Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Invisible process? Popup? [RESOLVED]

Started by MatrixEquilibrium , Jun 25 2008 05:35 PM

  • This topic is locked This topic is locked

#1
MatrixEquilibrium
Posted 25 June 2008 - 05:35 PM

MatrixEquilibrium

    Member

  • Member
  • PipPipPip
  • 329 posts
I'm not sure what the problem is, but when I'm using anything, explorer, or a program, the window I'm using becomes inactive as though some other window opened up, and then about 5-10 seconds later it becomes active again.

I opened Task Manager to see what comes up, and what I found was that "iexplore.exe" would come up as a System process and then disappear in literally 5 seconds.

There was something installed on my computer apparently called Adronmedia or something of the sort, based in India somewhere I believe.

I scanned my computer with Ad-Aware and it found some tracking cookies, I deleted those. I used SpyBot and AVG and found some different cookies, I deleted them. I also constantly use CCleaner to remove all cookies, along with ATF Cleaner. My Internet Explorer and Firefox cookie settings are on "Medium-High", and pop-ups are blocked (Medium).

Here's a HJT log, followed by a MalwareBytes Anti-Malware log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:33:03 PM, on 6/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\YsS6tem0.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 222.190.118.27:8080
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 3378 bytes




Malwarebytes' Anti-Malware 1.09
Database version: 578

Scan type: Quick Scan
Objects scanned: 31821
Time elapsed: 3 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{50ccd00a-66b6-4d95-aaef-8ee959498f92} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorertoolbar (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\mwc (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


The problem still exists as I type this.

Edited by MatrixEquilibrium, 25 June 2008 - 08:15 PM.

  • 0

Advertisements

#2
Ltangelic
Posted 26 June 2008 - 05:27 AM

Ltangelic

    Angel Annihilator of Malware

  • Retired Staff
  • 2,008 posts
Hey MatrixEquilibrium,

Welcome to GeekstoGo! I'm Ltangelic and I'll be helping you fix your computer problem.

Take note that I'm still in training, and my posts will have to be checked by an expert. This may cause delays in between my responses, I ask for your patience. :)

I'm looking at your log now, and I'll post back with a fix when I'm ready. Thanks for your patience.

LT
  • 0

#3
MatrixEquilibrium
Posted 26 June 2008 - 10:03 AM

MatrixEquilibrium

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 329 posts
Hello Ltangelic,

Take your time, I noticed the GeekU Senior image under your username, and I'm actually kind of glad that you'll be responding, as I applied yesterday to GeekU, and it'd be nice to see what I can do in a couple of months, or years.

Don't rush it ;-)

Suli
  • 0

#4
Ltangelic
Posted 27 June 2008 - 06:50 PM

Ltangelic

    Angel Annihilator of Malware

  • Retired Staff
  • 2,008 posts
Hey Suli,

Sorry for the long wait, it took a while for an expert to look at my reply. :) Seeing that you applied to GeekU, I wish you all the best for your training.

PS. In the future, if you're wondering why I am taking so long to respond, feel free to give me a PM and I'll explain it to you.

From your log, it seems that you have two anti-spyware resident protection running. This is not recommended as multiple protection of the same kind can cause conflicts and reduce the efficiency of the protection softwares. Please only set one resident protection on, you can choose between the following two as your AS resident protection:

Ad-Aware 2007
AVG Anti-Spyware 7.5

Also, you do not seem to have an anti-virus on your computer. This is extremely dangerous as your computer is vunerable to all kinds of infection. Please go to the download links below and download ONE of the following anti-virus and install it immediately:

Avira Antivir (Recommended)
Avast! antivirus home edition
AVG 8 Free

Please follow my instructions in the order they were given, and print out a copy of it as you may not be able to access the forums during the fix.

1) Update Java

  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.
2) Download and run ATF cleaner

Please download ATF Cleaner by Atribune.
This program is for Windows 98/ME/2K/XP and VistaDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

3) Upload a suspicious file for analysis

We have a suspicious file that needs to be checked. Before going to the site below, please do the following:
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:

    • C:\WINDOWS\system32\YsS6tem0.exe
  • Click on the submit button
  • Please post the results in your next reply.

