My computer made a large number of beeping sounds, so I knew it wouldn't be good.
I looked in the process list and noticed 4 new processes, of which 3 were coming from TEMP. I End Tasked them and they did not return. My first idea was to clear the temp files with ATF Cleaner, but it would close a few seconds after I opened it. My next thought was to get into safe mode, and I promptly unplugged my adapter.
Safe mode didn't work for me. It just restarted my computer. So I used safebootfix.reg and went into safe mode, where I found ATF Cleaner had been deleted off my system. I then proceeded to use CleanUp! I then used HijackThis but didn't notice any anomalies, which was odd. I went to ComboScan, but I didn't know how to read that scan. So I went to Ad-Aware SE (which happens to be my only virus protection atm). This is what came up:
ArchiveData(auto-quarantine- 2008-03-04 19-39-31.bckp)
Referencefile : SE1R210 27.12.2007
======================================================
MRU LIST
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=MRU FileReference : C:\Documents and Settings\Admin\Application Data\microsoft\office\recent\1199112607303.gif.LNK
obj[1]=MRU FileReference : C:\Documents and Settings\Admin\recent\??.txt.lnk
obj[2]=MRU FileReference : C:\Documents and Settings\Admin\Application Data\microsoft\office\recent\Act I Scene iii.doc.LNK
obj[3]=MRU RegReference : S-1-5-21-4253786913-2071758419-1731425918-1005\software\microsoft\direct3d\mostrecentapplication name
obj[4]=MRU RegReference : software\microsoft\direct3d\mostrecentapplication name
obj[5]=MRU RegReference : S-1-5-21-4253786913-2071758419-1731425918-1005\software\microsoft\direct3d\mostrecentapplication name
obj[6]=MRU RegReference : software\microsoft\direct3d\mostrecentapplication name
obj[7]=MRU RegReference : software\microsoft\directdraw\mostrecentapplication name
obj[8]=MRU RegReference : S-1-5-21-4253786913-2071758419-1731425918-1005\software\microsoft\directinput\mostrecentapplication name
obj[9]=MRU RegReference : S-1-5-21-4253786913-2071758419-1731425918-1005\software\microsoft\directinput\mostrecentapplication id
obj[10]=MRU RegReference : S-1-5-21-4253786913-2071758419-1731425918-1005\software\microsoft\mediaplayer\player\recentfilelist
obj[11]=MRU RegReference : S-1-5-21-4253786913-2071758419-1731425918-1005\software\microsoft\office\11.0\common\open find\microsoft office word\settings\open\file name mru value
obj[12]=MRU RegReference : S-1-5-21-4253786913-2071758419-1731425918-1005\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru\*
obj[13]=MRU RegReference : S-1-5-21-4253786913-2071758419-1731425918-1005\software\microsoft\windows\currentversion\explorer\recentdocs\.bmp
obj[14]=MRU RegReference : S-1-5-21-4253786913-2071758419-1731425918-1005\software\microsoft\windows\currentversion\explorer\recentdocs\.doc
obj[15]=MRU RegReference : S-1-5-21-4253786913-2071758419-1731425918-1005\software\microsoft\windows\currentversion\explorer\recentdocs\.gif
obj[16]=MRU RegReference : S-1-5-21-4253786913-2071758419-1731425918-1005\software\microsoft\windows\currentversion\explorer\recentdocs\.htm
obj[17]=MRU RegReference : S-1-5-21-4253786913-2071758419-1731425918-1005\software\microsoft\windows\currentversion\explorer\recentdocs\.jpg
obj[18]=MRU RegReference : S-1-5-21-4253786913-2071758419-1731425918-1005\software\microsoft\windows\currentversion\explorer\recentdocs\.log
obj[19]=MRU RegReference : S-1-5-21-4253786913-2071758419-1731425918-1005\software\microsoft\windows\currentversion\explorer\recentdocs\.png
obj[20]=MRU RegReference : S-1-5-21-4253786913-2071758419-1731425918-1005\software\microsoft\windows\currentversion\explorer\recentdocs\.psd
obj[21]=MRU RegReference : S-1-5-21-4253786913-2071758419-1731425918-1005\software\microsoft\windows\currentversion\explorer\recentdocs\.rar
obj[22]=MRU RegReference : S-1-5-21-4253786913-2071758419-1731425918-1005\software\microsoft\windows\currentversion\explorer\recentdocs\.txt
obj[23]=MRU RegReference : S-1-5-21-4253786913-2071758419-1731425918-1005\software\microsoft\windows\currentversion\explorer\recentdocs\.wmv
obj[24]=MRU RegReference : S-1-5-21-4253786913-2071758419-1731425918-1005\software\microsoft\windows\currentversion\explorer\recentdocs\.zip
obj[25]=MRU RegReference : S-1-5-21-4253786913-2071758419-1731425918-1005\software\microsoft\windows\currentversion\explorer\recentdocs\Folder
obj[27]=MRU RegReference : S-1-5-21-4253786913-2071758419-1731425918-1005\software\microsoft\windows media\wmsdk\general computername
obj[28]=MRU RegReference : S-1-5-21-4253786913-2071758419-1731425918-1005\software\winrar\dialogedithistory\extrpath
WIN32.SALITY
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[16]=RegValue : system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list "c:\windows\explorer.exe"
obj[17]=Regkey : system\currentcontrolset\services\ndisfileservices32
obj[18]=RegValue : system\currentcontrolset\services\ndisfileservices32 "Start"
obj[19]=RegValue : system\currentcontrolset\services\ndisfileservices32 "ImagePath"
obj[20]=RegValue : system\currentcontrolset\services\ndisfileservices32 "ErrorControl"
obj[21]=RegValue : system\currentcontrolset\services\ndisfileservices32 "DisplayName"
obj[22]=Regkey : system\currentcontrolset\enum\root\legacy_ndisfileservices32
obj[23]=RegValue : system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list "c:\windows\explorer.exe"
obj[24]=Regkey : system\controlset001\services\ndisfileservices32
obj[25]=RegValue : system\controlset001\services\ndisfileservices32 "Start"
obj[26]=RegValue : system\controlset001\services\ndisfileservices32 "ImagePath"
obj[27]=RegValue : system\controlset001\services\ndisfileservices32 "ErrorControl"
obj[28]=RegValue : system\controlset001\services\ndisfileservices32 "DisplayName"
obj[29]=Regkey : system\controlset001\enum\root\legacy_ndisfileservices32
obj[30]=Process : C:\WINDOWS\system32\wmdrtc32.dll
obj[31]=Process : C:\WINDOWS\system32\wmdrtc32.dll
obj[32]=File : C:\WINDOWS\system32\wmdrtc32.dll
obj[34]=File : C:\WINDOWS\system32\drivers\fngjmg.sys
WIN32.HACKTOOL.TOOLEVID
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[33]=File : C:\WINDOWS\system32\winresponse32.exe
I then proceeded to open !Killbox and set C:\WINDOWS\system32\wmdrtc32.dll, as well as C:\WINDOWS\system32\wmdrtc32.dl_, to kill on reboot. Everything went successfully. I don't notice any problems, except that I can't access virusscan.jotti. Can you please help me? I also noticed that I have a QooBox folder on my C:\ drive, but it is empty. I know it to be a variant of a trojan, or am I wrong?
And on a side note, I'm sorry for having different topics. I have 3 computers and 3 children, as well as 1 father, who do not know how to use a computer, yet they use it for several hours a day, every day.
Thank you for your help.
I can attach the comboscan report + the file I opened if you would like.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:11:30 PM, on 03/04/08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sony\Photo Server\appsrv\PhotoAppSrv.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WUSB54GSC.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Wireless LAN\WlanUtil.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
D:\Program Files\Mach5 Software\Kremlin\Kremlin Sentry.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\TEMP\windnifjm.exe
C:\WINDOWS\TEMP\wininvuve.exe
C:\WINDOWS\TEMP\winqbrn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\TEMP\windnifjm.exe"
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: Kremlin Sentry.lnk = D:\Program Files\Mach5 Software\Kremlin\Kremlin Sentry.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: IEEE 802.11g USB Wireless LAN Utility.lnk = C:\Program Files\Wireless LAN\WlanUtil.exe
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.aajtak.co...er/tdserver.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload....Plugin11USA.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1185849481843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1185849458718
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload....GPlugin9USA.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\Photo Server\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WUSB54GSCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Admin/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg
--
End of file - 6429 bytes
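The HijackThis log above carries the indicators that usually give a Sality-style infection away: executables running out of C:\WINDOWS\TEMP, an F2 `Shell=` value that launches something besides Explorer.exe, an unknown Winsock LSP, and an O23 service with no recognised owner. The script below is an added example, not part of the original post or of HijackThis; it walks a log in that format and flags those four patterns. The sample input is a constructed excerpt of the lines shown above, embedded so the script runs offline; the category names and the `find_suspicious` function are my own naming.

```python
import re

# Constructed sample: a subset of the lines from the HijackThis log above,
# plus two benign entries, so the script has something to run on offline.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TEMP\windnifjm.exe
C:\WINDOWS\TEMP\wininvuve.exe
C:\WINDOWS\TEMP\winqbrn.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\TEMP\windnifjm.exe"
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe
"""

# Any path component named "temp" (C:\WINDOWS\TEMP\, ...\Local Settings\Temp\).
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)
# HijackThis item lines start with a code such as "F2 - " or "O23 - ".
ITEM_CODE = re.compile(r"^[A-Z]\d{1,2} - ")
SHELL_VALUE = re.compile(r"^F2 - REG:system\.ini: Shell=(.*)$")


def find_suspicious(log_text):
    """Return a list of (category, line) for the indicators worth a second look."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        # The process list ends at the first item-code line.
        if ITEM_CODE.match(line):
            in_processes = False
        if in_processes:
            if TEMP_DIR.search(line):
                findings.append(("process-from-temp", line))
            continue
        m = SHELL_VALUE.match(line)
        if m:
            # The only legitimate value on XP is the bare "Explorer.exe".
            if m.group(1).strip().lower() != "explorer.exe":
                findings.append(("shell-hijack", line))
            continue
        if line.startswith("O10 - Unknown file in Winsock LSP:"):
            findings.append(("unknown-lsp", line))
            continue
        if line.startswith("O23 - Service:") and " - Unknown owner - " in line:
            findings.append(("service-unknown-owner", line))
    return findings


if __name__ == "__main__":
    for category, line in find_suspicious(SAMPLE_LOG):
        print(f"{category:22s} {line}")
```

Run against the sample it reports the three TEMP executables, the `Shell=` line that appends `windnifjm.exe` to Explorer.exe, the nwprovau.dll LSP entry and the Ventrilo service. The LSP and "Unknown owner" hits are leads rather than verdicts (nwprovau.dll is the NetWare client provider and Ventrilo is a game voice server), which is why the script reports categories and lets a person judge each line.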