Hijack log [RESOLVED]



#16 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
no problem, i will be here :)

#17 jerris2 (Topic Starter, Member, 35 posts)
AndrewUK:

Ok, finally have that last log - here it is, I have not disinfected as reported in the log. Please advise of next step. Thanks



;*******************************************************************************
ANALYSIS: 2008-03-28 20:33:06
PROTECTIONS: 2
MALWARE: 16
SUSPECTS: 0
;*******************************************************************************
PROTECTIONS
Description Version Active Updated
;===============================================================================
McAfee Internet Security Suite 2007 7.2 No Yes
McAfee VirusScan Plus 11.2 No Yes
;===============================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00020942 adware/exact.bargainbuddy Adware No 0 Yes No c:\winnt\launcher.exe
00027660 adware/savenow Adware No 0 Yes No hkey_local_machine\software\dsi
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\fr.bak\Application Data\Mozilla\Firefox\Profiles\5p6ldyrg.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\fr.bak\Application Data\Mozilla\Firefox\Profiles\5p6ldyrg.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\fr.bak\Application Data\Mozilla\Firefox\Profiles\5p6ldyrg.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\fr.bak\Application Data\Mozilla\Firefox\Profiles\5p6ldyrg.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\fr.bak\Application Data\Mozilla\Firefox\Profiles\5p6ldyrg.default\cookies.txt[.trafficmp.com/]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\fr.bak\Application Data\Mozilla\Firefox\Profiles\5p6ldyrg.default\cookies.txt[.atdmt.com/]
00139535 Application/Processor HackTools No 0 Yes No C:\WINNT\system32\Process.exe
00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\fr.bak\Desktop\SmitfraudFix\Process.exe
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\fr.bak\Application Data\Mozilla\Firefox\Profiles\5p6ldyrg.default\cookies.txt[.fastclick.net/]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\fr.bak\Application Data\Mozilla\Firefox\Profiles\5p6ldyrg.default\cookies.txt[.fastclick.net/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\fr.bak\Application Data\Mozilla\Firefox\Profiles\5p6ldyrg.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\fr.bak\Application Data\Mozilla\Firefox\Profiles\5p6ldyrg.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\fr.bak\Application Data\Mozilla\Firefox\Profiles\5p6ldyrg.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\fr.bak\Application Data\Mozilla\Firefox\Profiles\5p6ldyrg.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\fr.bak\Application Data\Mozilla\Firefox\Profiles\5p6ldyrg.default\cookies.txt[ad.yieldmanager.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\fr.bak\Application Data\Mozilla\Firefox\Profiles\5p6ldyrg.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\fr.bak\Application Data\Mozilla\Firefox\Profiles\5p6ldyrg.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\fr.bak\Application Data\Mozilla\Firefox\Profiles\5p6ldyrg.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\fr.bak\Application Data\Mozilla\Firefox\Profiles\5p6ldyrg.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\fr.bak\Application Data\Mozilla\Firefox\Profiles\5p6ldyrg.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\fr.bak\Application Data\Mozilla\Firefox\Profiles\5p6ldyrg.default\cookies.txt[.serving-sys.com/]
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\fr.bak\Application Data\Mozilla\Firefox\Profiles\5p6ldyrg.default\cookies.txt[.bs.serving-sys.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\fr.bak\Application Data\Mozilla\Firefox\Profiles\5p6ldyrg.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\fr.bak\Application Data\Mozilla\Firefox\Profiles\5p6ldyrg.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\fr.bak\Application Data\Mozilla\Firefox\Profiles\5p6ldyrg.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\fr.bak\Application Data\Mozilla\Firefox\Profiles\5p6ldyrg.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\fr.bak\Application Data\Mozilla\Firefox\Profiles\5p6ldyrg.default\cookies.txt[.advertising.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\fr.bak\Application Data\Mozilla\Firefox\Profiles\5p6ldyrg.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\fr.bak\Application Data\Mozilla\Firefox\Profiles\5p6ldyrg.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\fr.bak\Application Data\Mozilla\Firefox\Profiles\5p6ldyrg.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\fr.bak\Application Data\Mozilla\Firefox\Profiles\5p6ldyrg.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\fr.bak\Application Data\Mozilla\Firefox\Profiles\5p6ldyrg.default\cookies.txt[.zedo.com/]
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\fr.bak\Application Data\Mozilla\Firefox\Profiles\5p6ldyrg.default\cookies.txt[.adrevolver.com/]
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\fr.bak\Application Data\Mozilla\Firefox\Profiles\5p6ldyrg.default\cookies.txt[.adrevolver.com/]
00346367 Adware/VideoActiveXObject Adware No 0 Yes No C:\QooBox\Quarantine\C\Program Files\Video ActiveX Object\uninst.exe.vir
00517584 Application/SuperFast HackTools No 0 Yes No C:\Documents and Settings\fr.bak\Desktop\SmitfraudFix\restart.exe
02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\Documents and Settings\fr.bak\Desktop\SmitfraudFix\Reboot.exe
02893893 Trj/Bancos.RQ Virus/Trojan No 0 No No C:\Documents and Settings\fr.bak\Desktop\ComboFix.exe[327882R2FWJFW\pv.cfexe]
;===============================================================================
SUSPECTS
Location
;===============================================================================
;===============================================================================

#18 jerris2 (Topic Starter, Member, 35 posts)
Andrew:

Just noticed this log is extremely difficult to read as opposed to the txt file it was saved with. It appears that that last item is the only one the program has indicated is NOT disinfectable (trojan bancos). That doesn't sound good to me (a novice). Anyways

#19 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
i can read it, i will be back with instructions soon

#20 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
the malwarebytes and SUPERantispyware scans cleared away remnants of past infections. the Panda Total Scan only found one new infected file which we will clear (the rest were either cookies or fix tools we used or already safely quarantined away - as, for example, is the item you mentioned)

in this post we will clear those final infections away and see how your machine is running now


1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\winnt\launcher.exe

Registry::
[-hkey_local_machine\software\dsi]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[Posted Image: animation of CFScript.txt being dragged onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

and could you tell me how your machine is running now?

andrewuk
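
The triage andrewuk applies above to the Panda report in post #17 (tracking cookies are noise, hits inside the SmitfraudFix and ComboFix folders or the QooBox quarantine are the helper's own tools or already contained, and whatever is left goes into the CFScript) can be written down as a small parser. The Python below is an added example, not code from the thread, from Panda or from ComboFix. The sample lines are a constructed excerpt in the report's own column layout; the path markers and the list of SmitfraudFix component binaries (Process.exe, restart.exe, Reboot.exe) are this example's allowlist assumptions, and the File:: / Registry:: with [-key] layout of the generated script is the one shown in the post above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed excerpt of a Panda ActiveScan MALWARE table, in the column order the
# report itself declares (Id Description Type Active Severity Disinfectable
# Disinfected Location). Assembled for this example; it is not the full report.
SAMPLE_REPORT = r"""
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00020942 adware/exact.bargainbuddy Adware No 0 Yes No c:\winnt\launcher.exe
00027660 adware/savenow Adware No 0 Yes No hkey_local_machine\software\dsi
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\fr.bak\Application Data\Mozilla\Firefox\Profiles\5p6ldyrg.default\cookies.txt[.trafficmp.com/]
00139535 Application/Processor HackTools No 0 Yes No C:\WINNT\system32\Process.exe
00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\fr.bak\Desktop\SmitfraudFix\Process.exe
00346367 Adware/VideoActiveXObject Adware No 0 Yes No C:\QooBox\Quarantine\C\Program Files\Video ActiveX Object\uninst.exe.vir
02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\Documents and Settings\fr.bak\Desktop\SmitfraudFix\Reboot.exe
02893893 Trj/Bancos.RQ Virus/Trojan No 0 No No C:\Documents and Settings\fr.bak\Desktop\ComboFix.exe[327882R2FWJFW\pv.cfexe]
;===============================================================================
SUSPECTS
Location
"""

# The description column may contain spaces ("Cookie/Traffic Marketplace"), so it
# is matched non-greedily and anchored by the fixed-shape columns that follow it.
ROW_RE = re.compile(
    r"^(?P<id>\d{8}) (?P<desc>.+?) (?P<kind>\S+) (?P<active>Yes|No) "
    r"(?P<severity>\d+) (?P<disinfectable>Yes|No) (?P<disinfected>Yes|No) "
    r"(?P<location>.+)$"
)

# Allowlist assumptions for this example: folders/archives of the removal tools used
# in the thread, and the SmitfraudFix component binaries that get flagged as HackTools.
TOOL_PATH_MARKERS = ("\\smitfraudfix\\", "\\combofix.exe[", "\\qoobox\\quarantine\\")
TOOL_BINARIES = {"process.exe", "restart.exe", "reboot.exe"}


@dataclass
class Hit:
    hit_id: str
    description: str
    kind: str
    active: bool
    severity: int
    disinfectable: bool
    disinfected: bool
    location: str

    @property
    def is_registry(self) -> bool:
        """Registry hits are written to the Registry:: section, not File::."""
        return self.location.lower().startswith(("hkey_", "hklm\\", "hkcu\\"))


def parse_report(text: str) -> List[Hit]:
    """Return one Hit per MALWARE row; headers, separators and SUSPECTS are skipped."""
    hits = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        g = m.groupdict()
        hits.append(Hit(g["id"], g["desc"], g["kind"], g["active"] == "Yes",
                        int(g["severity"]), g["disinfectable"] == "Yes",
                        g["disinfected"] == "Yes", g["location"]))
    return hits


def classify(hit: Hit) -> str:
    """Bucket a hit: cookie noise, our own tools / quarantine, or an open item."""
    loc = hit.location.lower()
    if hit.kind == "TrackingCookie":
        return "cookie"
    if any(marker in loc for marker in TOOL_PATH_MARKERS):
        return "tool_or_quarantine"
    if loc.rsplit("\\", 1)[-1] in TOOL_BINARIES:
        return "tool_or_quarantine"
    return "open"


def triage(text: str) -> Dict[str, List[Hit]]:
    buckets: Dict[str, List[Hit]] = {"cookie": [], "tool_or_quarantine": [], "open": []}
    for hit in parse_report(text):
        buckets[classify(hit)].append(hit)
    return buckets


def not_disinfectable(hits: List[Hit]) -> List[str]:
    """Descriptions of rows the scanner marked Disinfectable = No (post #18's worry)."""
    return [h.description for h in hits if not h.disinfectable]


def to_cfscript(open_hits: List[Hit]) -> str:
    """Render the open items in the CFScript layout used in the post above."""
    files = [h.location for h in open_hits if not h.is_registry]
    keys = [h.location for h in open_hits if h.is_registry]
    parts = []
    if files:
        parts.append("File::\n" + "\n".join(files))
    if keys:
        parts.append("Registry::\n" + "\n".join(f"[-{k}]" for k in keys))
    return "\n\n".join(parts)


if __name__ == "__main__":
    buckets = triage(SAMPLE_REPORT)
    for name, hits in buckets.items():
        print(f"{name}: {len(hits)}")
    print("not disinfectable:", not_disinfectable(parse_report(SAMPLE_REPORT)))
    print(to_cfscript(buckets["open"]))
```

On the excerpt this leaves exactly the two items andrewuk scripted (launcher.exe and the dsi key) in the open bucket, and shows that the one non-disinfectable row, Trj/Bancos.RQ, sits inside the ComboFix archive rather than loose on the disk, which is why it is treated as contained rather than as a new infection.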

#21 jerris2 (Topic Starter, Member, 35 posts)
Andrew:

I seem to have lost that icon. So I can't do as you indicated. Please give me alternate instructions. I have a couple of internet connection issues. When I use desktop icon in regular mode, I have real problems. If I go to start open up programs, window explorer, then go back to C: and click on internet explorer = it seems to open up and run fine. Do I simply need to delete the icon and reset it? May need instruction for that. Also I do have Mozilla Firefox, so could I if I chose to uninstall windows explorer then reinstall from whatever source, possibly microsoft website thru firefox connection? In firefox in safe mode I sometimes get shockwave flash error, recently uninstalled Adobe Flash Player 9.0 I think. If you want to finish what you were trying to walk me thru first and then go back to my other software questions, this is fine. So, still need instructions on how to get combofix to process your last instruction to me.

Thanks

#22 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
we will go another route and run an additional program to see if we can sort your icons out.

I have a couple of internet connection issues. When I use desktop icon in regular mode, I have real problems. If I go to start open up programs, window explorer, then go back to C: and click on internet explorer = it seems to open up and run fine. Do I simply need to delete the icon and reset it? May need instruction for that. Also I do have Mozilla Firefox, so could I if I chose to uninstall windows explorer then reinstall from whatever source, possibly microsoft website thru firefox connection? In firefox in safe mode I sometimes get shockwave flash error, recently uninstalled Adobe Flash Player 9.0 I think. If you want to finish what you were trying to walk me thru first and then go back to my other software questions, this is fine. So, still need instructions on how to get combofix to process your last instruction to me.

that may be beyond my knowledge but we can try a couple of things i know. otherwise, we will wrap up the malware issues and then take a look at those issues, though i suspect if they persist i will be pointing you to other parts of this forum.


====STEP 1====
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    c:\winnt\launcher.exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    purity
    hkey_local_machine\software\dsi
  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


====STEP 2====
click on Start, click on Run
copy and paste the following in bold in the open window and then click OK
"%userprofile%\desktop\dss.exe" /daft
This will open up Deckard's File Association Tool
  • Click on the Scan button.
  • Select everything it is displaying there
  • Click the Fix button.
  • Then rescan with DAFT again - it should say now that "All associations are OK"
  • Close DAFT if you receive that message. This means that it is fixed now.

====STEP 3====
click on Start, click on Run
copy and paste the following in bold in the open window and then click OK
regsvr32 /i shell32.dll



In your next reply could i see:
1. the OTMoveIT log
2. a new hijackthis log
3. some idea of how your machine is running now

andrewuk

#23 jerris2 (Topic Starter, Member, 35 posts)
Andrew:

I might have spoken a little too soon. When in regular mode it still sometimes has what seems to be time out issues like before. So, maybe we should finish the malware issues then I can test it again?? I still have to reboot in reg mode and sometimes in safe mode to download properly. Then I can switch back to reg mode to run the application from the desktop (that's what I've been doing). Or do you want me to try as you suggested with the icon thing first?

#24 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
no harm in trying the icon fixes first.

#25 jerris2 (Topic Starter, Member, 35 posts)
Step 1:

c:\winnt\launcher.exe moved successfully.
[Custom Input]
< purity >
< hkey_local_machine\software\dsi >
Registry key hkey_local_machine\software\dsi\\ deleted successfully.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03292008_230504

#26 jerris2 (Topic Starter, Member, 35 posts)
I had a problem getting Step 2 to work properly. The path where dss.exe was located was different from the one you wanted me to use. When I simply clicked on that icon it ran the exe file and the following generated. However, I was unable to get the file association tool to run as instructed. Haven't done this yet, but there are probably three subdirectories to go thru for where you indicated desktop. I believe what happened is that somehow the system moved many of those things that were in the desktop to c:\documents and settings\fr.bak\desktop. Should I manually move them back and try to then follow your instructions again?



Deckard's System Scanner v20071014.68
Run by friend on 2008-03-29 23:21:21
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as friend.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:21, on 2008-03-29
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\System32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINNT\system32\TpKmpSVC.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4serv.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINNT\system32\RaConfig2500.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINNT\System32\taskmgr.exe
C:\Documents and Settings\fr.bak\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\friend.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RaConfig2500.lnk = C:\WINNT\system32\RaConfig2500.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,26/mcgdmgr.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINNT\system32\TpKmpSVC.exe

--
End of file - 7691 bytes

-- Files created between 2008-02-29 and 2008-03-29 -----------------------------

2008-03-29 21:55:05 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_488.dat
2008-03-29 14:53:46 553796 ---h----- C:\WINNT\ShellIconCache
2008-03-28 21:45:55 0 d-------- C:\Documents and Settings\friend\Application Data\Logitech
2008-03-28 21:29:52 3712 --a------ C:\WINNT\system32\drivers\LBeepKE.sys <Not Verified; Logitech Inc.; Logitech SetPoint>
2008-03-28 21:29:51 69632 --a------ C:\WINNT\system32\KemXML.dll <Not Verified; Logitech Inc.; Logitech SetPoint>
2008-03-28 21:29:51 110592 --a------ C:\WINNT\system32\KemWnd.dll <Not Verified; Logitech Inc.; Logitech SetPoint>
2008-03-28 21:29:51 131072 --a------ C:\WINNT\system32\KemUtil.dll <Not Verified; Logitech Inc.; Logitech SetPoint>
2008-03-28 21:29:51 155648 --a------ C:\WINNT\system32\kemutb.dll <Not Verified; Logitech Inc.; Logitech SetPoint>
2008-03-28 21:29:47 0 d-------- C:\Program Files\Common Files\Logitech
2008-03-28 21:29:30 0 d-------- C:\Program Files\Logitech
2008-03-28 19:16:02 0 d-------- C:\Program Files\Panda Security
2008-03-27 22:10:06 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-27 22:09:43 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-03-27 22:09:43 0 d-------- C:\Documents and Settings\friend\Application Data\SUPERAntiSpyware.com
2008-03-27 22:08:44 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-27 21:45:17 0 d---s---- C:\Documents and Settings\friend\UserData
2008-03-27 19:26:03 0 d-------- C:\Documents and Settings\friend\Application Data\Malwarebytes
2008-03-27 19:25:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-27 19:25:51 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-27 19:14:23 0 d-------- C:\Documents and Settings\friend\Application Data\Adobe
2008-03-27 19:11:42 0 d-------- C:\Documents and Settings\friend\Application Data\Mozilla
2008-03-27 17:56:44 0 d-------- C:\Documents and Settings\friend\Application Data\Google
2008-03-27 17:52:00 0 d-------- C:\Documents and Settings\friend\Application Data\Share-to-Web Upload Folder
2008-03-27 17:50:18 0 d-------- C:\Documents and Settings\friend\Application Data\Identities
2008-03-27 17:47:57 0 dr------- C:\Documents and Settings\friend\Favorites
2008-03-27 17:47:57 0 d-------- C:\Documents and Settings\friend\Desktop
2008-03-27 17:47:57 0 d---s---- C:\Documents and Settings\friend\Cookies
2008-03-27 17:47:57 0 d--h----- C:\Documents and Settings\friend\Application Data
2008-03-27 17:47:57 0 d-------- C:\Documents and Settings\friend\Application Data\Macromedia
2008-03-27 17:47:56 0 d--h----- C:\Documents and Settings\friend\Templates
2008-03-27 17:47:56 0 d-------- C:\Documents and Settings\friend\Start Menu
2008-03-27 17:47:56 0 d--h----- C:\Documents and Settings\friend\SendTo
2008-03-27 17:47:56 0 dr-h----- C:\Documents and Settings\friend\Recent
2008-03-27 17:47:56 0 d--h----- C:\Documents and Settings\friend\PrintHood
2008-03-27 17:47:56 0 d--h----- C:\Documents and Settings\friend\NetHood
2008-03-27 17:47:56 0 d-------- C:\Documents and Settings\friend\My Documents
2008-03-27 17:47:56 0 d--h----- C:\Documents and Settings\friend\Local Settings
2008-03-27 17:47:55 610304 --ah----- C:\Documents and Settings\friend\NTUSER.DAT
2008-03-27 17:46:17 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_5bc.dat
2008-03-26 22:41:28 25600 --a------ C:\WINNT\system32\WS2Fix.exe
2008-03-26 22:41:28 289144 --a------ C:\WINNT\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-03-26 22:41:28 86528 --a------ C:\WINNT\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-03-26 22:41:28 82432 --a------ C:\WINNT\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-03-26 22:41:28 51200 --a------ C:\WINNT\system32\dumphive.exe
2008-03-26 22:41:27 288417 --a------ C:\WINNT\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-03-26 22:41:27 53248 --a------ C:\WINNT\system32\Process.exe
2008-03-26 20:54:45 2396 --a------ C:\WINNT\system32\tmp.reg
2008-03-26 18:13:30 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_500.dat
2008-03-26 18:13:13 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_4b0.dat
2008-03-26 18:12:55 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_324.dat
2008-03-25 20:13:30 68096 --a------ C:\WINNT\system32\zip.exe
2008-03-25 20:13:30 98816 --a------ C:\WINNT\system32\sed.exe
2008-03-25 20:13:30 80412 --a------ C:\WINNT\system32\grep.exe
2008-03-25 20:13:30 73728 --a------ C:\WINNT\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-03-24 20:02:08 2359 --a------ C:\WINNT\mozver.dat
2008-03-23 21:20:22 0 d-------- C:\Documents and Settings\fr.bak\Application Data\Printer Info Cache
2008-03-23 11:55:17 0 d-------- C:\Program Files\Hewlett-Packard
2008-03-23 10:00:05 0 d-------- C:\Program Files\CCleaner
2008-03-22 16:38:42 3840 --a------ C:\WINNT\system32\drivers\BANTExt.sys
2008-03-22 16:38:42 0 d-------- C:\Program Files\Belarc
2008-03-20 21:27:46 0 d-------- C:\Documents and Settings\fr.bak\Application Data\Image Zone Express
2008-03-17 22:20:46 0 d-------- C:\Program Files\Trend Micro
2008-03-14 21:08:29 0 --a------ C:\WINNT\nsreg.dat
2008-03-14 21:08:25 0 d-------- C:\Documents and Settings\fr.bak\Application Data\Mozilla
2008-03-09 10:16:34 0 d-------- C:\WINNT\system32\Windows Media
2008-03-09 10:13:17 0 d--h---c- C:\WINNT\$NtUpdateRollupPackUninstall$
2008-03-09 10:13:04 0 d-------- C:\WINNT\msiinst.tmp
2008-03-09 09:46:20 0 d-------- C:\Documents and Settings\fr.bak\Application Data\Lavasoft
2008-03-08 13:17:01 0 d-------- C:\monitor
2008-03-08 13:11:00 0 d--h----- C:\WINNT\PIF
2008-03-08 09:14:53 0 d-------- C:\Documents and Settings\fr.bak\Application Data\McAfee
2008-03-08 08:52:19 0 d-------- C:\WINNT\system32\BITS
2008-03-07 22:00:15 0 d-------- C:\WINNT\system32\SoftwareDistribution
2008-03-07 21:42:30 143360 --a------ C:\WINNT\system32\dunzip32.dll <Not Verified; Inner Media, Inc.; DynaZIP-32 Multi-Threading UnZIP DLL>
2008-03-07 21:39:23 0 d-------- C:\Program Files\McAfee.com
2008-03-07 21:39:22 0 d-------- C:\Program Files\Common Files\McAfee
2008-03-07 21:39:16 0 d-------- C:\Program Files\McAfee
2008-03-07 21:32:08 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-06 21:26:28 0 d-------- C:\WINNT\SoftwareDistribution
2008-03-06 18:55:08 0 d-------- C:\Documents and Settings\fr.bak\Application Data\Adobe


-- Find3M Report ---------------------------------------------------------------

2008-03-28 21:29:30 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-27 22:08:44 0 d-a------ C:\Program Files\Common Files
2008-03-11 22:16:58 0 d-------- C:\Program Files\RegistryFix
2008-03-11 22:16:19 0 d-------- C:\Program Files\Free Registry Fix
2008-03-07 21:58:51 0 d-ah----- C:\Program Files\WindowsUpdate
2008-02-13 22:01:17 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_410.dat
2008-01-17 10:59:28 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_3d0.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrackPointSrv"="tp4serv.exe" [05-07-13 03:55 C:\WINNT\system32\tp4serv.exe]
"Synchronization Manager"="mobsync.exe" [03-06-19 14:05 C:\WINNT\system32\mobsync.exe]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [02-10-23 10:15 ]
"TPHOTKEY"="C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [05-08-29 14:15 ]
"TP4EX"="tp4ex.exe" [05-08-24 01:10 C:\WINNT\system32\TP4EX.exe]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [05-04-20 01:38 ]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [05-09-01 02:21 ]
"tgcmd"="C:\Program Files\support.com\bin\tgcmd.exe" [02-04-24 20:37 ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [08-01-11 22:16 ]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [01-07-03 09:11 ]
"Logitech Hardware Abstraction Layer"="C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [06-07-19 12:03 ]
"@"="" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [08-02-29 16:03 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-03-28 21:39:31]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 22:05:56]
RaConfig2500.lnk - C:\WINNT\system32\RaConfig2500.exe [2005-12-10 11:14:22]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2005-12-31 10:12:11]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [06-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 07-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
notifyf2.dll 05-07-05 23:45 28672 C:\WINNT\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
tphklock.dll 05-06-16 22:23 24576 C:\WINNT\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

-- End of Deckard's System Scanner: finished at 2008-03-29 23:22:06 ------------
  • 0

#27
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
We will run that program another way, and I want to scan for another type of infection. It's a long shot, but there is no harm in doing it:

===STEP 1====
Please download DAFT and save it to your desktop:
  • Double-click the daft.exe icon.
  • Click on the Scan button.
  • Select everything it is displaying there
  • Click the Fix button.
  • Then rescan with DAFT again; it should now say "All associations are OK".
  • Close DAFT if you receive that message. This means that it is fixed now.

===STEP 2====
Click on Start, then click on Run.
Copy and paste the following (in bold) into the open window, then click OK:
regsvr32 /i shell32.dll



===STEP 3====
Download FindAWF.exe from here or here, and save it to your desktop.
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 1, then press Enter
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.

andrewuk
  • 0

#28
jerris2

jerris2

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
Andrew
I completed steps 1 and 2; 2 errors were found and corrected. After step 1 of FindAWF (step 3) this is the result. Is this normal? I didn't move past this step.

Thanks
Jeff


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Sun 2008-03-30
The current time is: 15:36:52.53


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report
  • 0

#29
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts

After step 1 of FindAWF (step 3) this is the result. Is this normal? I didn't move past this step.

This is normal; it indicates that you do not have this infection, which is good news :) . No need to go any further with it.

I believe what happened is that somehow the system moved many of those things that were on the desktop to c:\documents and settings\fr.bak\desktop. Should I manually move them back and then try to follow your instructions again?

Do you recognise fr.bak? Any idea why your system should move things to this folder?

Also, could you give me a description of how your system is running now?

andrewuk
  • 0

#30
jerris2

jerris2

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
Andrew:

That directory did not exist until just recently; those files were moved during one of the downloads and executions that you had me perform. The system itself seems better, although I am still having issues with whatever internet connection I use. In safe mode I seem to get that error message about Shock Flash causing activity to cease. In regular mode, sometimes I can open up an initial screen, but when I click to go to an option, it basically slows down to a crawl and seems to time out (still). I haven't done a whole lot in the other applications so I can't say for sure, although it does feel more responsive. Wonder what the next step might be? Uninstall and then reinstall Internet Explorer, perhaps?
  • 0