4) Run Deckard's System Scanner (DSS)

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
Next reply (please include):

Fresh HijackThis log
Jotti Malware scan results
DSS scan log (main.txt and extra.txt)

Edited by Ltangelic, 27 June 2008 - 07:33 PM.

  • 0

#5
MatrixEquilibrium
Posted 28 June 2008 - 02:41 PM

MatrixEquilibrium

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 329 posts
Hello Ltangelic,

Sorry for the delay, there was a power outage in the area due to severe weather conditions.

I'm glad to say there is some considerable progress. I found the following files on my computer:

C:\WINDOWS\system32\buvexano.exe
C:\WINDOWS\system32\nwlypavs.exe
C:\WINDOWS\system32\StHP10a2.exe
C:\WINDOWS\system32\YsS6tem0.exe
C:\WINDOWS\system32\YsS6tem0.exe_
C:\WINDOWS\system32\ActiveScan\pskavs.dll
C:\Documents and Settings\All Users\Application Data\zoxsbmjy\xmpwlsho.exe
C:\Downloads\avitompeg15.exe

These were all from the same source, wherever the virus came from, and I removed them all successfuly. Prior to my posting of the HJT log, I noticed the process "YsS6tem0.exe" wouldn't close, and I googled it but found nothing, so it was obviously not a system file. I used Jotti's malware scan and the results are as follows (prior to my removing of the above):

2008 05:52:08 (GMT)
A-Squared Found nothing
AntiVir Found TR/Crypt.ULPM.Gen
ArcaVir Found nothing
Avast Found Win32:Trojan-gen {Other}
AVG Antivirus Found Generic10.AOWW
BitDefender Found nothing
ClamAV Found Trojan.Spy-41149
CPsecure Found nothing
Dr.Web Found Trojan.Click.19260
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan-GameThief.Win32.OnLineGames.arxy
Fortinet Found W32/OnLineGames.ARXY!tr.pws
Ikarus Found Trojan.Crypt.ULPM
Kaspersky Anti-Virus Found Trojan-GameThief.Win32.OnLineGames.arxy
NOD32 Found probably unknown NewHeur_PE (probable variant)
Norman Virus Control Found W32/DLoader.HSQD
Panda Antivirus Found Generic
Sophos Antivirus Found Mal/EncPk-F
VirusBuster Found nothing
VBA32 Found Trojan-PSW.Win32.OnLineGames.arxy



Here are the results for Deckard's system scanner:
(The extra.txt file is attached)

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-06-28 16:12:01
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 1 Restore Point(s) --
1: 2008-06-28 21:12:16 UTC - RP202 - Deckard's System Scanner Restore Point


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 510 MiB (512 MiB recommended).


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:14:21 PM, on 6/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe
C:\WINDOWS\system32\notepad.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 222.190.118.27:8080
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 3960 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080401-134307-493 O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
backup-20080401-134523-207 O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
backup-20080402-130318-548 O4 - HKLM\..\Policies\Explorer\Run: [9goXcGXZAM] C:\Documents and Settings\All Users\Application Data\zoxsbmjy\xmpwlsho.exe
backup-20080402-130327-848 O4 - HKCU\..\Run: [vgiauuwe] C:\WINDOWS\system32\nwlypavs.exe
backup-20080402-130546-380 O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
backup-20080402-130558-272 O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
backup-20080402-150507-247 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
backup-20080402-150507-257 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
backup-20080402-150507-340 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
backup-20080402-150507-432 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
backup-20080625-031407-146 O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
backup-20080625-031407-321 O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
backup-20080625-031407-478 O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
backup-20080625-031407-925 O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
backup-20080625-031514-875 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
backup-20080625-031526-901 O2 - BHO: adsonmedia browser optimizer - {94cc7750-5b38-44fe-84c6-5d6aca55925d} - C:\WINDOWS\system32\{3ed62066-a709-5363-e318-6cdafed8b076}.dll
backup-20080625-031541-212 F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe"%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>

