
Trouble with lsass.exe, ddccy.dll [RESOLVED]


This topic is locked.

#1 Revolution660 (Member, 15 posts)
Description again: lsass.exe consistently taking up ~20% processor, AVG continually reports that ddccy.dll is infected

Trying to heal or remove ddccy.dll with AVG has no effect, and it just continues to remind me of the problem.

I got some sort of infection a couple weeks ago - I think it was the Outerinfo one with possibly some other badness. I did my best to inspect my pc and remove what I could. I fear a couple things: first, that some of it is still there, and second, that I may have removed some things I shouldn't have (such as dll's or registry entries).

Also - I had trouble with Command.exe - which would take up some processor and (I think) open up browser windows on me. I think I got rid of it (it doesn't run anymore), but I get a message upon startup (when I get to Windows, but before anything else happens) that says it can't find command.exe - so it's still trying to be opened.

Occasionally I still get browser windows popping up.

I did everything in the 'read this before posting' page, except I couldn't get the Panda Scan to run. I tried it in both Opera and Firefox, but when I clicked 'Scan Now', the window popped up but nothing was in it.

I hope I'm in the right place here, and thanks in advance to anyone reading this. I am most worried about why lsass.exe is taking up the processor, because it is slowing things down in general. If I try to play a video file or do something more intensive, it is skippy.

So that about summarizes it, here's my HijackThis:

------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:08:51 PM, on 3/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS.1\System32\smss.exe
C:\WINDOWS.1\system32\winlogon.exe
C:\WINDOWS.1\system32\services.exe
C:\WINDOWS.1\system32\lsass.exe
C:\WINDOWS.1\system32\Ati2evxx.exe
C:\WINDOWS.1\system32\svchost.exe
C:\WINDOWS.1\System32\svchost.exe
C:\WINDOWS.1\system32\Ati2evxx.exe
C:\WINDOWS.1\Explorer.EXE
C:\WINDOWS.1\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Alcohol Soft [Pro2]\Alcohol 120\StarWind\StarWindService.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS.1\system32\wscntfy.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS.1\system32\wuauclt.exe
C:\WINDOWS.1\system32\taskswitch.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS.1\system32\Rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS.1\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {413BEFC4-0356-0E88-5110-2E00CECFDC9F} - C:\WINDOWS.1\system32\tnrmcmid.dll (file missing)
O2 - BHO: (no name) - {5F713D4F-B2D6-4EFF-AE68-515677E71C11} - C:\WINDOWS.1\system32\ddccy.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {ED120D76-BF31-412C-A99B-783C6676E128} - C:\WINDOWS.1\system32\nnnmmjj.dll (file missing)
O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS.1\system32\taskswitch.exe
O4 - HKLM\..\Run: [{5B6DE3E0-0702-1033-0224-060503310001}] "C:\Program Files\Common Files\{5B6DE3E0-0702-1033-0224-060503310001}\Update.exe" mc-110-12-0001291
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [BM585ed0d3] Rundll32.exe "C:\WINDOWS.1\system32\ijuhurvv.dll",s
O4 - HKCU\..\Run: [xInsIDE] C:\Program Files\xInsIDE\xInsIDE.exe
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [zqwu] C:\PROGRA~1\COMMON~1\zqwu\zqwum.exe
O4 - HKCU\..\Run: [JavaCore] C:\Program Files\JavaCore\JavaCore.exe
O4 - HKCU\..\Run: [NoDNS] C:\Program Files\\NoDNS\\NoDNS.exe
O4 - HKCU\..\Run: [Rurt] "C:\WINDOWS.1\system32\YMANTE~1\taskmgr.exe" -vt ndrv
O4 - HKCU\..\Run: [Eijjjca] "C:\Program Files\s?stem32\r?ndll.exe"
O4 - HKCU\..\Run: [Ukn] "C:\Program Files\Common Files\F?nts\l?gonui.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: nnnmmjj - nnnmmjj.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS.1\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS.1\system32\ati2sgag.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft [Pro2]\Alcohol 120\StarWind\StarWindService.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Outlook Express\rteprehd.html

--
End of file - 6388 bytes


------------------------------------------------------------------------------------------

Uninstall List:


7-Zip 4.57
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Shockwave Player
Alt-Tab Task Switcher Powertoy for Windows XP
AnyDVD
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Control Panel
ATI Display Driver
AVG 8.0
Big Kahuna Words
Bonjour
CloneDVD2
Conexant AC-Link Audio
Creative Jukebox Driver
[bleep] NFO Viewer 2.10.0031 RC3
DivX Codec
DivX Converter
DivX Web Player
EA downloader
EA SPORTS online 2007
FIFA 08
Full Tilt Poker
Growler Guncam
HijackThis 2.0.2
Hurrican 1.0.0.4
Image Resizer Powertoy for Windows XP
iTunes
Java™ 6 Update 3
Marblez
Microsoft .NET Framework 2.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (2.0.0.12)
Mystery Case Files Huntsville
NYKO Gamepad Mapping Tools 2.0.0
Paint.NET v3.22
QuickTime
Realtek AC'97 Audio
Replay Music 2.51
SecondLife (remove only)
Snood for Windows version 3.01-W
SUPERAntiSpyware Free Edition
Synaptics Pointing Device Driver
Takatis - A Tribute To Manfred Trenz
Task Killer (remove only)
The Nightshift Code
Tiger Woods PGA TOUR 07
Tony Hawk's American Wasteland ™
Tony Hawk's Pro Skater 2
Tony Hawks Pro Skater 4
Virtual Desktop Manager Powertoy for Windows XP
Winamp
XviD MPEG-4 Video Codec
Yahoo! Install Manager
Yahoo! Widgets


#2 Revolution660 (Topic Starter, Member, 15 posts)
Update: AVG says that ddccy.dll is infected with 'Trojan horse Generic9.BHIL'.

Help?

#3 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
Hi Revolution660

Welcome to geekstogo :)

Sorry to keep you waiting. Let's do a deeper scan of your machine for me to analyse.

(If your problem has already been resolved, could you just let me know so that I can move on to other logs to help others, thanks.)

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

You may need to post the logs over two replies to ensure all the information is posted.

andrewuk

#4 Revolution660 (Topic Starter, Member, 15 posts)
Waiting Room Request and Update:

Originally Posted Mar 20 2008, 04:09 PM

I think I've taken care of the biggest problem with this issue, which was that lsass.exe was taking up ~20% of my processor. In safe mode, I ran AVG's command line scanner (the only AVG scanner that works in safe mode, as far as I know). It took about eight hours... But upon restart, lsass.exe is using 0% of the processor and my fan is finally getting a rest.

However, AVG still tells me that ddccy.dll is infected with 'Trojan horse Generic9.BHIL', which is the same thing it said lsass.exe was infected with. It also occasionally tells me there is a bad dll in a Windows restore point (I think).

I also unchecked a couple of items in msconfig's startup section that seemed suspicious to me: ijuhurvv.dll, in system32, and zqwum.exe, in program files\common files\zqwu\zqwum.exe. The latter no longer exists, but ijuhurvv.dll does, and it seems that a number of programs are accessing it. Taking it off the startup list I think helped in getting rid of the 'command.exe' message I was getting at startup.

Lastly, Spybot S&D always reports that I have this:

Smitfraud-C.CoreService: Data (File, fixing failed)
C:\WINDOWS.1\system32\drivers\core.cache.dsk

...and as you maybe can see it is unable to fix it, even when it is run immediately at startup (WINDOWS.1 is my correct Windows folder). Any ideas here?

#5 Revolution660 (Topic Starter, Member, 15 posts)
Thanks for your help. Here is DSS, main.txt followed by extra.txt:


Deckard's System Scanner v20071014.68
Run by Administrator on 2008-03-24 15:52:12
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
7: 2008-03-24 19:52:24 UTC - RP90 - Deckard's System Scanner Restore Point
6: 2008-03-24 17:51:11 UTC - RP89 - Software Distribution Service 3.0
5: 2008-03-24 02:21:52 UTC - RP88 - System Checkpoint
4: 2008-03-22 23:27:56 UTC - RP87 - Software Distribution Service 3.0
3: 2008-03-22 19:24:54 UTC - RP86 - System Checkpoint


-- First Restore Point --
1: 2008-03-20 19:56:14 UTC - RP84 - 3-20 prehijack


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 7 GiB (less than 15%) free.


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:53:08 PM, on 3/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS.1\System32\smss.exe
C:\WINDOWS.1\system32\winlogon.exe
C:\WINDOWS.1\system32\services.exe
C:\WINDOWS.1\system32\lsass.exe
C:\WINDOWS.1\system32\Ati2evxx.exe
C:\WINDOWS.1\system32\svchost.exe
C:\WINDOWS.1\System32\svchost.exe
C:\WINDOWS.1\system32\Ati2evxx.exe
C:\WINDOWS.1\Explorer.EXE
C:\WINDOWS.1\system32\spoolsv.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS.1\system32\taskswitch.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS.1\system32\Rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Alcohol Soft [Pro2]\Alcohol 120\StarWind\StarWindService.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Documents and Settings\Administrator.TYLERSPRO2\Desktop\Deckard's System Scanner (DSS).exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {413BEFC4-0356-0E88-5110-2E00CECFDC9F} - C:\WINDOWS.1\system32\tnrmcmid.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS.1\system32\taskswitch.exe
O4 - HKLM\..\Run: [{5B6DE3E0-0702-1033-0224-060503310001}] "C:\Program Files\Common Files\{5B6DE3E0-0702-1033-0224-060503310001}\Update.exe" mc-110-12-0001291
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [BM585ed0d3] Rundll32.exe "C:\WINDOWS.1\system32\ijuhurvv.dll",s
O4 - HKCU\..\Run: [Rurt] "C:\WINDOWS.1\system32\YMANTE~1\taskmgr.exe" -vt ndrv
O4 - HKCU\..\Run: [Eijjjca] "C:\Program Files\s?stem32\r?ndll.exe"
O4 - HKCU\..\Run: [Ukn] "C:\Program Files\Common Files\F?nts\l?gonui.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: nnnmmjj - nnnmmjj.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS.1\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS.1\system32\ati2sgag.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft [Pro2]\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 5404 bytes

-- File Associations -----------------------------------------------------------

.bat - batfile - shell\edit\command - fgherghjfg.exe %1
.ini - inifile - shell\open\command - fgherghjfg.exe %1
.reg - regfile - shell\edit\command - fgherghjfg.exe %1
.txt - txtfile - shell\open\command - fgherghjfg.exe %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Vax347b - c:\windows.1\system32\drivers\vax347b.sys
R0 Vax347s - c:\windows.1\system32\drivers\vax347s.sys
R1 intelppmm - c:\windows.1\system32\drivers\intelppmm.sys
R2 ElbyCDIO (ElbyCDIO Driver) - c:\windows.1\system32\drivers\elbycdio.sys <Not Verified; Elaborate Bytes AG; CDRTools>
R3 AnyDVD - c:\windows.1\system32\drivers\anydvd.sys <Not Verified; SlySoft, Inc.; AnyDVD>
R3 ElbyDelay - c:\windows.1\system32\drivers\elbydelay.sys <Not Verified; Elaborate Bytes AG; CDRTools>

S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>

S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Mass Storage Controller
Device ID: PCI\VEN_104C&DEV_8033&SUBSYS_3091103C&REV_00\4&13826118&0&4BA4
Manufacturer:
Name: Mass Storage Controller
PNP Device ID: PCI\VEN_104C&DEV_8033&SUBSYS_3091103C&REV_00\4&13826118&0&4BA4
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Modem
Device ID: PCI\VEN_1002&DEV_4378&SUBSYS_3091103C&REV_02\3&13C0B0C5&0&A6
Manufacturer:
Name: PCI Modem
PNP Device ID: PCI\VEN_1002&DEV_4378&SUBSYS_3091103C&REV_02\3&13C0B0C5&0&A6
Service:


-- Files created between 2008-02-24 and 2008-03-24 -----------------------------

2008-03-23 15:38:21 0 d-------- C:\WINDOWS.1\pss
2008-03-22 23:40:35 0 d-------- C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Creative
2008-03-21 22:04:56 0 d--h----- C:\WINDOWS.1\$hf_mig$
2008-03-21 21:58:16 0 d-------- C:\WINDOWS.1\system32\SoftwareDistribution
2008-03-20 17:08:01 0 d-------- C:\Program Files\Trend Micro
2008-03-20 01:00:44 0 d---s---- C:\Documents and Settings\Administrator.TYLERSPRO2\UserData
2008-03-19 15:41:46 90688 --a------ C:\WINDOWS.1\system32\ijuhurvv.dll
2008-03-18 15:53:38 0 d-------- C:\WINDOWS.1\system32\NtmsData
2008-03-18 15:36:35 91200 --a------ C:\WINDOWS.1\system32\lpgtsydt.dll
2008-03-18 15:27:18 0 d-------- C:\Program Files\Takatis
2008-03-17 13:57:32 0 d-------- C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Google
2008-03-14 00:17:48 0 d-------- C:\Program Files\Winamp
2008-03-14 00:17:48 0 d-------- C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Winamp
2008-03-12 15:15:21 0 d-------- C:\Documents and Settings\All Users.WINDOWS.1\Application Data\SUPERAntiSpyware.com
2008-03-12 15:14:20 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-03-12 15:14:20 0 d-------- C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\SUPERAntiSpyware.com
2008-03-12 15:13:08 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-09 20:53:05 0 d-------- C:\VundoFix Backups
2008-03-08 22:41:50 149504 --a------ C:\WINDOWS.1\UNWISE.EXE
2008-03-08 22:41:50 0 d-------- C:\Program Files\Creative
2008-03-07 13:30:30 0 d-------- C:\Program Files\Hurrican
2008-03-07 12:52:16 0 d--h----- C:\$AVG8.VAULT$
2008-03-07 12:47:29 0 d-------- C:\WINDOWS.1\system32\drivers\Avg
2008-03-07 12:46:41 0 d-------- C:\Program Files\AVG
2008-03-07 12:46:39 0 d-------- C:\Documents and Settings\All Users.WINDOWS.1\Application Data\avg8
2008-03-07 12:07:48 0 d-------- C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Rabio
2008-03-06 19:15:32 0 d-------- C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\AdobeUM
2008-03-05 19:10:41 0 d-------- C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Lavasoft
2008-03-05 19:07:35 0 d-------- C:\Program Files\Task Killer
2008-03-05 18:50:51 0 d-------- C:\WINDOWS.1\CSC
2008-03-05 14:36:07 0 d-------- C:\WINDOWS.1\Registration
2008-03-05 14:22:16 0 d-------- C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Spybot - Search & Destroy
2008-03-05 14:11:06 86016 --a------ C:\WINDOWS.1\system32\drivers\intelppmm.sys
2008-03-05 14:02:01 0 d-------- C:\WINDOWS.1\Sun
2008-03-04 16:32:30 0 d-------- C:\Program Files\Activision Value
2008-03-03 16:37:37 0 -ra------ C:\logwmemory.bin
2008-03-03 16:32:16 0 d-------- C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Soldat
2008-03-03 00:39:19 0 d-------- C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\SlySoft
2008-02-29 21:06:43 0 d-------- C:\CloneDVDTemp
2008-02-28 21:00:13 0 d-------- C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Spadester
2008-02-24 23:58:32 0 d-------- C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Cat's Eye Games
2008-02-24 23:47:42 0 d-------- C:\Program Files\[bleep] NFO Viewer


-- Find3M Report ---------------------------------------------------------------

2008-03-23 22:06:12 0 d-------- C:\Program Files\Full Tilt Poker
2008-03-22 17:57:51 0 d-------- C:\Program Files\Microsoft Silverlight
2008-03-12 15:13:08 0 d-------- C:\Program Files\Common Files
2008-03-11 12:05:34 0 d-------- C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Mozilla
2008-03-08 02:01:18 0 d-------- C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\dvdcss
2008-03-07 17:38:33 0 d-------- C:\Program Files\Reflex
2008-03-07 12:47:14 0 d-------- C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Azureus
2008-03-06 19:14:55 0 d-------- C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Adobe
2008-03-03 00:37:27 83 ---hs---- C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\.zreglib
2008-02-23 16:45:03 0 d-------- C:\Program Files\eclipse
2008-02-22 20:31:45 0 d-------- C:\Program Files\SecondLife
2008-02-22 20:05:49 0 d-------- C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\SecondLife
2008-02-20 19:16:55 0 d-------- C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\PlayFirst
2008-02-19 18:59:00 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-18 20:14:11 0 d-------- C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Video DVD Maker FREE
2008-02-18 16:37:04 0 d-------- C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\SI Swimsuit Calendar
2008-02-18 16:36:49 0 d-------- C:\Program Files\Sports Illustrated
2008-02-17 19:08:13 0 d-------- C:\Program Files\7-Zip
2008-02-13 15:46:57 0 d-------- C:\Program Files\Paint.NET
2008-02-11 19:11:35 664 --a------ C:\WINDOWS.1\system32\d3d9caps.dat
2008-02-11 14:48:45 0 d-------- C:\Program Files\EasyCleaner
2008-02-11 14:39:27 0 d-------- C:\Program Files\TextPad 4
2008-02-11 14:39:22 0 d-------- C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\TextPad
2008-02-11 14:36:11 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-11 14:27:59 0 d-------- C:\Program Files\Replay Music 2
2008-02-11 14:25:04 737280 --a------ C:\WINDOWS.1\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2008-02-11 14:17:17 0 d-------- C:\Program Files\DC++
2008-02-11 04:18:44 0 d-------- C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\vlc
2008-02-10 21:54:38 10 --a------ C:\Program Files\.autoreg
2008-02-10 19:33:42 0 d-------- C:\Program Files\thriXXX
2008-02-10 19:31:56 0 d-------- C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Oxin's Style!
2008-02-09 04:12:46 0 d-------- C:\Program Files\Plasma Pong
2008-02-09 02:20:40 0 d-------- C:\Program Files\Growler Guncam
2008-02-09 02:15:56 0 d-------- C:\Program Files\XviD
2008-02-08 18:46:49 0 d-------- C:\Program Files\Common Files\GC Install
2008-02-08 18:32:23 0 d-------- C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\DivX
2008-02-07 14:25:46 0 d-------- C:\Program Files\DivX
2008-02-06 14:59:24 0 d-------- C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Taito Legends
2008-02-06 14:10:17 54 --a------ C:\WINDOWS.1\popcinfo.dat
2008-02-06 13:13:07 0 d-------- C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\EA
2008-02-01 19:27:22 0 d-------- C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Earthsim
2008-01-26 18:23:46 0 d-------- C:\Program Files\Snood
2008-01-25 01:21:17 0 d-------- C:\Program Files\EA SPORTS
2008-01-24 22:04:32 0 d-------- C:\Program Files\GameSpy Arcade
2008-01-23 14:31:11 4096 --a------ C:\WINDOWS.1\d3dx.dat
2008-01-20 22:54:31 21640 --a------ C:\WINDOWS.1\system32\emptyregdb.dat
2008-01-20 17:13:05 62 --ahs---- C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\desktop.ini
2008-01-04 17:58:50 3596288 --a------ C:\WINDOWS.1\system32\qt-dx331.dll
2008-01-04 17:57:22 196608 --a------ C:\WINDOWS.1\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-01-04 17:57:22 81920 --a------ C:\WINDOWS.1\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-01-04 17:57:12 823296 --a------ C:\WINDOWS.1\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-01-04 17:57:10 802816 --a------ C:\WINDOWS.1\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-01-04 17:57:10 823296 --a------ C:\WINDOWS.1\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-01-04 17:57:10 682496 --a------ C:\WINDOWS.1\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-01-04 17:56:24 12288 --a------ C:\WINDOWS.1\system32\DivXWMPExtType.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{413BEFC4-0356-0E88-5110-2E00CECFDC9F}]
C:\WINDOWS.1\system32\tnrmcmid.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [02/18/2006 07:23 AM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [11/14/2006 05:02 PM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [07/13/2005 10:05 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 02:11 AM]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [11/10/2006 01:35 PM]
"CoolSwitch"="C:\WINDOWS.1\system32\taskswitch.exe" [03/19/2002 06:30 PM]
"{5B6DE3E0-0702-1033-0224-060503310001}"="C:\Program Files\Common Files\{5B6DE3E0-0702-1033-0224-060503310001}\Update.exe" []
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [03/07/2008 12:46 PM]
"BM585ed0d3"="C:\WINDOWS.1\system32\ijuhurvv.dll" [03/19/2008 03:41 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Rurt"="C:\WINDOWS.1\system32\YMANTE~1\taskmgr.exe" []
"Eijjjca"="C:\Program Files\s?stem32\r?ndll.exe" []
"Ukn"="C:\Program Files\Common Files\F?nts\l?gonui.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnmmjj]
nnnmmjj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS.1\system32\ddccy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM585ed0d3]
Rundll32.exe "C:\WINDOWS.1\system32\ijuhurvv.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zqwu]
C:\PROGRA~1\COMMON~1\zqwu\zqwum.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\X]
AutoRun\command- X:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Y]
AutoRun\command- Y:\setup.exe
dinstall\command- Y:\directx\dxsetup.exe




-- End of Deckard's System Scanner: finished at 2008-03-24 15:53:49 ------------





========================================================================





Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Turion™ 64 Mobile Technology ML-32
Percentage of Memory in Use: 39%
Physical Memory (total/avail): 894.48 MiB / 537.71 MiB
Pagefile Memory (total/avail): 2168.78 MiB / 1813.84 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1922.57 MiB

C: is Fixed (NTFS) - 74.53 GiB total, 7 GiB free.
D: is CDROM (UDF)
X: is CDROM (CDFS)
Y: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - ST98823A - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.53 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: AVG Anti-Virus Professional Edition v8.0 (GRISOFT)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\DC++\\DCPlusPlus.exe"="C:\\Program Files\\DC++\\DCPlusPlus.exe:*:Enabled:DC++"
"C:\\WINDOWS.1\\system32\\javaw.exe"="C:\\WINDOWS.1\\system32\\javaw.exe:*:Enabled:Java™ Platform SE binary"
"C:\\Program Files\\Soldat\\Soldat.exe"="C:\\Program Files\\Soldat\\Soldat.exe:*:Enabled:Soldat"
"C:\\Program Files\\Activision Value\\WSOP 2008\\WSOPBFTB.exe"="C:\\Program Files\\Activision Value\\WSOP 2008\\WSOPBFTB.exe:*:Enabled:WSOPBFTB"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"="C:\\Program Files\\AVG\\AVG8\\avgnsx.exe:*:Enabled:avgnsx.exe"
"C:\\WINDOWS.1\\system32\\mmc.exe"="C:\\WINDOWS.1\\system32\\mmc.exe:*:Enabled:Microsoft Management Console"
"C:\\Program Files\\Opera\\Opera.exe"="C:\\Program Files\\Opera\\Opera.exe:*:Enabled:Opera Internet Browser"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users.WINDOWS.1
APPDATA=C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=TYLERSPRO2
ComSpec=C:\WINDOWS.1\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator.TYLERSPRO2
LOGONSERVER=\\TYLERSPRO2
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS.1\system32;C:\WINDOWS.1;C:\WINDOWS.1\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 36 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2402
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS.1
TEMP=C:\DOCUME~1\ADMINI~2.TYL\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~2.TYL\LOCALS~1\Temp
USERDOMAIN=TYLERSPRO2
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator.TYLERSPRO2
windir=C:\WINDOWS.1


-- User Profiles ---------------------------------------------------------------

Administrator.TYLERSPRO2 (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
--> MsiExec.exe /X{E9F81423-211E-46B6-9AE0-38568BC5CF6F}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS.1\INF\PCHealth.inf
7-Zip 4.57 --> "C:\Program Files\7-Zip\Uninstall.exe"
Adobe Flash Player ActiveX --> C:\WINDOWS.1\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS.1\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Shockwave Player --> C:\WINDOWS.1\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS.1\system32\Macromed\SHOCKW~1\Install.log
Alt-Tab Task Switcher Powertoy for Windows XP --> MsiExec.exe /I{A7050037-F0EA-4BAB-BCD5-FC05507D6147}
AnyDVD --> "C:\Program Files\SlySoft\AnyDVD\AnyDVD-uninst.exe" /D="C:\Program Files\SlySoft\AnyDVD"
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{055EE59D-217B-43A7-ABFF-507B966405D8}\setup.exe" -l0x0
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS.1\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVG 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Big Kahuna Words --> "C:\WINDOWS.1\Big Kahuna Words\uninstall.exe" "/U:C:\Program Files\Reflex\Big Kahuna Words\Uninstall\uninstall.xml"
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
CloneDVD2 --> "C:\Program Files\Elaborate Bytes\CloneDVD2\CloneDVD2-uninst.exe" /D="C:\Program Files\Elaborate Bytes\CloneDVD2"
Conexant AC-Link Audio --> C:\Program Files\CONEXANT\CNXT_AUDIO\HXFSETUP.EXE -U -Iqta3091.inf
Creative Jukebox Driver --> C:\Program Files\Creative\Jukebox 3 Drivers\DrvUnins.exe /s
[bleep] NFO Viewer 2.10.0031 RC3 --> MsiExec.exe /I{DA5E6A2D-DEAA-4152-A43A-FDBDE29AA724}
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
EA downloader --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{1D171963-9063-4423-898B-8EC4F1F190B7} /l1033
EA SPORTS online 2007 --> C:\Program Files\EA SPORTS\EA SPORTS online\EASOUNInstaller.exe
FIFA 08 --> MsiExec.exe /X{0A2A5039-B37F-489D-B1DC-A5258DF9E697}
Full Tilt Poker --> "C:\Program Files\InstallShield Installation Information\{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}\setup.exe" -runfromtemp -l0x0009 -removeonly
Growler Guncam --> MsiExec.exe /I{9B743536-28E5-4A48-A1CC-8600A18386C3}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hurrican 1.0.0.4 --> "C:\Program Files\Hurrican\unins000.exe"
Image Resizer Powertoy for Windows XP --> MsiExec.exe /I{1CB92574-96F2-467B-B793-5CEB35C40C29}
iTunes --> MsiExec.exe /I{B85C4D19-6CEB-48CF-BD98-C887AC8C6F94}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Marblez --> "C:\Program Files\Reflex\Marblez\ReflexiveArcade\unins000.exe"
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (2.0.0.12) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Mystery Case Files Huntsville --> "C:\Program Files\Reflex\Mystery Case Files Huntsville\unins000.exe"
NYKO Gamepad Mapping Tools 2.0.0 --> "C:\Program Files\NYKO\Gamepad Mapping Tools\unins000.exe"
Paint.NET v3.22 --> MsiExec.exe /X{96C267DA-0926-4C11-B4E7-4D3EF85130D0}
QuickTime --> MsiExec.exe /I{6EC874C2-F950-4B7E-A5B7-B1066D6B74AA}
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x9 -removeonly
Replay Music 2.51 --> C:\WINDOWS.1\iun6002.exe "C:\Program Files\Replay Music 2\irunin.ini"
SecondLife (remove only) --> "C:\Program Files\SecondLife\uninst.exe" /P="SecondLife"
Snood for Windows version 3.01-W --> "C:\Program Files\Snood\unins000.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Takatis - A Tribute To Manfred Trenz --> "C:\Program Files\Takatis\Uninstall Takatis - A Tribute To Manfred Trenz.exe"
Task Killer (remove only) --> \uninstall.exe
The Nightshift Code --> "C:\Program Files\Reflex\The Nightshift Code\ReflexiveArcade\unins000.exe"
Tiger Woods PGA TOUR 07 --> C:\Program Files\EA SPORTS\Tiger Woods PGA TOUR 07\EAUninstall.exe
Tony Hawk's American Wasteland ™ --> MsiExec.exe /I{3293C06B-003F-4027-8380-FFD79E38167D}
Tony Hawk's Pro Skater 2 --> C:\PROGRA~1\ACTIVI~1\THPS2\UNINST~1\UNINST~1.EXE C:\Program Files\Activision\THPS2\uninstall\Tony Hawk's Pro Skater 2.log
Tony Hawks Pro Skater 4 --> MsiExec.exe /X{E0F07676-2C60-4465-A727-20DE3BFCABAC}
Virtual Desktop Manager Powertoy for Windows XP --> MsiExec.exe /I{F251B999-08A9-4704-999C-9962F0DFD88E}
Winamp --> "C:\Program Files\Winamp\UninstWA.exe"
XviD MPEG-4 Video Codec --> "C:\Program Files\XviD\unins000.exe"
Yahoo! Install Manager --> C:\WINDOWS.1\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Widgets --> C:\PROGRA~1\Yahoo!\Widgets\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type522 / Error
Event Submitted/Written: 03/24/2008 02:09:12 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application opera.exe, version 9.21.8776.0, faulting module unknown, version 0.0.0.0, fault address 0x00d8197b.
Processing media-specific event for [opera.exe!ws!]

Event Record #/Type521 / Error
Event Submitted/Written: 03/24/2008 02:09:10 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application explorer.exe, version 6.0.2900.3156, faulting module unknown, version 0.0.0.0, fault address 0x1000197b.
Processing media-specific event for [explorer.exe!ws!]

Event Record #/Type520 / Error
Event Submitted/Written: 03/24/2008 02:09:09 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application taskmgr.exe, version 5.1.2600.2180, faulting module unknown, version 0.0.0.0, fault address 0x00bd197b.
Processing media-specific event for [taskmgr.exe!ws!]

Event Record #/Type492 / Error
Event Submitted/Written: 03/22/2008 10:52:37 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module dbghelp.dll, version 5.1.2600.2180, fault address 0x0001295d.
Processing media-specific event for [drwtsn32.exe!ws!]

Event Record #/Type491 / Error
Event Submitted/Written: 03/22/2008 10:52:29 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application rundll32.exe, version 5.1.2600.2180, faulting module axshlex.dll, version 1.4.9.1024, fault address 0x0000587b.
Processing media-specific event for [rundll32.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type9178 / Error
Event Submitted/Written: 03/24/2008 03:49:27 PM
Event ID/Source: 10000 / DCOM
Event Description:
Unable to start a DCOM Server: {0002DF01-0000-0000-C000-000000000046}.
The error:
"%%2"
Happened while starting this command:
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

Event Record #/Type9177 / Error
Event Submitted/Written: 03/24/2008 03:48:28 PM
Event ID/Source: 10000 / DCOM
Event Description:
Unable to start a DCOM Server: {0002DF01-0000-0000-C000-000000000046}.
The error:
"%%2"
Happened while starting this command:
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

Event Record #/Type9176 / Error
Event Submitted/Written: 03/24/2008 02:56:10 PM
Event ID/Source: 10000 / DCOM
Event Description:
Unable to start a DCOM Server: {0002DF01-0000-0000-C000-000000000046}.
The error:
"%%2"
Happened while starting this command:
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

Event Record #/Type9175 / Error
Event Submitted/Written: 03/24/2008 02:55:53 PM
Event ID/Source: 10000 / DCOM
Event Description:
Unable to start a DCOM Server: {0002DF01-0000-0000-C000-000000000046}.
The error:
"%%2"
Happened while starting this command:
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

Event Record #/Type9158 / Error
Event Submitted/Written: 03/24/2008 02:29:26 PM
Event ID/Source: 10000 / DCOM
Event Description:
Unable to start a DCOM Server: {0002DF01-0000-0000-C000-000000000046}.
The error:
"%%2"
Happened while starting this command:
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding



-- End of Deckard's System Scanner: finished at 2008-03-24 15:53:49 ------------

#6
Revolution660
    Member
  • Topic Starter
  • 15 posts
I just got an alert from AVG which included some DLLs and sys files it says are infected with a trojan. The weird thing is it says they are connected to both DSS and HiJackThis. I thought the easiest way to post this is with a pic of the alert.

avg_alert.jpg

#7
andrewuk
    Trusted Helper
  • Malware Removal
  • 5,297 posts
Before we start, a question first:

I just got an alert from AVG which included some dll's and sys files it says are infected with a trojan. The weird thing is it says they are connected to both DSS and HiJackThis. I thought the easiest way to post this is with a pic of the alert.

I am pretty sure that this is a rogue version of AVG which gave you the infections in the first place.

Did you pay for this AVG version from http://free.grisoft.com/doc/2/?

andrewuk

#8
Revolution660
    Member
  • Topic Starter
  • 15 posts
Well this could be true... I did get it in a torrent :) ... but I definitely did so after my computer was infected. Also, it did successfully eliminate the thing that was most worrisome - lsass.exe using 20% of my processor. Lastly, this is the first time I have seen an alert that had anything to do with HiJackThis (or DSS); they have mostly been about ddccy.dll or a file in my system volume info folder.

Regardless, I bet the thing to do would be to make sure it isn't rogue... is there a certain way I should go about removing it?

#9
andrewuk
    Trusted Helper
  • Malware Removal
  • 5,297 posts

Well this could be true... I did get it in a torrent ... but I definitely did so after my computer was infected. Also, it did successfully eliminate the thing that was most worrisome - lsass.exe using 20% of my processor. Lastly, this is the first time I have seen an alert that had anything to do with HiJackThis (or DSS); they have mostly been about ddccy.dll or a file in my system volume info folder.

Regardless I bet the thing to do would be to make sure it isn't rogue... is there a certain way I should go about removing it?

We will uninstall it, clear some other malware and run another fix tool. (I have never heard of DSS and HijackThis being picked up as malware.)

In the next post or the one after it, we will install an antivirus program on your machine. Before then, please keep your online usage to a minimum.

====STEP 1====
Please download the OTMoveIt2 by OldTimer and Save it to your desktop.

Do not run it yet


Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {413BEFC4-0356-0E88-5110-2E00CECFDC9F} - C:\WINDOWS.1\system32\tnrmcmid.dll (file missing)
O4 - HKLM\..\Run: [BM585ed0d3] Rundll32.exe "C:\WINDOWS.1\system32\ijuhurvv.dll",s
O4 - HKCU\..\Run: [Rurt] "C:\WINDOWS.1\system32\YMANTE~1\taskmgr.exe" -vt ndrv
O4 - HKCU\..\Run: [Eijjjca] "C:\Program Files\s?stem32\r?ndll.exe"
O4 - HKCU\..\Run: [Ukn] "C:\Program Files\Common Files\F?nts\l?gonui.exe"
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O20 - Winlogon Notify: nnnmmjj - nnnmmjj.dll (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

AVG 8.0

Please note any other programs that you don't recognize in that list in your next response.



Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS.1\system32\tnrmcmid.dll
    C:\WINDOWS.1\system32\ijuhurvv.dll
    C:\WINDOWS.1\system32\YMANTE~1\taskmgr.exe
    C:\WINDOWS.1\system32\lpgtsydt.dll
    C:\WINDOWS.1\popcinfo.dat
    C:\WINDOWS.1\d3dx.dat
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    purity
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM585ed0d3
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\X
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Y
  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



====STEP 2====
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**



In your next reply could I see:
1. the OTMoveIT log
2. the combofix log
3. a new hijackthis log

There will be a lot of information to post in the next reply, therefore you may need to post the information over more than one reply to ensure it is all posted.

andrewuk
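As an added example for this step (it is not from the thread, from HijackThis or from OTMoveIt2), the Python script below applies the same judgement the fix list above encodes to a handful of constructed log lines in HijackThis O4/O15/O20 format plus the DSS "Authentication Packages" line: an unprintable character in a Run path, a system-binary name launched from a non-system folder, a Rundll32-loaded DLL, IE Trusted Zone additions, an orphaned Winlogon Notify hook, and any LSA authentication package beyond the stock msv1_0 (which is what puts a foreign DLL inside lsass.exe and explains the CPU use reported at the top of the thread). The sample lines, rule names and helper functions (`triage`, `run_target`, `summary`) are this example's own.

```python
"""Triage of HijackThis / DSS-style startup lines for the indicator types seen
in this thread. Added example for the thread, not part of any tool quoted here."""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Finding:
    severity: str  # "high": acts on the machine now; "review": needs a human decision
    rule: str
    line: str


# Constructed sample, modelled on the O4/O15/O20 lines and the DSS LSA line
# quoted in this thread, with benign entries (iTunesHelper, SASWinLogon,
# stock msv1_0) as controls.
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [BM585ed0d3] Rundll32.exe "C:\WINDOWS.1\system32\ijuhurvv.dll",s',
    r'O4 - HKCU\..\Run: [Rurt] "C:\WINDOWS.1\system32\YMANTE~1\taskmgr.exe" -vt ndrv',
    r'O4 - HKCU\..\Run: [Eijjjca] "C:\Program Files\s?stem32\r?ndll.exe"',
    r'O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"',
    r'O15 - Trusted Zone: *.avsystemcare.com',
    r'O15 - Trusted Zone: *.example.com (HKLM)',
    r'O20 - Winlogon Notify: nnnmmjj - nnnmmjj.dll (file missing)',
    r'O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll',
    r'"Authentication Packages"= msv1_0 C:\WINDOWS.1\system32\ddccy.dll',
    r'"Authentication Packages"= msv1_0',
]

# Windows binaries whose names the thread's malware reused from odd folders.
SYSTEM_BINARIES = {"taskmgr.exe", "rundll32.exe", "rundll.exe", "logonui.exe",
                   "lsass.exe", "svchost.exe", "explorer.exe"}
# A genuine copy sits directly in <drive>:\WINDOWS[.n]\system32, never deeper.
SYSTEM32_FILE = re.compile(r"^[a-z]:\\windows(\.\d+)?\\system32\\[^\\]+$", re.I)

O4_RE = re.compile(r"^O4 - .*?: \[[^\]]*\] (.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (\S+)")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
LSA_RE = re.compile(r'^"Authentication Packages"=\s*(.*)$')


def split_first(cmd: str) -> Tuple[str, str]:
    """Split a command line into its first (possibly quoted) token and the rest."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end < 0:
            return cmd[1:], ""
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def run_target(cmd: str) -> Tuple[str, bool]:
    """Path that really runs at logon; for Rundll32 that is the DLL it loads."""
    exe, rest = split_first(cmd)
    if exe.split("\\")[-1].lower() == "rundll32.exe" and rest:
        dll, _ = split_first(rest)
        return dll.split(",")[0], True   # drop the ",entrypoint" suffix
    return exe, False


def triage(lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    for line in lines:
        line = line.rstrip()
        if m := O4_RE.match(line):
            target, via_rundll32 = run_target(m.group(1))
            base = target.split("\\")[-1].lower()
            if "?" in target:
                # Log tools print non-ASCII look-alike characters as '?'; '?' itself
                # is illegal in Windows file names, so a real path never has one.
                findings.append(Finding("high", "unprintable character in Run path", line))
            elif base in SYSTEM_BINARIES and not SYSTEM32_FILE.match(target):
                findings.append(Finding("high", "system binary name outside system32", line))
            elif via_rundll32 and SYSTEM32_FILE.match(target):
                findings.append(Finding("review", "Rundll32 loads a system32 DLL at logon", line))
        elif m := O15_RE.match(line):
            # Trusted Zone sites run with relaxed IE security; a home PC normally has none.
            findings.append(Finding("review", "site added to IE Trusted Zone: " + m.group(1), line))
        elif m := O20_RE.match(line):
            dll = m.group(2)
            if "(file missing)" in dll:
                findings.append(Finding("high", "orphaned Winlogon Notify hook", line))
            elif ":\\" not in dll:
                findings.append(Finding("review", "Winlogon Notify DLL given as bare name", line))
        elif m := LSA_RE.match(line):
            for pkg in m.group(1).split():
                if pkg.lower() != "msv1_0":   # stock XP value is exactly msv1_0
                    findings.append(Finding("high", "extra LSA authentication package (loaded into lsass.exe): " + pkg, line))
    return findings


def summary(findings: List[Finding]) -> dict:
    """Count findings per severity."""
    return {sev: sum(1 for f in findings if f.severity == sev) for sev in ("high", "review")}


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.severity:6}] {f.rule}\n         {f.line}")
    print(summary(triage(SAMPLE_LINES)))
```

Run it as-is to print the findings for the sample, or pass the O4/O15/O20 lines of a real HijackThis log to `triage`. A "high" finding is the kind of entry the fix list above removes; a "review" finding still needs a human look, because legitimate software also registers Rundll32 entries and Winlogon Notify DLLs.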

#10
Revolution660
    Member
  • Topic Starter
  • 15 posts
OTMoveIt Log:


File/Folder C:\WINDOWS.1\system32\tnrmcmid.dll not found.
DllUnregisterServer procedure not found in C:\WINDOWS.1\system32\ijuhurvv.dll
C:\WINDOWS.1\system32\ijuhurvv.dll NOT unregistered.
C:\WINDOWS.1\system32\ijuhurvv.dll moved successfully.
File/Folder C:\WINDOWS.1\system32\YMANTE~1\taskmgr.exe not found.
DllUnregisterServer procedure not found in C:\WINDOWS.1\system32\lpgtsydt.dll
C:\WINDOWS.1\system32\lpgtsydt.dll NOT unregistered.
C:\WINDOWS.1\system32\lpgtsydt.dll moved successfully.
C:\WINDOWS.1\popcinfo.dat moved successfully.
C:\WINDOWS.1\d3dx.dat moved successfully.
[Custom Input]
< purity >
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM585ed0d3 >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM585ed0d3\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\X >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\X\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Y >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Y\\ deleted successfully.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03252008_120945



===========================================================



ComboFix Log:


ComboFix 08-03-25.1 - Administrator 2008-03-25 12:15:39.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.605 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator.TYLERSPRO2\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
TimedOut: progfile.dat
-- Script messages for sUBs --
Findstr -MIF:/ "\\TTC\.pdb InsertAdvertisement"
GREP -i "C:\\Program Files\\[^\\]*\\[^\\]*$"
VFind -tf -s282624 "C:\Program Files\????????*[0-9].dll"
VFind.exe -ltf -s-1000000 -d+2007-12-25 "C:\Program Files\*"

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator.TYLERSLAPTOP\Application Data\macromedia\Flash Player\#SharedObjects\2XRR8YDZ\www.broadcaster.com
C:\Documents and Settings\Administrator.TYLERSLAPTOP\Application Data\macromedia\Flash Player\#SharedObjects\2XRR8YDZ\www.inter-focus.cn
C:\Documents and Settings\Administrator.TYLERSLAPTOP\Application Data\macromedia\Flash Player\#SharedObjects\2XRR8YDZ\www.inter-focus.cn\IFFLASHAD_PLAYER.sol
C:\Documents and Settings\Administrator.TYLERSLAPTOP\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Administrator.TYLERSLAPTOP\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\Administrator.TYLERSLAPTOP\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.inter-focus.cn
C:\Documents and Settings\Administrator.TYLERSLAPTOP\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.inter-focus.cn\settings.sol
C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\NetMon
C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\NetMon\log.txt
C:\WINDOWS.1\BM585ed0d3.xml
C:\WINDOWS.1\pskt.ini
C:\WINDOWS.1\system32\drivers\intelppmm.sys
C:\WINDOWS.1\system32\mcrh.tmp
C:\WINDOWS.1\system32\pac.txt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_COM+_MESSAGES
-------\Legacy_INTELPPMM
-------\Legacy_TNIDRIVER
-------\Service_intelppmm


((((((((((((((((((((((((( Files Created from 2008-02-25 to 2008-03-25 )))))))))))))))))))))))))))))))
.

2008-03-25 12:09 . 2008-03-25 12:09 <DIR> d-------- C:\_OTMoveIt
2008-03-24 15:51 . 2008-03-24 15:51 <DIR> d-------- C:\Deckard
2008-03-22 23:40 . 2008-03-22 23:40 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Creative
2008-03-22 19:32 . 2006-08-21 05:14 128,896 -----c--- C:\WINDOWS.1\system32\dllcache\fltmgr.sys
2008-03-22 19:32 . 2006-08-21 05:14 23,040 -----c--- C:\WINDOWS.1\system32\dllcache\fltmc.exe
2008-03-22 19:32 . 2006-08-21 08:21 16,896 -----c--- C:\WINDOWS.1\system32\dllcache\fltlib.dll
2008-03-22 19:28 . 2002-12-31 08:00 221,184 --a------ C:\WINDOWS.1\system32\wmpns.dll
2008-03-22 19:28 . 2005-06-28 11:21 22,752 --a------ C:\WINDOWS.1\system32\spupdsvc.exe
2008-03-21 22:31 . 2007-07-09 09:16 582,656 -----c--- C:\WINDOWS.1\system32\dllcache\rpcrt4.dll
2008-03-21 22:18 . 2006-12-07 01:29 2,374,472 -----c--- C:\WINDOWS.1\system32\dllcache\wmvcore.dll
2008-03-21 22:04 . 2008-03-22 19:48 <DIR> d--h----- C:\WINDOWS.1\$hf_mig$
2008-03-21 21:58 . 2007-07-30 20:19 271,224 --a------ C:\WINDOWS.1\system32\mucltui.dll
2008-03-21 21:58 . 2007-07-30 20:18 34,136 --a------ C:\WINDOWS.1\system32\wucltui.dll.mui
2008-03-21 21:58 . 2007-07-30 20:19 30,072 --a------ C:\WINDOWS.1\system32\mucltui.dll.mui
2008-03-21 21:58 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS.1\system32\wuaucpl.cpl.mui
2008-03-21 21:58 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS.1\system32\wuapi.dll.mui
2008-03-21 21:58 . 2007-07-30 20:18 20,312 --a------ C:\WINDOWS.1\system32\wuaueng.dll.mui
2008-03-20 17:08 . 2008-03-20 17:08 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-20 01:00 . 2008-03-20 01:00 <DIR> d---s---- C:\Documents and Settings\Administrator.TYLERSPRO2\UserData
2008-03-18 15:53 . 2008-03-18 15:54 <DIR> d-------- C:\WINDOWS.1\system32\NtmsData
2008-03-18 15:27 . 2008-03-18 15:38 <DIR> d-------- C:\Program Files\Takatis
2008-03-14 00:17 . 2008-03-14 00:18 <DIR> d-------- C:\Program Files\Winamp
2008-03-14 00:17 . 2008-03-16 22:20 <DIR> d-------- C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Winamp
2008-03-12 15:15 . 2008-03-12 15:15 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS.1\Application Data\SUPERAntiSpyware.com
2008-03-12 15:14 . 2008-03-12 15:14 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-12 15:14 . 2008-03-12 15:14 <DIR> d-------- C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\SUPERAntiSpyware.com
2008-03-12 15:13 . 2008-03-12 15:13 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-09 20:53 . 2008-03-09 20:53 <DIR> d-------- C:\VundoFix Backups
2008-03-08 22:42 . 2003-10-17 02:00 32,768 --a------ C:\WINDOWS.1\system32\Jb4Inst.crl
2008-03-08 22:41 . 2008-03-09 02:24 <DIR> d-------- C:\Program Files\Creative
2008-03-08 22:41 . 1999-06-25 11:55 149,504 --a------ C:\WINDOWS.1\UNWISE.EXE
2008-03-07 13:30 . 2008-03-17 03:49 <DIR> d-------- C:\Program Files\Hurrican
2008-03-07 12:46 . 2008-03-07 12:46 <DIR> d-------- C:\Program Files\AVG
2008-03-07 12:46 . 2008-03-25 00:01 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS.1\Application Data\avg8
2008-03-07 12:07 . 2008-03-11 12:06 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Rabio
2008-03-06 19:15 . 2008-03-06 19:15 <DIR> d-------- C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\AdobeUM
2008-03-05 19:10 . 2008-03-05 19:10 <DIR> d-------- C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Lavasoft
2008-03-05 19:07 . 2008-03-05 19:07 <DIR> d-------- C:\Program Files\Task Killer
2008-03-05 15:25 . 2008-03-25 02:22 913 --a------ C:\WINDOWS.1\wininit.ini
2008-03-05 14:22 . 2008-03-05 15:30 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Spybot - Search & Destroy
2008-03-05 14:02 . 2008-03-05 14:02 <DIR> d-------- C:\WINDOWS.1\Sun
2008-03-04 17:01 . 2007-03-12 17:42 3,495,784 --a------ C:\WINDOWS.1\system32\d3dx9_33.dll
2008-03-04 16:32 . 2008-03-04 16:32 <DIR> d-------- C:\Program Files\Activision Value
2008-03-03 16:37 . 2008-03-03 16:37 0 -ra------ C:\logwmemory.bin
2008-03-03 16:32 . 2008-03-03 16:32 <DIR> d-------- C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Soldat
2008-03-03 00:39 . 2008-03-03 00:39 <DIR> d-------- C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\SlySoft
2008-02-29 21:06 . 2008-02-29 21:06 <DIR> d-------- C:\CloneDVDTemp
2008-02-28 21:00 . 2008-03-03 17:04 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Spadester
2008-02-28 01:05 . 2008-02-28 01:05 9,662 --a------ C:\WINDOWS.1\system32\ZoneAlarmIconUS.ico

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-24 02:06 --------- d-----w C:\Program Files\Full Tilt Poker
2008-03-22 21:57 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-03-08 06:01 --------- d-----w C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\dvdcss
2008-03-07 21:38 --------- d-----w C:\Program Files\Reflex
2008-03-07 16:47 --------- d-----w C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Azureus
2008-03-05 18:24 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-25 03:58 --------- d-----w C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Cat's Eye Games
2008-02-25 03:47 --------- d-----w C:\Program Files\[bleep] NFO Viewer
2008-02-23 20:45 --------- d-----w C:\Program Files\eclipse
2008-02-23 00:31 --------- d-----w C:\Program Files\SecondLife
2008-02-23 00:05 --------- d-----w C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\SecondLife
2008-02-20 23:16 --------- d-----w C:\Documents and Settings\All Users.WINDOWS.1\Application Data\PlayFirst
2008-02-20 23:16 --------- d-----w C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\PlayFirst
2008-02-19 22:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-19 00:14 --------- d-----w C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Video DVD Maker FREE
2008-02-18 20:37 --------- d-----w C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\SI Swimsuit Calendar
2008-02-18 20:36 --------- d-----w C:\Program Files\Sports Illustrated
2008-02-18 20:36 --------- d-----w C:\Documents and Settings\All Users.WINDOWS.1\Application Data\SI Swimsuit Calendar
2008-02-17 23:08 --------- d-----w C:\Program Files\7-Zip
2008-02-13 19:46 --------- d-----w C:\Program Files\Paint.NET
2008-02-11 18:48 --------- d-----w C:\Program Files\EasyCleaner
2008-02-11 18:39 --------- d-----w C:\Program Files\TextPad 4
2008-02-11 18:39 --------- d-----w C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\TextPad
2008-02-11 18:36 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-11 18:31 --------- d-----w C:\Documents and Settings\All Users.WINDOWS.1\Application Data\FLEXnet
2008-02-11 18:27 --------- d-----w C:\Program Files\Replay Music 2
2008-02-11 18:25 737,280 ----a-w C:\WINDOWS.1\iun6002.exe
2008-02-11 18:17 --------- d-----w C:\Program Files\DC++
2008-02-11 08:18 --------- d-----w C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\vlc
2008-02-11 01:54 10 ----a-w C:\Program Files\.autoreg
2008-02-10 23:33 --------- d-----w C:\Program Files\thriXXX
2008-02-10 23:31 --------- d-----w C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Oxin's Style!
2008-02-09 08:12 --------- d-----w C:\Program Files\Plasma Pong
2008-02-09 06:20 --------- d-----w C:\Program Files\Growler Guncam
2008-02-09 06:15 --------- d-----w C:\Program Files\XviD
2008-02-08 22:46 --------- d-----w C:\Program Files\Common Files\GC Install
2008-02-08 22:32 --------- d-----w C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\DivX
2008-02-07 18:25 --------- d-----w C:\Program Files\DivX
2008-02-06 18:59 --------- d-----w C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Taito Legends
2008-02-06 17:13 --------- d-----w C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\EA
2008-02-06 16:42 --------- d-----w C:\Documents and Settings\All Users.WINDOWS.1\Application Data\HipSoft
2008-02-01 23:27 --------- d-----w C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Earthsim
2008-02-01 23:27 --------- d-----w C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Earthsim
2008-01-26 22:23 --------- d-----w C:\Program Files\Snood
2008-01-25 05:21 --------- d-----w C:\Program Files\EA SPORTS
2008-01-25 02:04 --------- d-----w C:\Program Files\GameSpy Arcade
2008-01-24 01:40 94,208 ----a-w C:\WINDOWS.1\DUMP4df1.tmp
2008-01-24 01:28 94,208 ----a-w C:\WINDOWS.1\DUMP4eeb.tmp
2007-02-12 21:20 364 ----a-w C:\Program Files\INSTALL.LOG
2007-01-16 08:52 1,395,659 ----a-w C:\Documents and Settings\Administrator.TYLERSLAPTOP\Application Data\Install.dat
2006-10-30 02:36 13,195 ----a-w C:\Documents and Settings\Tyler\zguicfgw.dat
2006-09-20 20:54 0 ----a-w C:\Documents and Settings\Tyler\Application Data\wklnhst.dat
2006-08-23 05:16 620,032 --sha-w C:\Program Files\iexplore.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-02-18 07:23 6144]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-14 17:02 815104]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-13 22:05 344064]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 13:35 90112]
"CoolSwitch"="C:\WINDOWS.1\system32\taskswitch.exe" [2002-03-19 18:30 45632]
"{5B6DE3E0-0702-1033-0224-060503310001}"="C:\Program Files\Common Files\{5B6DE3E0-0702-1033-0224-060503310001}\Update.exe" [ ]
"BM585ed0d3"="C:\WINDOWS.1\system32\ijuhurvv.dll" [ ]

C:\Documents and Settings\Tyler\Start Menu\Programs\Startup\
Stardock Keyboard Launchpad.lnk - C:\Program Files\Stardock\Object Desktop\KLP\Keys.exe [2006-09-18 01:15:36 409600]
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe [2006-05-23 17:17:00 1806336]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-15 04:22 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 16:27 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zqwu]
C:\PROGRA~1\COMMON~1\zqwu\zqwum.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\DC++\\DCPlusPlus.exe"=
"C:\\WINDOWS.1\\system32\\javaw.exe"=
"C:\\WINDOWS.1\\system32\\mmc.exe"=
"C:\\Program Files\\Opera\\Opera.exe"=


.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-25 12:26:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
"ImagePath"="C:\Program Files\Alcohol Soft
[Pro2]\Alcohol 120\StarWind\StarWindService.exe"


[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\StarWindService]
"ImagePath"="C:\Program Files\Alcohol Soft
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS.1\explorer.exe
-> C:\Program Files\Unlocker\UnlockerHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS.1\system32\Ati2evxx.exe
C:\WINDOWS.1\system32\Ati2evxx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Alcohol Soft [Pro2]\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS.1\system32\Rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS.1\system32\wdfmgr.exe
C:\WINDOWS.1\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-03-25 12:35:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-25 16:35:02
.
2008-03-24 17:53:00 --- E O F ---
#11
Revolution660 (Member, Topic Starter)
HijackThis Log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:51:54 PM, on 3/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS.1\System32\smss.exe
C:\WINDOWS.1\system32\winlogon.exe
C:\WINDOWS.1\system32\services.exe
C:\WINDOWS.1\system32\lsass.exe
C:\WINDOWS.1\system32\Ati2evxx.exe
C:\WINDOWS.1\system32\svchost.exe
C:\WINDOWS.1\System32\svchost.exe
C:\WINDOWS.1\system32\Ati2evxx.exe
C:\WINDOWS.1\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Alcohol Soft [Pro2]\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS.1\system32\taskswitch.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS.1\system32\Rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS.1\system32\wscntfy.exe
C:\WINDOWS.1\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS.1\system32\taskswitch.exe
O4 - HKLM\..\Run: [{5B6DE3E0-0702-1033-0224-060503310001}] "C:\Program Files\Common Files\{5B6DE3E0-0702-1033-0224-060503310001}\Update.exe" mc-110-12-0001291
O4 - HKLM\..\Run: [BM585ed0d3] Rundll32.exe "C:\WINDOWS.1\system32\ijuhurvv.dll",s
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS.1\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS.1\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft [Pro2]\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 4082 bytes

#12
andrewuk (Trusted Helper, Malware Removal)
In this post we will clear out the malware I can see.

====STEP 1====
Please download DAFT and save it to your desktop:
  • Double-click the daft.exe icon. Read the disclaimer and click OK.
  • Click on the Scan button.
  • If it finds faulty file associations, they will appear in red beside a checkbox. If this occurs, just place a tick in the boxes in question.
  • Click the Fix button.
  • Re-scan and save a logfile. By default, it will save as daft.txt.
Post the contents of that logfile with your next post.


====STEP 2====
1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS.1\wininit.ini
C:\Documents and Settings\Tyler\zguicfgw.dat
C:\Documents and Settings\Tyler\Application Data\wklnhst.dat
C:\Program Files\Common Files\{5B6DE3E0-0702-1033-0224-060503310001}\Update.exe
C:\WINDOWS.1\system32\ijuhurvv.dll
C:\PROGRA~1\COMMON~1\zqwu\zqwum.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{5B6DE3E0-0702-1033-0224-060503310001}"=-
"BM585ed0d3"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zqwu]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: dragging CFScript.txt onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


In your next reply could I see:
1. the daft.txt log
2. the combofix log
3. a new hijackthis log

There will be a lot of information to post in the next reply; therefore you may need to post the information over more than one reply to ensure it is all posted.

andrewuk

#13
Revolution660 (Member, Topic Starter)
Daft Log (Note: There were four red items prior to doing the fix):

DAFT Log saved on 2008-03-25 14:49:20
-----------------------------------------------------------------------
All associations okay!


====================================================================


ComboFix 08-03-25.1 - Administrator 2008-03-25 15:21:04.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.496 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator.TYLERSPRO2\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator.TYLERSPRO2\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Tyler\Application Data\wklnhst.dat
C:\Documents and Settings\Tyler\zguicfgw.dat
C:\PROGRA~1\COMMON~1\zqwu\zqwum.exe
C:\Program Files\Common Files\{5B6DE3E0-0702-1033-0224-060503310001}\Update.exe
C:\WINDOWS.1\system32\ijuhurvv.dll
C:\WINDOWS.1\wininit.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator.TYLERSLAPTOP\Application Data\install.dat
C:\Documents and Settings\Administrator.TYLERSLAPTOP\Favorites\Online Security Guide.lnk
C:\Documents and Settings\Tyler\Application Data\wklnhst.dat
C:\Documents and Settings\Tyler\zguicfgw.dat
C:\WINDOWS.1\wininit.ini

.
((((((((((((((((((((((((( Files Created from 2008-02-25 to 2008-03-25 )))))))))))))))))))))))))))))))
.

2008-03-25 12:09 . 2008-03-25 12:09 <DIR> d-------- C:\_OTMoveIt
2008-03-24 15:51 . 2008-03-24 15:51 <DIR> d-------- C:\Deckard
2008-03-22 23:40 . 2008-03-22 23:40 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Creative
2008-03-22 19:32 . 2006-08-21 05:14 128,896 -----c--- C:\WINDOWS.1\system32\dllcache\fltmgr.sys
2008-03-22 19:32 . 2006-08-21 05:14 23,040 -----c--- C:\WINDOWS.1\system32\dllcache\fltmc.exe
2008-03-22 19:32 . 2006-08-21 08:21 16,896 -----c--- C:\WINDOWS.1\system32\dllcache\fltlib.dll
2008-03-22 19:28 . 2002-12-31 08:00 221,184 --a------ C:\WINDOWS.1\system32\wmpns.dll
2008-03-22 19:28 . 2005-06-28 11:21 22,752 --a------ C:\WINDOWS.1\system32\spupdsvc.exe
2008-03-21 22:31 . 2007-07-09 09:16 582,656 -----c--- C:\WINDOWS.1\system32\dllcache\rpcrt4.dll
2008-03-21 22:18 . 2006-12-07 01:29 2,374,472 -----c--- C:\WINDOWS.1\system32\dllcache\wmvcore.dll
2008-03-21 22:04 . 2008-03-22 19:48 <DIR> d--h----- C:\WINDOWS.1\$hf_mig$
2008-03-21 21:58 . 2007-07-30 20:19 271,224 --a------ C:\WINDOWS.1\system32\mucltui.dll
2008-03-21 21:58 . 2007-07-30 20:18 34,136 --a------ C:\WINDOWS.1\system32\wucltui.dll.mui
2008-03-21 21:58 . 2007-07-30 20:19 30,072 --a------ C:\WINDOWS.1\system32\mucltui.dll.mui
2008-03-21 21:58 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS.1\system32\wuaucpl.cpl.mui
2008-03-21 21:58 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS.1\system32\wuapi.dll.mui
2008-03-21 21:58 . 2007-07-30 20:18 20,312 --a------ C:\WINDOWS.1\system32\wuaueng.dll.mui
2008-03-20 17:08 . 2008-03-20 17:08 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-20 01:00 . 2008-03-20 01:00 <DIR> d---s---- C:\Documents and Settings\Administrator.TYLERSPRO2\UserData
2008-03-18 15:53 . 2008-03-18 15:54 <DIR> d-------- C:\WINDOWS.1\system32\NtmsData
2008-03-18 15:27 . 2008-03-18 15:38 <DIR> d-------- C:\Program Files\Takatis
2008-03-14 00:17 . 2008-03-14 00:18 <DIR> d-------- C:\Program Files\Winamp
2008-03-14 00:17 . 2008-03-16 22:20 <DIR> d-------- C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Winamp
2008-03-12 15:15 . 2008-03-12 15:15 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS.1\Application Data\SUPERAntiSpyware.com
2008-03-12 15:14 . 2008-03-12 15:14 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-12 15:14 . 2008-03-12 15:14 <DIR> d-------- C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\SUPERAntiSpyware.com
2008-03-12 15:13 . 2008-03-12 15:13 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-09 20:53 . 2008-03-09 20:53 <DIR> d-------- C:\VundoFix Backups
2008-03-08 22:42 . 2003-10-17 02:00 32,768 --a------ C:\WINDOWS.1\system32\Jb4Inst.crl
2008-03-08 22:41 . 2008-03-09 02:24 <DIR> d-------- C:\Program Files\Creative
2008-03-08 22:41 . 1999-06-25 11:55 149,504 --a------ C:\WINDOWS.1\UNWISE.EXE
2008-03-07 13:30 . 2008-03-17 03:49 <DIR> d-------- C:\Program Files\Hurrican
2008-03-07 12:46 . 2008-03-07 12:46 <DIR> d-------- C:\Program Files\AVG
2008-03-07 12:46 . 2008-03-25 00:01 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS.1\Application Data\avg8
2008-03-07 12:07 . 2008-03-11 12:06 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Rabio
2008-03-06 19:15 . 2008-03-06 19:15 <DIR> d-------- C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\AdobeUM
2008-03-05 19:10 . 2008-03-05 19:10 <DIR> d-------- C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Lavasoft
2008-03-05 19:07 . 2008-03-05 19:07 <DIR> d-------- C:\Program Files\Task Killer
2008-03-05 14:22 . 2008-03-05 15:30 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Spybot - Search & Destroy
2008-03-05 14:02 . 2008-03-05 14:02 <DIR> d-------- C:\WINDOWS.1\Sun
2008-03-04 17:01 . 2007-03-12 17:42 3,495,784 --a------ C:\WINDOWS.1\system32\d3dx9_33.dll
2008-03-04 16:32 . 2008-03-04 16:32 <DIR> d-------- C:\Program Files\Activision Value
2008-03-03 16:37 . 2008-03-03 16:37 0 -ra------ C:\logwmemory.bin
2008-03-03 16:32 . 2008-03-03 16:32 <DIR> d-------- C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Soldat
2008-03-03 00:39 . 2008-03-03 00:39 <DIR> d-------- C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\SlySoft
2008-02-29 21:06 . 2008-02-29 21:06 <DIR> d-------- C:\CloneDVDTemp
2008-02-28 21:00 . 2008-03-03 17:04 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Spadester
2008-02-28 01:05 . 2008-02-28 01:05 9,662 --a------ C:\WINDOWS.1\system32\ZoneAlarmIconUS.ico

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-25 17:33 104 ----a-w C:\Program Files\Internet Explorer.lnk
2008-03-24 02:06 --------- d-----w C:\Program Files\Full Tilt Poker
2008-03-22 21:57 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-03-08 06:01 --------- d-----w C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\dvdcss
2008-03-07 21:38 --------- d-----w C:\Program Files\Reflex
2008-03-07 16:47 --------- d-----w C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Azureus
2008-03-05 18:24 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-25 03:58 --------- d-----w C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Cat's Eye Games
2008-02-25 03:47 --------- d-----w C:\Program Files\[bleep] NFO Viewer
2008-02-23 20:45 --------- d-----w C:\Program Files\eclipse
2008-02-23 00:31 --------- d-----w C:\Program Files\SecondLife
2008-02-23 00:05 --------- d-----w C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\SecondLife
2008-02-20 23:16 --------- d-----w C:\Documents and Settings\All Users.WINDOWS.1\Application Data\PlayFirst
2008-02-20 23:16 --------- d-----w C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\PlayFirst
2008-02-19 22:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-19 00:14 --------- d-----w C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Video DVD Maker FREE
2008-02-18 20:37 --------- d-----w C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\SI Swimsuit Calendar
2008-02-18 20:36 --------- d-----w C:\Program Files\Sports Illustrated
2008-02-18 20:36 --------- d-----w C:\Documents and Settings\All Users.WINDOWS.1\Application Data\SI Swimsuit Calendar
2008-02-17 23:08 --------- d-----w C:\Program Files\7-Zip
2008-02-13 19:46 --------- d-----w C:\Program Files\Paint.NET
2008-02-11 18:48 --------- d-----w C:\Program Files\EasyCleaner
2008-02-11 18:39 --------- d-----w C:\Program Files\TextPad 4
2008-02-11 18:39 --------- d-----w C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\TextPad
2008-02-11 18:36 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-11 18:31 --------- d-----w C:\Documents and Settings\All Users.WINDOWS.1\Application Data\FLEXnet
2008-02-11 18:27 --------- d-----w C:\Program Files\Replay Music 2
2008-02-11 18:25 737,280 ----a-w C:\WINDOWS.1\iun6002.exe
2008-02-11 18:17 --------- d-----w C:\Program Files\DC++
2008-02-11 08:18 --------- d-----w C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\vlc
2008-02-11 01:54 10 ----a-w C:\Program Files\.autoreg
2008-02-10 23:33 --------- d-----w C:\Program Files\thriXXX
2008-02-10 23:31 --------- d-----w C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Oxin's Style!
2008-02-09 08:12 --------- d-----w C:\Program Files\Plasma Pong
2008-02-09 06:20 --------- d-----w C:\Program Files\Growler Guncam
2008-02-09 06:15 --------- d-----w C:\Program Files\XviD
2008-02-08 22:46 --------- d-----w C:\Program Files\Common Files\GC Install
2008-02-08 22:32 --------- d-----w C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\DivX
2008-02-07 18:25 --------- d-----w C:\Program Files\DivX
2008-02-06 18:59 --------- d-----w C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Taito Legends
2008-02-06 17:13 --------- d-----w C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\EA
2008-02-06 16:42 --------- d-----w C:\Documents and Settings\All Users.WINDOWS.1\Application Data\HipSoft
2008-02-01 23:27 --------- d-----w C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Earthsim
2008-02-01 23:27 --------- d-----w C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Earthsim
2008-01-26 22:23 --------- d-----w C:\Program Files\Snood
2008-01-25 05:21 --------- d-----w C:\Program Files\EA SPORTS
2008-01-25 02:04 --------- d-----w C:\Program Files\GameSpy Arcade
2008-01-24 01:40 94,208 ----a-w C:\WINDOWS.1\DUMP4df1.tmp
2008-01-24 01:28 94,208 ----a-w C:\WINDOWS.1\DUMP4eeb.tmp
2008-01-04 21:59 524,288 ----a-w C:\WINDOWS.1\system32\DivXsm.exe
2008-01-04 21:58 3,596,288 ----a-w C:\WINDOWS.1\system32\qt-dx331.dll
2008-01-04 21:58 200,704 ----a-w C:\WINDOWS.1\system32\ssldivx.dll
2008-01-04 21:58 1,044,480 ----a-w C:\WINDOWS.1\system32\libdivx.dll
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS.1\system32\divx_xx0c.dll
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS.1\system32\divx_xx07.dll
2008-01-04 21:57 81,920 ----a-w C:\WINDOWS.1\system32\dpl100.dll
2008-01-04 21:57 802,816 ----a-w C:\WINDOWS.1\system32\divx_xx11.dll
2008-01-04 21:57 682,496 ----a-w C:\WINDOWS.1\system32\DivX.dll
2008-01-04 21:57 593,920 ----a-w C:\WINDOWS.1\system32\dpuGUI11.dll
2008-01-04 21:57 57,344 ----a-w C:\WINDOWS.1\system32\dpv11.dll
2008-01-04 21:57 53,248 ----a-w C:\WINDOWS.1\system32\dpuGUI10.dll
2008-01-04 21:57 344,064 ----a-w C:\WINDOWS.1\system32\dpus11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS.1\system32\dpu11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS.1\system32\dpu10.dll
2008-01-04 21:57 196,608 ----a-w C:\WINDOWS.1\system32\dtu100.dll
2008-01-04 21:56 156,992 ----a-w C:\WINDOWS.1\system32\DivXCodecVersionChecker.exe
2008-01-04 21:56 12,288 ----a-w C:\WINDOWS.1\system32\DivXWMPExtType.dll
2007-02-12 21:20 364 ----a-w C:\Program Files\INSTALL.LOG
2006-08-23 05:16 620,032 --sha-w C:\Program Files\iexplore.exe
.

((((((((((((((((((((((((((((( snapshot@2008-03-25_12.34.50.85 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-25 16:06:04 58,998 ----a-w C:\WINDOWS.1\system32\perfc009.dat
+ 2008-03-25 16:30:56 58,998 ----a-w C:\WINDOWS.1\system32\perfc009.dat
- 2008-03-25 16:06:04 392,864 ----a-w C:\WINDOWS.1\system32\perfh009.dat
+ 2008-03-25 16:30:56 392,864 ----a-w C:\WINDOWS.1\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-02-18 07:23 6144]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-14 17:02 815104]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-13 22:05 344064]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 13:35 90112]
"CoolSwitch"="C:\WINDOWS.1\system32\taskswitch.exe" [2002-03-19 18:30 45632]

C:\Documents and Settings\Tyler\Start Menu\Programs\Startup\
Stardock Keyboard Launchpad.lnk - C:\Program Files\Stardock\Object Desktop\KLP\Keys.exe [2006-09-18 01:15:36 409600]
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe [2006-05-23 17:17:00 1806336]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-15 04:22 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 16:27 385024 C:\Program Files\QuickTime\QTTask.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\DC++\\DCPlusPlus.exe"=
"C:\\WINDOWS.1\\system32\\javaw.exe"=
"C:\\WINDOWS.1\\system32\\mmc.exe"=
"C:\\Program Files\\Opera\\Opera.exe"=


.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-25 15:23:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
"ImagePath"="C:\Program Files\Alcohol Soft
[Pro2]\Alcohol 120\StarWind\StarWindService.exe"


[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\StarWindService]
"ImagePath"="C:\Program Files\Alcohol Soft
.
Completion time: 2008-03-25 15:25:25
ComboFix-quarantined-files.txt 2008-03-25 19:25:11
ComboFix2.txt 2008-03-25 16:35:05
.
2008-03-24 17:53:00 --- E O F ---




====================================================================




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:29:18 PM, on 3/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS.1\System32\smss.exe
C:\WINDOWS.1\system32\winlogon.exe
C:\WINDOWS.1\system32\services.exe
C:\WINDOWS.1\system32\lsass.exe
C:\WINDOWS.1\system32\Ati2evxx.exe
C:\WINDOWS.1\system32\svchost.exe
C:\WINDOWS.1\System32\svchost.exe
C:\WINDOWS.1\system32\Ati2evxx.exe
C:\WINDOWS.1\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Alcohol Soft [Pro2]\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS.1\system32\taskswitch.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS.1\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS.1\system32\taskmgr.exe
C:\WINDOWS.1\explorer.exe
C:\WINDOWS.1\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS.1\system32\taskswitch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS.1\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS.1\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft [Pro2]\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 3871 bytes

#14 andrewuk (Trusted Helper, Malware Removal)
Looking good so far :)

In this post we will install an antivirus and run some scans to see what else is lurking on your machine. I expect those scans to pick up traces at least, possibly more.

The scans will likely take 3 hours, quite possibly much longer, so just let them run.

====STEP 1====
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


====STEP 2====
This program is basic for the security of your computer, and in today's age not having one will probably lead to disaster for your computer. This is a free version, so I would advise you to keep it on your machine unless you replace it with another antivirus program (only ever have one antivirus program on your machine).

Please go to http://www.avast.com.../down_home.html and download avast! 4 Home Edition to your desktop. Locate the file that you just downloaded and double-click on it to launch the installation of avast!

Click Next on the avast! Setup window and on the next window with the ReadMe File.
Now you will see the Legal Agreement, just click I agree, and then click Next to continue.

You will be prompted with the Configuration window; make sure that you choose Typical configuration and then click Next. Click Next on the windows that follow. When the installation finishes, you will be given an option to schedule a boot time scan; select No.

Now you have to restart your machine, select Restart and then click Finish.

After you restart you will get a message from avast!; it will give you the general "Hello and Thank you for choosing our Product." Also after you restart you will notice 2 new icons in the bottom right corner of the screen.

VERY IMPORTANT - after restarting, right click on the a in the taskbar and select Updating, then highlight and click Program.

You will get a popup after it's done updating. If avast! had to download anything for your computer you may get a message asking you to restart.

After you have updated avast!, right click the small a icon in the task bar and click Start Avast! AntiVirus.

Click Program Registration and you will be taken to their website. Fill out the form and then check your e-mail. Once you get an e-mail from them (usually about 1 minute after submitting the form), copy and paste the serial they provided into the highlighted box. Then click OK.

After this, you will need to Schedule Boot-Time Scan with avast! Click on the little button placed up in the left corner, and select Schedule Boot-Time Scan. Also read this tutorial http://www.schmahl.n...astbootscan.htm; it may make it easier for you to follow the steps.

Next, choose
Scan all local disks
scan archive files
click on Schedule
On the next dialog Operating system restart needed select Yes
Now avast! will restart your computer and start to scan before Windows fully loads.

IMPORTANT NOTE: since your system has infections on it, avast! will give you a dialog box with recommended actions and options. If this happens, please make sure to click the Move to Chest button, and not to delete any reported files.

On completion of the boot scan there will be a report at this location: C:\Program Files\Alwil Software\Avast4\DATA\report\AswBoot.txt. Please post that in your next reply.


====STEP 3====
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


====STEP 4====
Please go HERE to run Panda's TotalScan
  • Select the bubble for Full scan
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • Then the scan will begin
  • When the scan completes, click the Save button on the right of Scan details
  • Save it to a convenient location. Post the contents of the TotalScan report


In your next reply could I see:
1. the AVAST log
2. the Malwarebytes log
3. the TotalScan log
4. a new HijackThis log

There will be a lot of information to post in the next reply, therefore you may need to post the information over more than one reply to ensure it is all posted.

andrewuk

#15 Revolution660 (Topic Starter, Member)
Avast and Malwarebytes scans ran fine, but when I tried Panda's TotalScan, Avast said it was a virus. So I did not continue, and moved the following infected file to the chest:

C:\Program Files\Panda Security\TotalScan\pskavs.dll
Malware Name: Win32:CTX
Malware Type: Virus/Worm

On a second attempt it was the same result with a different file:

http://www.nanoscan.com/cabs/PSNFLG.CAB\psnflg.dll
Malware Name: Win32:Agent-TOS [Trj]
Malware Type: Trojan Horse

Sooo now I'm a tad suspicious of that Panda scan.

Also to note is that upon trying to update Malwarebytes, the little window would pop up showing that it was trying to connect, but then nothing would happen. However, it says its current database is from 3/19/08, so that seems pretty good.

Here are the logs:

Avast:

03/25/2008 16:56
Scan of all local drives
File C:\Documents and Settings\Administrator.TYLERSPRO2\My Documents\Azureus Downloads\Reflexive Arcade [All Games] Keygen.zip\Reflexive Arcade [All Games] Keygen\Reflexive Arcade [Any Game] Keygen.exe is infected by Win32:Trojan-gen {Other}, Moved to chest
File C:\Download\homestar_df.exe is infected by Win32:Adware-gen [Adw], Moved to chest
File C:\Download\ppstreamsetup.exe\{app}\PPStream.exe is infected by Win32:Trojan-gen {VC}, Moved to chest
File C:\Download\ppstreamsetup.exe\{app}\partner\update.exe is infected by Win32:Delf-IWR [Trj], Move to chest: Error 42010 {File is not packed.}, Move to chest: Error 42010 {File is not packed.}, Repair: Error 42060 {The file was not repaired.}, Delete: Error 42010 {File is not packed.}, Delete: Error 42010 {File is not packed.}, Move: Error 42010 {File is not packed.}
File C:\Download\ppstreamsetup.exe is infected by Win32:Agent-TLQ [Trj], Move to chest: Error 0xC0000034 {Object Name not found.}, Delete: Error 0xC0000034 {Object Name not found.}, Move: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}
File C:\Program Files\Advanced Sound Recorder\Patch.exe is infected by Win32:Trojano-704 [Trj], Moved to chest
File C:\Program Files\HPQ\Default Settings\CpqsetVer.exe is infected by Win32:Trojan-gen {VC}, Moved to chest
File C:\System Volume Information\_restore{B4749A99-455C-4E77-801A-1917A77DD9FA}\RP94\A0048864.exe is infected by Win32:Adware-gen [Adw], Moved to chest
File C:\System Volume Information\_restore{B4749A99-455C-4E77-801A-1917A77DD9FA}\RP94\A0048865.exe\{app}\PPStream.exe is infected by Win32:Trojan-gen {VC}, Moved to chest
File C:\System Volume Information\_restore{B4749A99-455C-4E77-801A-1917A77DD9FA}\RP94\A0048865.exe\{app}\partner\update.exe is infected by Win32:Delf-IWR [Trj], Move to chest: Error 42010 {File is not packed.}, Delete: Error 42010 {File is not packed.}, Move: Error 42010 {File is not packed.}, Move to chest: Error 42010 {File is not packed.}, Repair: Error 42060 {The file was not repaired.}
File C:\System Volume Information\_restore{B4749A99-455C-4E77-801A-1917A77DD9FA}\RP94\A0048865.exe is infected by Win32:Agent-TLQ [Trj], Move to chest: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}
File C:\System Volume Information\_restore{B4749A99-455C-4E77-801A-1917A77DD9FA}\RP94\A0048866.exe is infected by Win32:Trojano-704 [Trj], Moved to chest
File C:\System Volume Information\_restore{B4749A99-455C-4E77-801A-1917A77DD9FA}\RP94\A0048867.exe is infected by Win32:Trojan-gen {VC}, Moved to chest

Number of searched folders: 22586
Number of tested files: 475036
Number of infected files: 13


==================================================================



Malwarebytes' Anti-Malware 1.09
Database version: 507

Scan type: Full Scan (C:\|D:\|X:\|Y:\|)
Objects scanned: 233490
Time elapsed: 1 hour(s), 38 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\RABCO (Adware.RABCO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\RABCO (Adware.RABCO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Adsense Helper Object (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS.1\Application Data\Rabio (Adware.Rabio) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Adsense Helper Object\aho.v1.dll (Trojan.BHO) -> Quarantined and deleted successfully.



=============================================================



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:56:13 PM, on 3/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS.1\System32\smss.exe
C:\WINDOWS.1\system32\winlogon.exe
C:\WINDOWS.1\system32\services.exe
C:\WINDOWS.1\system32\lsass.exe
C:\WINDOWS.1\system32\Ati2evxx.exe
C:\WINDOWS.1\system32\svchost.exe
C:\WINDOWS.1\System32\svchost.exe
C:\WINDOWS.1\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS.1\Explorer.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS.1\system32\taskswitch.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS.1\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Alcohol Soft [Pro2]\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS.1\system32\wuauclt.exe
C:\WINDOWS.1\system32\NOTEPAD.EXE
C:\WINDOWS.1\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS.1\system32\taskswitch.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS.1\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS.1\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft [Pro2]\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 4635 bytes
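A small triage helper for the HijackThis logs posted in this thread, added here as an example (not a tool the helper or the forum provides): it parses the entry lines, flags the things a helper scans for by eye (an entry marked `(file missing)`, an O23 service with `Unknown owner`, an image outside the usual install roots) and diffs two logs from the same machine to show what changed between posts, such as the avast! entries that appear in the second log. The log excerpts are constructed from lines above; the `[example-only]` Temp entry is invented purely to exercise the location check, and the set of trusted roots is an assumption.

```python
import re
from typing import NamedTuple
class Entry(NamedTuple):
    section: str   # HijackThis section code, e.g. "O4" or "O23"
    body: str      # everything after the "O4 - " prefix
    path: str      # image path in lowercase, "" where the section has none
    flags: tuple   # triage flags raised for this entry
LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
PATH_SECTIONS = {"O2", "O4", "O9", "O20", "O23"}
TRUSTED_ROOTS = ("c:\\program files", "c:\\progra~1", "c:\\windows")  # assumed
# Constructed excerpts modelled on the logs posted above (before and after the
# avast! install). The "[example-only]" Temp entry is invented for the location check.
LOG_BEFORE = r"""
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS.1\system32\taskswitch.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS.1\system32\ati2sgag.exe
"""
LOG_AFTER = LOG_BEFORE + r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKCU\..\Run: [example-only] C:\Documents and Settings\user\Local Settings\Temp\example.exe
"""

def parse_line(line):
    """One HijackThis line -> Entry, or None for headers and the process list."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    flags, path, core = [], "", body
    if section in PATH_SECTIONS:
        if core.endswith("(file missing)"):   # HJT marks dangling references
            flags.append("file missing")
            core = core[: -len("(file missing)")].rstrip()
        # O4 lines read "[Name] path"; the other sections end with " - path"
        raw = core.split("] ", 1)[-1] if section == "O4" else core.rsplit(" - ", 1)[-1]
        path = raw.strip().strip('"').lower()
        if "unknown owner" in body.lower():   # O23 service with no publisher
            flags.append("unknown owner")
        if re.match(r"[a-z]:\\", path) and not path.startswith(TRUSTED_ROOTS):
            flags.append("unusual location")
    return Entry(section, body, path, tuple(flags))

def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]

def triage(text):
    # Entries worth a second look: dangling, publisher-less or oddly placed
    return [e for e in parse_log(text) if e.flags]

def diff_logs(before, after):
    """(added, removed) entry bodies between two logs of the same machine."""
    before_set = {e.body for e in parse_log(before)}
    after_set = {e.body for e in parse_log(after)}
    return sorted(after_set - before_set), sorted(before_set - after_set)
```

Running `diff_logs(LOG_BEFORE, LOG_AFTER)` lists the three new entries and nothing removed, and `triage(LOG_AFTER)` returns the AVG BHO, the ATI Smart service and the constructed Temp entry, each with the flag that earned it a second look.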