08:27:28
.
2008-01-27 22:03:20 --- E O F ---

Thanks,
Peter.
  • 0

#24
RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Well, the Recovery Console is now installed properly. DO NOT delete the folder C:\CMDCONS, OK.

Now, if you want to, post me the logs from the other two computers and I will have a look at them to make sure they are clean.

I will also have a word with sUBs, the writer of Combofix, to find out what this entry means:

hxxp://www.j+|C̛v+@J:NGD_DQ{zt һHG.XI-,XIvPs

Lastly, could you delete this folder: C:\Program Files\Azureus

Regards,
RatHat
  • 0

#25
liverman

    Member

  • Topic Starter
  • Member
  • 31 posts
Thanks RatHat,

I have deleted the Azureus folder from Program Files.

Now for the other machines; firstly the notebook running Vista Business.

I scanned with AVG, couldn't generate a log, but it did find 13 tracking cookies, 17 traces.

No Vista support for Panda.


Scan log for SUPERAntiSpyware:

SUPERAntiSpyware Scan Log
Generated 02/05/2008 at 07:57 PM

Application Version : 3.6.1000

Core Rules Database Version : 3395
Trace Rules Database Version: 1387

Scan type : Complete Scan
Total Scan Time : 01:33:29

Memory items scanned : 711
Memory threats detected : 0
Registry items scanned : 6926
Registry threats detected : 0
File items scanned : 97786
File threats detected : 27

Adware.Tracking Cookie
C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\User\Application Data\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\User\Application Data\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\User\Application Data\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\User\Application Data\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\User\Application Data\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\User\Application Data\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\User\Application Data\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\User\Application Data\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\User\Application Data\Microsoft\Windows\Cookies\Low\[email protected][1].txt
C:\Users\User\Cookies\Low\[email protected][2].txt
C:\Users\User\Cookies\Low\[email protected][1].txt
C:\Users\User\Cookies\Low\[email protected][2].txt
C:\Users\User\Cookies\Low\[email protected][2].txt
C:\Users\User\Cookies\Low\[email protected][1].txt
C:\Users\User\Cookies\Low\[email protected][1].txt
C:\Users\User\Cookies\Low\[email protected][1].txt
C:\Users\User\Cookies\Low\[email protected][1].txt
C:\Users\User\Cookies\Low\[email protected][1].txt


Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:30:41 PM, on 5/02/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\ASUS Security Center\ASUS Security Protect Manager\Bin\AsGHost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9e.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.smh.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: ASUS Security Protect Manager - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\ASUS Security Center\ASUS Security Protect Manager\Bin\ItIEAddIn.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\ASUSSE~1\ASUSSE~1\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - AppInit_DLLs: APSHook.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - C:\Program Files\ATKGFNEX\GFNEXSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\Windows\system32\ifxspmgt.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\Windows\system32\ifxtcs.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - C:\Windows\system32\IfxPsdSv.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 7688 bytes


Uninstall list:

Adobe Flash Player ActiveX
Adobe Reader 8
Apple Mobile Device Support
Apple Software Update
ASUS InstantFun
ASUS Security Protect Manager
ASUS Splendid Video Enhancement Technology
Asus_Camera_ScreenSaver
ATK Generic Function Service
ATK Hotkey
ATK Media
ATKOSD2
Attansic Ethernet Utility
Attansic L1 Gigabit Ethernet Driver
AuthenTec Fingerprint Sensor Minimum Install
AVG Anti-Spyware 7.5
Bonjour
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Updater
HijackThis 2.0.2
Infineon TPM Professional Package
Intel® Graphics Media Accelerator Driver
iTunes
LifeFrame2
Microsoft Office Standard Edition 2003
Motorola SM56 Speakerphone Modem
MSVC80_x86
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
NB Probe
Nero 7 Essentials
Nokia Connectivity Cable Driver
Nokia PC Suite
Nokia PC Suite
P4P
PC Connectivity Solution
Power4Gear eXtreme
QuickTime
Realtek High Definition Audio Driver
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
SUPERAntiSpyware Free Edition
Synaptics Pointing Device Driver
Trend Micro PC-cillin Internet Security 2007
Trend Micro PC-cillin Internet Security 2007
USB 2.0 1.3M UVC WebCam
VistaFeaturePack
Windows Driver Package - Nokia Modem (08/03/2007 6.84.0.2)
Windows Driver Package - Nokia Modem (10/12/2007 3.6)
WinFlash
Wireless Console 2


Seems to run well, but it is very new and I am not very familiar with it yet. I will post logs for the other PC tomorrow; I haven't run the scans yet.


Thanks for your ongoing support.
Kind Regards,
Peter.
  • 0



#26
RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
OK, Peter, that one looks OK.

I'll check the other one when you have chance to post again.

Regards,
RatHat
  • 0

#27
liverman

    Member

  • Topic Starter
  • Member
  • 31 posts
Thanks RatHat.

I'll post again tomorrow.

P.
  • 0

#28
liverman

    Member

  • Topic Starter
  • Member
  • 31 posts
Rat Hat,

Sorry about the delay, nature intervened.

Now for the last PC, which is running Vista Home Premium.

I scanned with AVG, couldn't generate a log, but it did find 20-odd tracking cookies.

No Vista support for Panda.

SUPERAntiSpyware was running but got interrupted by a brief blackout due to an electrical storm. It had been running for over 11 hours and had found no threats. I have done some housekeeping and removed a lot of my son's extraneous stuff (11 hours seemed a long time) and will run it again after I post. Let me know if you need the log.

I have run HijackThis and include the logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:07:54 AM, on 7/02/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.smh.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-910198982-3761137005-1607632198-1002\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Jacko')
O4 - HKUS\S-1-5-21-910198982-3761137005-1607632198-1002\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Jacko')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: SCM_Service - Unknown owner - C:\Windows\System32\WinService.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 6872 bytes


Uninstall Log:

Adobe Common File Installer
Adobe Help Center 2.1
Adobe Photoshop Elements 5.0
Adobe Photoshop Elements 5.0.2 Patcher
Adobe Premiere Elements 3.0
Adobe Premiere Elements 3.0
Adobe Premiere Elements 3.0 Templates
Adobe Reader 8.1.1
Adobe Shockwave Player
Apple Mobile Device Support
Apple Software Update
AVG Anti-Spyware 7.5
Bonjour
EPSON PhotoQuicker3.5
EPSON Print CD
EPSON PRINT Image Framer Tool2.1
EPSON Printer Software
ESPR210 Reference Guide
ESPR210 Software Guide
FastStone Image Viewer 3.2
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
HijackThis 2.0.2
iTunes
Microsoft Office Standard Edition 2003
Microsoft Visual C++ 2005 Redistributable
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 Parser and SDK
NETGEAR WG111v2 wireless USB 2.0 adapter
Nikon Message Center
NVIDIA Drivers
PictureProject
PIF DESIGNER2.1
QuickTime
Realtek High Definition Audio Driver
ScanToWeb
SUPERAntiSpyware Free Edition
Trend Micro PC-cillin Internet Security 2007
Trend Micro PC-cillin Internet Security 2007
Windows Live Messenger
Windows Live Sign-in Assistant

Kind Regards,
Peter.
  • 0
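Reading the two HijackThis logs above (posts #25 and #28) by eye means scanning the O2/O4/O20/O23 lines for the handful of patterns a helper checks first: a BHO whose DLL is gone, a Run entry that names a bare executable or an unresolved shortcut, a rundll32 entry whose DLL has no full path, an AppInit_DLLs value, and a service with no publisher string. The Python below is an added example for this page; it is not HijackThis code and not the method RatHat used. The sample lines are copied from the two logs posted in this thread, and the flagging rules are the example's own review heuristics, so a flag means "look at this entry", not "this is malicious".

```python
import re

# Lines copied from the HijackThis logs posted in this thread (posts #25 and #28),
# kept inline so the triage runs offline.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = ?
O20 - AppInit_DLLs: APSHook.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: SCM_Service - Unknown owner - C:\Windows\System32\WinService.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
"""

LINE_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
BHO_RE = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
RUN_RE = re.compile(r"^(HK[^:]*)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
STARTUP_RE = re.compile(r"^(Global Startup|Startup): (.*?) = (.*)$")
SERVICE_RE = re.compile(r"^Service: (.*?) - (.*?) - (.*)$")
LOADERS = {"rundll32.exe", "regsvr32.exe"}   # host processes that load a DLL argument

def first_token(cmd):
    """Executable part of a Run command: the quoted path, or the first whitespace-separated word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(maxsplit=1)[0] if cmd else ""

def parse_hjt(text):
    """Turn each 'Oxx - ...' line into a dict with type, name, owner/clsid and target."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.groups()
        e = {"type": kind, "name": "", "owner": "", "clsid": "", "target": body}
        if kind == "O2" and (b := BHO_RE.match(body)):
            e["name"], e["clsid"], e["target"] = b.groups()
        elif kind == "O4" and (r := RUN_RE.match(body)):
            e["owner"], e["name"], e["target"] = r.groups()      # owner = registry hive
        elif kind == "O4" and (s := STARTUP_RE.match(body)):
            e["owner"], e["name"], e["target"] = s.groups()      # owner = startup folder kind
        elif kind == "O23" and (v := SERVICE_RE.match(body)):
            e["name"], e["owner"], e["target"] = v.groups()      # owner = publisher string
        elif kind == "O20":
            e["name"], _, e["target"] = body.partition(": ")
        entries.append(e)
    return entries

def review_flags(e):
    """Heuristics a reviewer applies first; returns a list of reasons (empty = nothing to note)."""
    kind, target = e["type"], e["target"].strip()
    flags = []
    if kind == "O2" and target == "(no file)":
        flags.append("BHO CLSID registered but its DLL is missing (orphaned entry)")
    if kind == "O4":
        exe = first_token(target)
        if target == "?":
            flags.append("startup shortcut target could not be resolved")
        elif exe.lower().rsplit("\\", 1)[-1] in LOADERS:
            dll = target[len(exe):].strip().split(",", 1)[0].strip().strip('"')
            if "\\" not in dll:
                flags.append(f"{exe} loads DLL '{dll}' without a full path")
        elif "\\" not in exe:
            flags.append(f"bare executable name '{exe}' is resolved via the search path")
    if kind == "O20" and e["name"] == "AppInit_DLLs":
        flags.append("AppInit_DLLs value is loaded into every process that links user32.dll")
    if kind == "O23" and e["owner"] == "Unknown owner":
        flags.append("service binary carries no publisher name")
    return flags

def triage(text):
    """Return {(type, name): [reasons]} for the entries that deserve a second look."""
    result = {}
    for e in parse_hjt(text):
        reasons = review_flags(e)
        if reasons:
            result[(e["type"], e["name"])] = reasons
    return result

if __name__ == "__main__":
    for (kind, name), reasons in triage(SAMPLE_LOG).items():
        print(f"{kind:4} {name:40} {'; '.join(reasons)}")
```

Run it on a saved log with triage(open("hijackthis.log").read()). The rules deliberately flag benign items too, such as RtHDVCpl.exe (which Windows resolves from C:\Windows at logon) and the ASUS hotkey service; the aim is only to shorten the list a reviewer reads, and entries confirmed good are then whitelisted by CLSID or full path rather than by display name.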

#29
RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
That log is also good Peter, though I would be interested to see the SUPERAntiSpyware report when complete, as 11 hours is a long time for it to run.

Regards,
RatHat
  • 0

#30
liverman

    Member

  • Topic Starter
  • Member
  • 31 posts
Thanks RatHat,

I'll post the log when the scan is complete...it's been running for a couple of hours so far.

Regards,
Peter.
  • 0