S1 InCDPass - c:\windows\system32\drivers\incdpass.sys (file missing)
S1 InCDRm (InCD Reader) - c:\windows\system32\drivers\incdrm.sys (file missing)
S2 zntport (NTPort Library Driver) - c:\windows\system32\zntport.sys (file missing)
S3 catchme - c:\docume~1\admini~1\locals~1\temp\catchme.sys (file missing)
S4 InCDFs (InCD File System) - c:\windows\system32\drivers\incdfs.sys (file missing)
S4 VFILT (Outpost Firewall Kernel Driver) - c:\progra~1\agnitum\outpos~1.0\kernel\2000\filtnt.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AntiVirScheduler (Avira AntiVir Personal – Free Antivirus Scheduler) - "c:\program files\avira\antivir personaledition classic\sched.exe" <Not Verified; Avira GmbH; AntiVir Workstation>

S2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
S3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>
S4 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-28 16:00:00 350 --a------ C:\WINDOWS\Tasks\At41.job
2008-06-28 16:00:00 350 --a------ C:\WINDOWS\Tasks\At17.job
2008-06-28 15:32:02 350 --a------ C:\WINDOWS\Tasks\At39.job
2008-06-28 15:00:10 350 --a------ C:\WINDOWS\Tasks\At40.job
2008-06-28 15:00:02 350 --a------ C:\WINDOWS\Tasks\At16.job
2008-06-28 14:00:02 350 --a------ C:\WINDOWS\Tasks\At15.job
2008-06-28 13:16:06 350 --a------ C:\WINDOWS\Tasks\At25.job
2008-06-28 03:00:10 350 --a------ C:\WINDOWS\Tasks\At28.job
2008-06-28 03:00:02 350 --a------ C:\WINDOWS\Tasks\At4.job
2008-06-28 02:00:10 350 --a------ C:\WINDOWS\Tasks\At27.job
2008-06-28 02:00:01 350 --a------ C:\WINDOWS\Tasks\At3.job
2008-06-28 01:00:10 350 --a------ C:\WINDOWS\Tasks\At26.job
2008-06-28 01:00:01 350 --a------ C:\WINDOWS\Tasks\At2.job
2008-06-28 00:22:01 350 --a------ C:\WINDOWS\Tasks\At1.job
2008-06-27 15:45:54 350 --a------ C:\WINDOWS\Tasks\At36.job
2008-06-26 17:00:10 350 --a------ C:\WINDOWS\Tasks\At42.job
2008-06-26 17:00:02 350 --a------ C:\WINDOWS\Tasks\At18.job
2008-06-26 13:00:10 350 --a------ C:\WINDOWS\Tasks\At38.job
2008-06-26 13:00:01 350 --a------ C:\WINDOWS\Tasks\At14.job
2008-06-26 12:00:10 350 --a------ C:\WINDOWS\Tasks\At37.job
2008-06-26 12:00:01 350 --a------ C:\WINDOWS\Tasks\At13.job
2008-06-26 11:00:02 350 --a------ C:\WINDOWS\Tasks\At12.job
2008-06-26 10:05:55 350 --a------ C:\WINDOWS\Tasks\At44.job
2008-06-25 23:00:10 350 --a------ C:\WINDOWS\Tasks\At48.job
2008-06-25 23:00:02 350 --a------ C:\WINDOWS\Tasks\At24.job
2008-06-25 22:00:10 350 --a------ C:\WINDOWS\Tasks\At47.job
2008-06-25 22:00:01 350 --a------ C:\WINDOWS\Tasks\At23.job
2008-06-25 21:00:10 350 --a------ C:\WINDOWS\Tasks\At46.job
2008-06-25 21:00:02 350 --a------ C:\WINDOWS\Tasks\At22.job
2008-06-25 20:00:10 350 --a------ C:\WINDOWS\Tasks\At45.job
2008-06-25 20:00:02 350 --a------ C:\WINDOWS\Tasks\At21.job
2008-06-25 19:00:01 350 --a------ C:\WINDOWS\Tasks\At20.job
2008-06-25 04:00:10 350 --a------ C:\WINDOWS\Tasks\At29.job
2008-06-25 04:00:01 350 --a------ C:\WINDOWS\Tasks\At5.job
2008-06-25 02:13:57 350 --a------ C:\WINDOWS\Tasks\At43.job
2008-06-25 02:13:57 350 --a------ C:\WINDOWS\Tasks\At35.job
2008-06-25 02:13:57 350 --a------ C:\WINDOWS\Tasks\At34.job
2008-06-25 02:13:57 350 --a------ C:\WINDOWS\Tasks\At33.job
2008-06-25 02:13:57 350 --a------ C:\WINDOWS\Tasks\At32.job
2008-06-25 02:13:57 350 --a------ C:\WINDOWS\Tasks\At31.job
2008-06-25 02:13:57 350 --a------ C:\WINDOWS\Tasks\At30.job
2008-06-24 18:00:01 350 --a------ C:\WINDOWS\Tasks\At19.job
2008-06-24 01:00:32 350 --a------ C:\WINDOWS\Tasks\At9.job
2008-06-24 01:00:32 350 --a------ C:\WINDOWS\Tasks\At8.job
2008-06-24 01:00:32 350 --a------ C:\WINDOWS\Tasks\At7.job
2008-06-24 01:00:32 350 --a------ C:\WINDOWS\Tasks\At6.job
2008-06-24 01:00:32 350 --a------ C:\WINDOWS\Tasks\At11.job
2008-06-24 01:00:32 350 --a------ C:\WINDOWS\Tasks\At10.job


-- Files created between 2008-05-28 and 2008-06-28 -----------------------------

2008-06-28 15:21:18 0 d-------- C:\Program Files\Avira
2008-06-28 15:21:18 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-26 12:05:34 0 d-------- C:\Program Files\Pawsoft
2008-06-25 21:20:03 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Macromedia
2008-06-25 19:59:36 0 d-------- C:\Documents and Settings\Islam\Application Data\Macromedia
2008-06-25 19:58:05 0 d-------- C:\Documents and Settings\Islam\Application Data\Adobe
2008-06-25 12:54:57 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-06-25 03:03:17 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Adobe
2008-06-25 03:00:12 0 dr------- C:\Documents and Settings\NetworkService\Favorites
2008-06-25 02:13:57 20480 --a------ C:\WINDOWS\system32\UoO6pai0.dll
2008-06-20 21:04:35 0 d-------- C:\Program Files\PowerISO
2008-06-12 01:28:49 56108 --a------ C:\WINDOWS\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
2008-06-11 23:03:40 0 d-------- C:\Program Files\Counter Strike Condition Zero
2008-06-11 23:02:03 6 --a------ C:\Documents and Settings\Administrator\MK3NAME.DAT
2008-06-11 23:02:03 2 --a------ C:\Documents and Settings\Administrator\MK3.DAT
2008-06-02 17:06:30 0 d-------- C:\WINDOWS\system32\Adobe


-- Find3M Report ---------------------------------------------------------------

2008-06-28 15:36:42 0 d-------- C:\Program Files\Java
2008-06-26 01:10:07 0 d-------- C:\Documents and Settings\Administrator\Application Data\Move Networks
2008-06-23 16:26:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-06-18 23:57:38 0 d-------- C:\Program Files\Messenger
2008-06-18 23:48:12 0 d-------- C:\Program Files\Windows Live
2008-06-15 02:31:06 0 d-------- C:\Program Files\Nokia
2008-06-15 02:31:06 0 d-------- C:\Program Files\Common Files\Nokia
2008-06-11 01:03:08 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-03 21:40:32 1394 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-28 23:19:34 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [09/20/2005 09:32 AM]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [02/12/2008 10:06 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [02/16/2007 10:54 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 05:56 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [04/12/2007 01:43 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{650CA63D-4A01-4BF8-A608-9B1EBB36292E}"= C:\WINDOWS\system32\UoO6pai0.dll [06/27/2008 04:10 PM 20480]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
"C:\Program Files\BitTorrent_DNA\dna.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1140464654\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Access]
C:\Program Files\Media Access\MediaAccK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
"C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)

*Newly Created Service* - SSMDRV



-- Hosts -----------------------------------------------------------------------

127.0.0.1 localhost


-- End of Deckard's System Scanner: finished at 2008-06-28 16:14:57 ------------



The problem of the inactive window no longer occurs, and I've monitored the running processes. "iexplore.exe" no longer comes up temporarily.

As for my Hosts files and the ATF cleaner, I have both, and a folder with some other G2G programs; I run CCleaner daily as I use the computer often.

Thanks, and if there are any other problems with the logs I posted above, take your time in responding. :)

Suli

PS: Thanks for the best wishes, I completed reading the majority of the tutorials and will start on the PLs soon.

Attached Files


Edited by MatrixEquilibrium, 28 June 2008 - 03:32 PM.

  • 0

#6
Ltangelic
Posted 29 June 2008 - 12:10 AM

Ltangelic

    Angel Annihilator of Malware

  • Retired Staff
  • 2,008 posts
Hey Suli,

No worries, sorry to hear about the power outage, hope everything is ok now. :) It's great to hear there has been progress in fixing your computer. I'm also happy to say that your computer aren't showing big problems. We just need to run some tools and scans to ensure that your system is clean. :)

Just one little problem: it seems that you are still running two anti-spyware resident, is it because you did not know how to disable one of your AS resident? If that is so, please go to the following link and disable either AVG Antispyware or Ad Aware 2007:

http://wiki.castleco...toring_Programs

1) Uninstall programs

Please go to Add or Remove Programs in Control Panel and remove the following (if they are present):

BitTorrent <-- BitTorrent is a P2P program that can cause security risks to your computer. It is recommended that you remove it. Please have a look here and decide if you want to remove it
BitTorrent DNA <--Related to BitTorrent
Media Access
J2SE Runtime Environment 5.0 Update 12

Reboot your computer.

2) Run OTMoveIt2

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At15.job
 C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At9.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\system32\UoO6pai0.dll
C:\Program Files\BitTorrent
C:\Program Files\BitTorrent DNA
C:\Program Files\Media Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{650CA63D-4A01-4BF8-A608-9B1EBB36292E}
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Access
[start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

3) Run a scan with SUPERAntispyware

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Next reply (please include):

Fresh HijackThis log
OTMoveIt2 log
SUPERAntispyware scan log


LT

Edited by Ltangelic, 29 June 2008 - 04:32 AM.

  • 0

#7
MatrixEquilibrium
Posted 29 June 2008 - 03:51 PM

MatrixEquilibrium

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 329 posts
Hey LT,

The power outage was the second one within the past few weeks; it kills me not to have Internet, let alone electricity. :)

Anyway, here's the SUPERAntiSpyware log:


Generated 06/29/2008 at 05:33 PM

Application Version : 4.15.1000

Core Rules Database Version : 3493
Trace Rules Database Version: 1484

Scan type : Complete Scan
Total Scan Time : 01:20:55

Memory items scanned : 353
Memory threats detected : 0
Registry items scanned : 6570
Registry threats detected : 1
File items scanned : 92419
File threats detected : 38

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\administrator@specificclick[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@revsci[2].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@2o7[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[2].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@chitika[1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adultadworld[1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@imrworldwide[2].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@kontera[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@serving-sys[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@trafficmp[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@burstnet[2].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@tacoda[2].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@insightexpressai[1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@realmedia[1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\NetworkService\Cookies\system@trafficmp[2].txt

Trojan.DNSChanger-Codec
HKU\S-1-5-21-854245398-606747145-725345543-500\Software\uninstall

Adware.AdRotate/System
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\BACKUPS\BACKUP-20080625-031526-901.DLL

Adware.Unknown Origin
C:\WINDOWS\SYSTEM32\IESH12052004.CFG

This is the OTMoveIt log:

Explorer killed successfully
C:\WINDOWS\Tasks\At41.job moved successfully.
C:\WINDOWS\Tasks\At17.job moved successfully.
C:\WINDOWS\Tasks\At39.job moved successfully.
C:\WINDOWS\Tasks\At40.job moved successfully.
C:\WINDOWS\Tasks\At16.job moved successfully.
C:\WINDOWS\Tasks\At15.job moved successfully.
C:\WINDOWS\Tasks\At25.job moved successfully.
C:\WINDOWS\Tasks\At28.job moved successfully.
C:\WINDOWS\Tasks\At4.job moved successfully.
C:\WINDOWS\Tasks\At27.job moved successfully.
C:\WINDOWS\Tasks\At3.job moved successfully.
C:\WINDOWS\Tasks\At26.job moved successfully.
C:\WINDOWS\Tasks\At2.job moved successfully.
C:\WINDOWS\Tasks\At1.job moved successfully.
C:\WINDOWS\Tasks\At36.job moved successfully.
C:\WINDOWS\Tasks\At42.job moved successfully.
C:\WINDOWS\Tasks\At18.job moved successfully.
C:\WINDOWS\Tasks\At38.job moved successfully.
C:\WINDOWS\Tasks\At14.job moved successfully.
C:\WINDOWS\Tasks\At37.job moved successfully.
C:\WINDOWS\Tasks\At13.job moved successfully.
C:\WINDOWS\Tasks\At12.job moved successfully.
C:\WINDOWS\Tasks\At44.job moved successfully.
C:\WINDOWS\Tasks\At48.job moved successfully.
C:\WINDOWS\Tasks\At24.job moved successfully.
C:\WINDOWS\Tasks\At47.job moved successfully.
C:\WINDOWS\Tasks\At23.job moved successfully.
C:\WINDOWS\Tasks\At46.job moved successfully.
C:\WINDOWS\Tasks\At22.job moved successfully.
C:\WINDOWS\Tasks\At45.job moved successfully.
C:\WINDOWS\Tasks\At21.job moved successfully.
C:\WINDOWS\Tasks\At20.job moved successfully.
C:\WINDOWS\Tasks\At29.job moved successfully.
C:\WINDOWS\Tasks\At5.job moved successfully.
C:\WINDOWS\Tasks\At43.job moved successfully.
C:\WINDOWS\Tasks\At35.job moved successfully.
C:\WINDOWS\Tasks\At34.job moved successfully.
C:\WINDOWS\Tasks\At33.job moved successfully.
C:\WINDOWS\Tasks\At32.job moved successfully.
C:\WINDOWS\Tasks\At31.job moved successfully.
C:\WINDOWS\Tasks\At30.job moved successfully.
C:\WINDOWS\Tasks\At19.job moved successfully.
C:\WINDOWS\Tasks\At9.job moved successfully.
C:\WINDOWS\Tasks\At8.job moved successfully.
C:\WINDOWS\Tasks\At7.job moved successfully.
C:\WINDOWS\Tasks\At6.job moved successfully.
C:\WINDOWS\Tasks\At11.job moved successfully.
C:\WINDOWS\Tasks\At10.job moved successfully.
C:\WINDOWS\system32\UoO6pai0.dll unregistered successfully.
C:\WINDOWS\system32\UoO6pai0.dll moved successfully.
File/Folder C:\Program Files\BitTorrent not found.
File/Folder C:\Program Files\BitTorrent DNA not found.
File/Folder C:\Program Files\Media Access not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{650CA63D-4A01-4BF8-A608-9B1EBB36292E} >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{650CA63D-4A01-4BF8-A608-9B1EBB36292E}\ not found.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA\\ deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Access >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Access\\ deleted successfully.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 06292008_160707

And here's a fresh HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:45:45 PM, on 6/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 222.190.118.27:8080
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 3887 bytes

Just one little problem: it seems that you are still running two anti-spyware resident, is it because you did not know how to disable one of your AS resident? If that is so, please go to the following link and disable either AVG Antispyware or Ad Aware 2007:


:) I'm so sorry for forgetting about that - I know how to remove and/or disable one or the other, it just slipped my mind (excuse: bad effect of not sleeping at night :)).

Thanks LT,

Suli
  • 0

#8
Ltangelic
Posted 30 June 2008 - 03:06 AM

Ltangelic

    Angel Annihilator of Malware

  • Retired Staff
  • 2,008 posts
Hey Suli,

Wow, that does seem serious. Sorry to hear that. :)

Great work, your computer looks fine to me. :)

Just a few more steps to closing this:

1) Run ATF Cleaner to clean up temporary files

PS. I know you already have Ccleaner, but ATF Cleaner will clean up files that CCleaner misses, so I recommend that you clean with ATF as well. :)

Please download ATF Cleaner by Atribune.
This program is for Windows 98/ME/2K/XP and VistaDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

2) Clean up with OTMoveIt2

Double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")

* Click on the CleanUp! button
* A list of tool components used in the Cleanup of malware will be downloaded.
* If your Firewall or Real Time protection attempts to block OtMoveit2 to reach the Internet, please allow the application to do so.
* Click Yes to begin the Cleanup process and remove these components, including this application.
* You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

3) Clear and Reset system Restore

[*]Right click on "My Computer" and click on "Properties".
[*]Go to "System Restore" tab and check "Turn off System Restore on all drives". Click "Yes" at the prompt. (Wait a while for it to finish)
[*]Then UNcheck "Turn off System Restore on all drives". Click "Yes" at the prompt. (Wait a while for it to finish)
[*]Your System Restore is now turned on.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You should also have a good firewall. Here are 3 free ones available for personal use:
It is critical to have only ONE firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit
monthly.

To learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?

LT
  • 0

#9
MatrixEquilibrium
Posted 30 June 2008 - 10:01 AM

MatrixEquilibrium

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 329 posts
Hey LT,

Thanks for everything, I really appreciate it.

Great prevention speech :)

And this problem is now resolved, thanks. :)

Suli
  • 0

#10
Ltangelic
Posted 01 July 2008 - 03:44 AM

Ltangelic

    Angel Annihilator of Malware

  • Retired Staff
  • 2,008 posts
Hey Matrix,

Your utmost welcome, glad I could be of help. :)

LT
  • 0

Advertisements

#11
RiP
Posted 01 July 2008 - 05:26 AM

RiP

    Malware Expert

  • Retired Staff
  • 8,430 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0

#12
RiP
Posted 06 July 2008 - 01:48 AM

RiP

    Malware Expert

  • Retired Staff
  • 8,430 posts
Topic Re-Opened at user's request.
  • 0

#13
MatrixEquilibrium
Posted 06 July 2008 - 11:02 AM

MatrixEquilibrium

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 329 posts
Thank you for re-opening.
-------------------------------

LT,

The two "Trojans" detected earlier are apparently still residing in the system32 area. There aren't any visible problems, I've checked all the running processes, and they aren't active, yet Avira scanned and detected two files it considers trojans.

C:\_OTMoveIt\MovedFiles\06292008_160707\WINDOWS\system32\UoO6pai0.dll
[DETECTION] Is the Trojan horse TR/BHO.eme

C:\WINDOWS\system32\ebkp.dll
[DETECTION] Is the Trojan horse TR/BHO.Gen

And one warning: "C:\pagefile.sys
[WARNING] The file could not be opened!



I deleted the first two.

Matrix

Edited by MatrixEquilibrium, 06 July 2008 - 11:02 AM.

  • 0

#14
Ltangelic
Posted 08 July 2008 - 01:21 AM

Ltangelic

    Angel Annihilator of Malware

  • Retired Staff
  • 2,008 posts
Hey Suli,

Pagefile.sys is a valid system file. :)

Don't worry, let's try running another DSS scan to see if there is anything we can find.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
Next reply (please include):

DSS scan log
  • 0

#15
MatrixEquilibrium
Posted 08 July 2008 - 03:48 PM

MatrixEquilibrium

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 329 posts
Deckard's System Scanner v20071014.68
Run by Administrator on 2008-07-08 17:15:58
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 510 MiB (512 MiB recommended).


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:16:09 PM, on 7/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 222.190.118.27:8080
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 3594 bytes

-- Files created between 2008-06-08 and 2008-07-08 -----------------------------

2008-07-06 17:58:22 23 --a------ C:\Documents and Settings\Administrator\jagex_runescape_preferences.dat
2008-07-05 14:31:36 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-07-02 19:48:40 0 d-------- C:\Documents and Settings\Administrator\Application Data\gtk-2.0
2008-07-02 19:48:21 0 d-------- C:\Documents and Settings\Administrator\.thumbnails
2008-07-02 19:39:50 0 d-------- C:\Documents and Settings\Administrator\.gimp-2.4
2008-07-02 19:39:00 0 d-------- C:\Program Files\GIMP-2.0
2008-07-02 14:06:43 0 d-------- C:\Documents and Settings\Administrator\Application Data\Move Networks
2008-06-29 16:09:53 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-29 16:09:43 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-06-29 16:09:42 0 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-06-28 20:02:26 0 d-------- C:\Program Files\KeyNote
2008-06-28 17:39:31 0 d-------- C:\Program Files\DivX
2008-06-28 15:21:18 0 d-------- C:\Program Files\Avira
2008-06-28 15:21:18 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-26 12:05:34 0 d-------- C:\Program Files\Pawsoft
2008-06-25 21:20:03 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Macromedia
2008-06-25 19:59:36 0 d-------- C:\Documents and Settings\Islam\Application Data\Macromedia
2008-06-25 19:58:05 0 d-------- C:\Documents and Settings\Islam\Application Data\Adobe
2008-06-25 03:03:17 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Adobe
2008-06-25 03:00:12 0 dr------- C:\Documents and Settings\NetworkService\Favorites
2008-06-20 21:04:35 0 d-------- C:\Program Files\PowerISO
2008-06-12 01:28:49 56108 --a------ C:\WINDOWS\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
2008-06-11 23:03:40 0 d-------- C:\Program Files\Counter Strike Condition Zero
2008-06-11 23:02:03 6 --a------ C:\Documents and Settings\Administrator\MK3NAME.DAT
2008-06-11 23:02:03 2 --a------ C:\Documents and Settings\Administrator\MK3.DAT
2008-06-10 20:45:38 0 d-------- C:\Documents and Settings\Islam\Application Data\Identities
2008-06-10 20:45:27 0 d-------- C:\Documents and Settings\Islam\Start Menu
2008-06-10 20:45:27 0 d--h----- C:\Documents and Settings\Islam\SendTo
2008-06-10 20:45:27 0 dr-h----- C:\Documents and Settings\Islam\Recent
2008-06-10 20:45:27 0 d--h----- C:\Documents and Settings\Islam\PrintHood
2008-06-10 20:45:27 0 d--h----- C:\Documents and Settings\Islam\NetHood
2008-06-10 20:45:27 0 dr------- C:\Documents and Settings\Islam\My Documents
2008-06-10 20:45:27 0 d--h----- C:\Documents and Settings\Islam\Local Settings
2008-06-10 20:45:27 0 d-------- C:\Documents and Settings\Islam\Islam
2008-06-10 20:45:27 0 dr------- C:\Documents and Settings\Islam\Favorites
2008-06-10 20:45:27 0 d-------- C:\Documents and Settings\Islam\Desktop
2008-06-10 20:45:27 0 d--hs---- C:\Documents and Settings\Islam\Cookies
2008-06-10 20:45:27 0 d--h----- C:\Documents and Settings\Islam\Application Data
2008-06-10 20:45:27 0 d---s---- C:\Documents and Settings\Islam\Application Data\Microsoft
2008-06-10 20:45:26 0 d--h----- C:\Documents and Settings\Islam\Templates
2008-06-10 20:45:26 786432 --ah----- C:\Documents and Settings\Islam\ntuser.dat


-- Find3M Report ---------------------------------------------------------------

2008-07-05 13:45:41 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-06-30 21:00:49 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-30 16:21:53 0 d-------- C:\Program Files\Common Files
2008-06-29 17:14:35 0 d-------- C:\Program Files\Spytector
2008-06-29 16:22:25 0 d-------- C:\Program Files\QuickTime
2008-06-29 16:09:25 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-28 15:36:42 0 d-------- C:\Program Files\Java
2008-06-23 16:26:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-06-18 23:57:38 0 d-------- C:\Program Files\Messenger
2008-06-18 23:48:12 0 d-------- C:\Program Files\Windows Live
2008-06-15 02:31:06 0 d-------- C:\Program Files\Nokia
2008-06-15 02:31:06 0 d-------- C:\Program Files\Common Files\Nokia


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [09/20/2005 09:32 AM]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [02/12/2008 10:06 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 05:56 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [04/12/2007 01:43 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 AM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1140464654\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
"C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)




-- End of Deckard's System Scanner: finished at 2008-07-08 17:16:33 ------------
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP