Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

infected badly - really need your help please!


  • Please log in to reply

#1
ccie

ccie

    New Member

  • Member
  • Pip
  • 6 posts
Hi forum,

I got infected really bad by some unknown malware.

when i boot up my laptop and log in to XP, the desktop shows up briefly and then quickly all disappears leaving me a blank wallpaper, at the same time popping up an error message:

userinit.exe application error:
The instruction at "0x77dd778e" reference memory at "0x77dd778e". The memory could not be "written".
Click on OK to terminate the program, or Cancel to debug.

here are the things I have done and tried so far:

I tried to boot up in the Safe Mode, but only a black background appears with Safe Mode on four corners and no desktop at all.

I then booted into the Safe Mode with DOS prompt, I ran AVG 7 virus scan, AVG spy-ware scan, Symantec anti-virus scan, Microsoft Malicious Software Removal tool, and still didn't catch anything major or fixed the problem.

Then I followed the steps in the Malware forum before I post the HijackThis log:
1. I ran the ATF temp file cleaner successfully.
2. when i tried to run mbam-setup.exe in the Dos window under Safe mode, it did not respond or proceed.
3. when I ran SUPERAntiSpyware.exe, I got the error:
windows installer: the system administrator has set the policies to prevent this installation
4. under the Dos safe mode, I don't get the network connectivity, so i couldn't get to run the Online - Panda Activescan as the guide suggests.
5. I wanted to generate a hijackthis log, and tried to run HJTInstall.exe to install in the Dos window under Safe mode, again it did not respond or proceed. so I can't even post a hijackthis log to start with.

what should I do now to find the malware and cure the problem?

thank you very much!
  • 0

Advertisements


#2
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello ccie

Welcome to G2Go.
=====================
ARe you able to run the Task Manager?
Try to do this in normal mode.
Tap ctrl-Alt-delete keys on your keyboard all at once and it should bring up the Task manager.
If it does then you can go to the top where it says File then New task Run then type in this > iexplore then hit ok.
This will start your Internet Explorer.
Then do the following:
Please RIGHT-CLICK HERE and Save As (in IE it's "Save Target As", in FF it's "Save Link As") to download Silent Runners.
  • Save it to the C:\drive.
  • Run Silent Runner's by doubleclicking the "Silent Runners" icon in your C:\drive.
  • You will receive a prompt:
    • Do you want to skip supplementary searches?
      click NO
  • If you receive an error just click OK and double-click it to run it again - sometimes it won't run as it's supposed to the first time but will in subsequent runs.
  • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
  • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
  • 0

#3
ccie

ccie

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
here you go:


"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"H/PC Connection Agent" = ""C:\Program Files\Microsoft ActiveSync\wcescomm.exe"" [MS]
"SUPERAntiSpyware" = "C:\apps\SUPERAntiSpyware\SUPERAntiSpyware.exe" ["SUPERAntiSpyware.com"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"vmware-tray" = "C:\apps\VMware\VMware Workstation\vmware-tray.exe" ["VMware, Inc."]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k"
"AVG8_TRAY" = "C:\PROGRA~1\AVG\AVG8\avgtray.exe" ["AVG Technologies CZ, s.r.o."]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"vptray" = "C:\PROGRA~1\SYMANT~1\VPTray.exe" ["Symantec Corporation"]
"TrojanScanner" = "C:\Program Files\Trojan Remover\Trjscan.exe" ["Simply Super Software"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{2FF811E6-8925-4084-A649-C159955E67E8}\(Default) = (no title provided)
-> {HKLM...CLSID} = "WinGold"
\InProcServer32\(Default) = "C:\WINDOWS\system32\asc94.dll" [empty string]
{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}\(Default) = "BitComet ClickCapture"
-> {HKLM...CLSID} = "BitComet Helper"
\InProcServer32\(Default) = "C:\Apps\BitComet\tools\BitCometBHO_1.1.9.24.dll" ["BitComet"]
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\(Default) = "WormRadar.com IESiteBlocker.NavFilter"
-> {HKLM...CLSID} = "AVG Safe Search"
\InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\avgssie.dll" ["AVG Technologies CZ, s.r.o."]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\apps\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
{5CA3D70E-1895-11CF-8E15-001234567890}\(Default) = (no title provided)
-> {HKLM...CLSID} = "DriveLetterAccess"
\InProcServer32\(Default) = "C:\WINDOWS\System32\DLA\DLASHX_W.DLL" ["Sonic Solutions"]
{6D0386B3-FD72-488E-9740-90355AE21735}\(Default) = (no title provided)
-> {HKLM...CLSID} = "scriptproxy"
\InProcServer32\(Default) = "C:\WINDOWS\system32\sla32.dll" [null data]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."]
{A057A204-BACC-4D26-9990-79A187E2698E}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AVG Security Toolbar"
\InProcServer32\(Default) = "C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL" ["AVG, Technologies CZ, s.r.o "]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
-> {HKLM...CLSID} = "DriveLetterAccess"
\InProcServer32\(Default) = "C:\WINDOWS\System32\DLA\DLASHX_W.DLL" ["Sonic Solutions"]
"{1CE8B2C9-EAEF-43fc-8218-F092E4F94A47}" = "Notepad++ Shell Extension"
-> {HKLM...CLSID} = "Notepad++ Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Notepad++\nppshellext.dll" ["Notepad++ team"]
"{692E33B0-AF9D-11D0-B976-00A0C9190447}" = "Remote Storage Properties"
-> {HKLM...CLSID} = "Remote Storage Properties"
\InProcServer32\(Default) = "C:\WINDOWS\system32\rsshell.dll" [MS]
"{0873D142-79EF-49fa-81B5-211AAC0B0A7F}" = "Target Finder Shell Extension"
-> {HKLM...CLSID} = "TargetFinderShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Roxio\Easy Media Creator 7\Creator Classic\TargetFinder.dll" [empty string]
"{49BF5420-FA7F-11cf-8011-00A0C90A8F78}" = "Mobile Device"
-> {HKLM...CLSID} = "Mobile Device"
\InProcServer32\(Default) = "C:\PROGRA~1\MI3AA1~1\Wcesview.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\apps\WinRAR\rarext.dll" [null data]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{d5b3b5f0-5876-41c5-9e75-e7a207e4def0}" = "j2 Messenger - Shell Extension"
-> {HKLM...CLSID} = "HotShellExtj2"
\InProcServer32\(Default) = "C:\Program Files\j2 Messenger 4.2\J2GShell.dll" ["j2 Global Communications, Inc."]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG8 Shell Extension"
-> {HKLM...CLSID} = "AVG8 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "My Sharing Folders"
\InProcServer32\(Default) = "C:\Program Files\Windows Live\Messenger\fsshext.8.5.1302.1018.dll" [MS]
"{6872d785-fe43-44cb-9b2a-2df4c5eb13b2}" = "eFax Messenger - Shell Extension"
-> {HKLM...CLSID} = "HotShellExt"
\InProcServer32\(Default) = "C:\Program Files\eFax Messenger 4.3\J2GShell.dll" ["j2 Global Communications, Inc."]
"{D1900995-7175-4EF2-A010-101FC4728FFD}" = "hotComm HCC Image Extension"
-> {HKLM...CLSID} = "HCCExtractor Class"
\InProcServer32\(Default) = "C:\Program Files\1stWORKS\hotCommCL\BIN\HCCse.DLL" [empty string]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{52B87208-9CCF-42C9-B88E-069281105805}" = "Trojan Remover Shell Extension"
-> {HKLM...CLSID} = "Trojan Remover Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1\Trshlex.dll" ["Simply Super Software"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
-> {HKLM...CLSID} = "SABShellExecuteHook Class"
\InProcServer32\(Default) = "C:\apps\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> !SASWinLogon\DLLName = "C:\apps\SUPERAntiSpyware\SASWINLO.dll" ["SUPERAntiSpyware.com"]
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<<!>> NavLogon\DLLName = "C:\WINDOWS\system32\NavLogon.dll" ["Symantec Corporation"]
<<!>> tpfnf2\DLLName = "notifyf2.dll" [null data]
<<!>> tphotkey\DLLName = "tphklock.dll" [null data]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
AVG8 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG8 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]
HotShellExtj2_40\(Default) = "{D5B3B5F0-5876-41c5-9E75-E7A207E4DEF0}"
-> {HKLM...CLSID} = "HotShellExtj2"
\InProcServer32\(Default) = "C:\Program Files\j2 Messenger 4.2\J2GShell.dll" ["j2 Global Communications, Inc."]
HotShellExt_40\(Default) = "{6872D785-FE43-44cb-9B2A-2DF4C5EB13B2}"
-> {HKLM...CLSID} = "HotShellExt"
\InProcServer32\(Default) = "C:\Program Files\eFax Messenger 4.3\J2GShell.dll" ["j2 Global Communications, Inc."]
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
NppShellExt\(Default) = "{1CE8B2C9-EAEF-43fc-8218-F092E4F94A47}"
-> {HKLM...CLSID} = "Notepad++ Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Notepad++\nppshellext.dll" ["Notepad++ team"]
Trojan Remover\(Default) = "{52B87208-9CCF-42C9-B88E-069281105805}"
-> {HKLM...CLSID} = "Trojan Remover Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1\Trshlex.dll" ["Simply Super Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\apps\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
NppShellExt\(Default) = "{1CE8B2C9-EAEF-43fc-8218-F092E4F94A47}"
-> {HKLM...CLSID} = "Notepad++ Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Notepad++\nppshellext.dll" ["Notepad++ team"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\apps\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
AVG8 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG8 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
Trojan Remover\(Default) = "{52B87208-9CCF-42C9-B88E-069281105805}"
-> {HKLM...CLSID} = "Trojan Remover Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1\Trshlex.dll" ["Simply Super Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\apps\WinRAR\rarext.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoCDBurning" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"consentpromptbehavioradmin" = (REG_DWORD) dword:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode}

"consentpromptbehavioruser" = (REG_DWORD) dword:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Behavior Of The Elevation Prompt For Standard Users}

"enableinstallerdetection" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Detect Application Installations And Prompt For Elevation}

"filteradministratortoken" = (REG_DWORD) dword:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Admin Approval Mode for the Built-in Administrator Account}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "\Windows\PC10x7-blue.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\apps\WALLPA~1.NET\Canada_1.scr" [null data]


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

DVDDecrypterPlayDVDMovieOnArrival\
"Provider" = "DVD Decrypter"
"InvokeProgID" = "DVDDecrypter"
"InvokeVerb" = "PlayDVDMovieOnArrival_Decrypt"
HKLM\SOFTWARE\Classes\DVDDecrypter\shell\PlayDVDMovieOnArrival_Decrypt\Command\(Default) = ""C:\Apps\DVD Decrypter\DVDDecrypter.exe" /MODE READ /SOURCE "%1"" ["LIGHTNING UK!"]

IviDVDEventHandler\
"Provider" = "InterVideo WinDVD"
"InvokeProgID" = "Ivi.MediaFile"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\Ivi.MediaFile\shell\play\command\(Default) = ""C:\Program Files\InterVideo\WinDVD\WinDVD.exe" %1" ["InterVideo Inc."]

IviVideoCDHandler\
"Provider" = "InterVideo WinDVD"
"InvokeProgID" = "Ivi.MediaFile"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\Ivi.MediaFile\shell\play\command\(Default) = ""C:\Program Files\InterVideo\WinDVD\WinDVD.exe" %1" ["InterVideo Inc."]

MSWMEncVCArrival\
"Provider" = "Windows Media Encoder 9 Series"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Program Files\Windows Media Components\Encoder\WMEnc.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "ShellExecute HW Event Handler"
\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

MSWPDShellNamespaceHandler\
"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = " "
-> {HKLM...CLSID} = "WPDShextAutoplay"
\LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]

NeroAutoPlayEmptyCD\
"Provider" = "Nero StartSmart"
"InvokeProgID" = "Nero.AutoPlay"
"InvokeVerb" = "EmptyCD"
HKLM\SOFTWARE\Classes\Nero.AutoPlay\shell\EmptyCD\command\(Default) = ""C:\apps\Ahead\nero startsmart\nerostartsmart.exe" /Drive:%L" ["Ahead Software AG"]

RoxioCAPVideoCamera\
"Provider" = "Roxio Capture"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Program Files\Roxio\Easy Media Creator 7\Capture\RoxioCapture7.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "ShellExecute HW Event Handler"
\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

RoxioCreatorPlayCDAudioOnArrival\
"Provider" = "Roxio Creator Classic"
"InvokeProgID" = "Creator7"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\Creator7\shell\open\Command\(Default) = "C:\Program Files\Roxio\Easy Media Creator 7\Creator Classic\creator7.exe" ["Roxio"]

RoxioDiscCopierPlayCDAudioOnArrival\
"Provider" = "Roxio Disc Copier"
"InvokeProgID" = "disccopier"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\disccopier\shell\open\Command\(Default) = "C:\Program Files\Roxio\Easy Media Creator 7\Disc Copier\DiscCopier7.exe" ["Roxio"]

RoxioEMCAudioCD\
"Provider" = "Roxio Easy Media Creator 7"
"InvokeProgID" = "RoxioEMCHome"
"InvokeVerb" = "Get"
HKLM\SOFTWARE\Classes\RoxioEMCHome\shell\Get\Command\(Default) = "C:\Program Files\Roxio\Easy Media Creator 7\Home Page\HomePageApp.exe" ["Roxio, Inc."]

RoxioEMCBurning\
"Provider" = "Roxio Easy Media Creator 7"
"InvokeProgID" = "RoxioEMCHome"
"InvokeVerb" = "Get"
HKLM\SOFTWARE\Classes\RoxioEMCHome\shell\Get\Command\(Default) = "C:\Program Files\Roxio\Easy Media Creator 7\Home Page\HomePageApp.exe" ["Roxio, Inc."]

RoxioEMCDVD\
"Provider" = "Roxio Easy Media Creator 7"
"InvokeProgID" = "RoxioEMCHome"
"InvokeVerb" = "Get"
HKLM\SOFTWARE\Classes\RoxioEMCHome\shell\Get\Command\(Default) = "C:\Program Files\Roxio\Easy Media Creator 7\Home Page\HomePageApp.exe" ["Roxio, Inc."]

RoxioEMCMixedContent\
"Provider" = "Roxio Easy Media Creator 7"
"InvokeProgID" = "RoxioEMCHome"
"InvokeVerb" = "Get"
HKLM\SOFTWARE\Classes\RoxioEMCHome\shell\Get\Command\(Default) = "C:\Program Files\Roxio\Easy Media Creator 7\Home Page\HomePageApp.exe" ["Roxio, Inc."]

RoxioEMCMusic\
"Provider" = "Roxio Easy Media Creator 7"
"InvokeProgID" = "RoxioEMCHome"
"InvokeVerb" = "Get"
HKLM\SOFTWARE\Classes\RoxioEMCHome\shell\Get\Command\(Default) = "C:\Program Files\Roxio\Easy Media Creator 7\Home Page\HomePageApp.exe" ["Roxio, Inc."]

RoxioEMCPictures\
"Provider" = "Roxio Easy Media Creator 7"
"InvokeProgID" = "RoxioEMCHome"
"InvokeVerb" = "Get"
HKLM\SOFTWARE\Classes\RoxioEMCHome\shell\Get\Command\(Default) = "C:\Program Files\Roxio\Easy Media Creator 7\Home Page\HomePageApp.exe" ["Roxio, Inc."]

RoxioEMCVideos\
"Provider" = "Roxio Easy Media Creator 7"
"InvokeProgID" = "RoxioEMCHome"
"InvokeVerb" = "Get"
HKLM\SOFTWARE\Classes\RoxioEMCHome\shell\Get\Command\(Default) = "C:\Program Files\Roxio\Easy Media Creator 7\Home Page\HomePageApp.exe" ["Roxio, Inc."]

RPCDBurningOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.CDBurn.6"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\RealPlayer.CDBurn.6\shell\open\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /burn "%1"" ["RealNetworks, Inc."]

RPDeviceOnArrival\
"Provider" = "RealPlayer"
"ProgID" = "RealPlayer.HWEventHandler"
HKLM\SOFTWARE\Classes\RealPlayer.HWEventHandler\CLSID\(Default) = "{67E76F1D-BDE2-4052-913C-2752366192D2}"
-> {HKLM...CLSID} = "RealNetworks Scheduler"
\LocalServer32\(Default) = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -autoplay" ["RealNetworks, Inc."]

RPPlayCDAudioOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.AudioCD.6"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\RealPlayer.AudioCD.6\shell\play\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /play %1 " ["RealNetworks, Inc."]

RPPlayDVDMovieOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.DVD.6"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\RealPlayer.DVD.6\shell\play\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /dvd %1 " ["RealNetworks, Inc."]

RPPlayMediaOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.AutoPlay.6"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\RealPlayer.AutoPlay.6\shell\open\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /autoplay "%1"" ["RealNetworks, Inc."]

SonicSCAudioCDTask\
"Provider" = "RecordNow Audio"
"InvokeProgID" = "Sonic.SonicCentral"
"InvokeVerb" = "AudioCDTask"
HKLM\SOFTWARE\Classes\Sonic.SonicCentral\shell\AudioCDTask\Command\(Default) = ""c:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe" /Launch {EBD22732-1CC3-4CD7-9A45-B8D98DA0E784}" [null data]

SonicSCCopyCD\
"Provider" = "RecordNow Copy"
"InvokeProgID" = "Sonic.SonicCentral"
"InvokeVerb" = "ExactCopyJob"
HKLM\SOFTWARE\Classes\Sonic.SonicCentral\shell\ExactCopyJob\Command\(Default) = ""c:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe" /Launch {49B235A3-1C3E-4802-9B5C-BAFBE69A3C85}" [null data]

SonicSCCopyDisc\
"Provider" = "RecordNow Copy"
"InvokeProgID" = "Sonic.SonicCentral"
"InvokeVerb" = "ExactCopyJob"
HKLM\SOFTWARE\Classes\Sonic.SonicCentral\shell\ExactCopyJob\Command\(Default) = ""c:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe" /Launch {49B235A3-1C3E-4802-9B5C-BAFBE69A3C85}" [null data]

SonicSCDataProject\
"Provider" = "RecordNow Data"
"InvokeProgID" = "Sonic.SonicCentral"
"InvokeVerb" = "DataGuide"
HKLM\SOFTWARE\Classes\Sonic.SonicCentral\shell\DataGuide\Command\(Default) = ""c:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe" /Launch Data" [null data]

SonicSCDataTask\
"Provider" = "RecordNow Data"
"InvokeProgID" = "Sonic.SonicCentral"
"InvokeVerb" = "DataTask"
HKLM\SOFTWARE\Classes\Sonic.SonicCentral\shell\DataTask\Command\(Default) = ""c:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe" /Launch {0BAC5C34-DF45-4C0F-8D64-8E92DCCF007D}" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 35
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{A057A204-BACC-4D26-9990-79A187E2698E}"
-> {HKLM...CLSID} = "AVG Security Toolbar"
\InProcServer32\(Default) = "C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL" ["AVG, Technologies CZ, s.r.o "]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{A057A204-BACC-4D26-9990-79A187E2698E}" = (no title provided)
-> {HKLM...CLSID} = "AVG Security Toolbar"
\InProcServer32\(Default) = "C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL" ["AVG, Technologies CZ, s.r.o "]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{E7A829CC-671F-4C3D-B590-8C0AEA72E6B2}\(Default) = "BitComet Button"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Apps\BitComet\tools\BitCometBHO_1.1.9.24.dll" ["BitComet"]

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"

{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\
"ButtonText" = "Create Mobile Favorite"
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {HKLM...CLSID} = "Create Mobile Favorite"
\InProcServer32\(Default) = "C:\PROGRA~1\MI3AA1~1\INetRepl.dll" [MS]

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\
"MenuText" = "Create Mobile Favorite..."
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {HKLM...CLSID} = "Create Mobile Favorite"
\InProcServer32\(Default) = "C:\PROGRA~1\MI3AA1~1\INetRepl.dll" [MS]

{461CC20B-FB6E-4F16-8FE8-C29359DB100E}\
"ButtonText" = "BitComet 资源搜索"

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\
"MenuText" = "Spybot - Search && Destroy Configuration"
"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\apps\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]


HOSTS file
----------

C:\WINDOWS\System32\drivers\etc\HOSTS

maps: 6 domain names to IP addresses,
5 of the IP addresses are *not* localhost!


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG8 E-mail Scanner, avg8emc, "C:\PROGRA~1\AVG\AVG8\avgemc.exe" ["AVG Technologies CZ, s.r.o."]
AVG8 WatchDog, avg8wd, "C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe" ["AVG Technologies CZ, s.r.o."]
Intel® PROSet/Wireless Registry Service, RegSrvc, "C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe" ["Intel Corporation"]
Norton Ghost, Norton Ghost, "C:\Program Files\Norton Ghost\Agent\VProSvc.exe" ["Symantec Corporation"]
SAVRoam, SavRoam, ""C:\Program Files\Symantec AntiVirus\SavRoam.exe"" ["symantec"]
Symantec AntiVirus, Symantec AntiVirus, ""C:\Program Files\Symantec AntiVirus\Rtvscan.exe"" ["Symantec Corporation"]
Symantec AntiVirus Definition Watcher, DefWatch, ""C:\Program Files\Symantec AntiVirus\DefWatch.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, ""C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe"" ["Symantec Corporation"]
SymSnapService, SymSnapService, ""C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe"" ["Symantec"]
VMware Authorization Service, VMAuthdService, ""C:\apps\VMware\VMware Workstation\vmware-authd.exe"" ["VMware, Inc."]
VMware DHCP Service, VMnetDHCP, "C:\WINDOWS\system32\vmnetdhcp.exe" ["VMware, Inc."]
VMware NAT Service, VMware NAT Service, "C:\WINDOWS\system32\vmnat.exe" ["VMware, Inc."]
VMware Virtual Mount Manager Extended, vmount2, ""C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe"" ["VMware, Inc."]


Keyboard Driver Filters:
------------------------

HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = <<!>> "vmkbd" ["VMware, Inc."]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
HP CLJ2600n LM\Driver = "ZLHP2600.DLL" ["Zenographics, Inc."]
HP Standard TCP/IP Port\Driver = "hptcpmon.dll" ["Hewlett Packard"]
LPR Port\Driver = "lprmon.dll" [MS]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


---------- (launch time: 2008-07-08 18:43:44)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 76 seconds.
---------- (total run time: 146 seconds)
  • 0

#4
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
If you no longer use Norton please do uninstall it as having 2 antivirus programs can cause some major probems for your system.
Uninstall it before proceeding.
======================
THis tool is required to run in Safe Mode.
If you still do not have a desktop in Safe Mode then do this.
Tap ctrl-Alt-delete keys on your keyboard all at once and it should bring up the Task manager.
If it does then you can go to the top where it says File then New task Run then type in this > explorer then hit ok.
Then proceed with the rest of the instructions.
================================
Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt back onto the forum with a HijackThis log (If it will run)

  • 0

#5
ccie

ccie

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
here are the SDfix report.txt and HJT hijackthis.log:



SDFix: Version 1.204
Run by pc03962 on 07/11/2008 Fri at 03:49 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\TEMP\3\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\DOCUME~1\PC0396~1.PCL\LOCALS~1\Temp\lprn32.exe.bat - Deleted
C:\DOCUME~1\PC0396~1.PCL\LOCALS~1\Temp\media.php.bat - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-11 04:06:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\apps\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:47,36,ff,91,87,c6,ff,7d,30,5f,f4,79,cb,11,de,0e,7b,7c,7c,1f,7f,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,11,ca,f7,7e,9e,af,cb,01,31,04,7a,52,8f,5d,f1,e4,b7,..
"khjeh"=hex:af,d5,ef,9c,05,7f,63,40,37,2e,6e,d4,74,ba,6e,46,92,0b,3a,10,81,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:36,99,22,a7,0a,e5,97,6e,74,88,52,72,2e,95,94,7a,d9,8b,03,cc,75,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:36,3e,75,7a,b4,f4,6d,71,d3,d6,53,a2,5d,b7,3f,50,58,b2,09,4c,a1,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:c9,07,0e,32,f0,be,d1,36,6d,e6,c0,60,bd,89,d3,87,e2,68,9c,30,c8,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
"khjeh"=hex:a7,70,6e,a1,47,43,21,26,5e,61,e9,df,2c,5f,e6,27,69,96,a9,c3,8e,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\apps\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:47,36,ff,91,87,c6,ff,7d,30,5f,f4,79,cb,11,de,0e,7b,7c,7c,1f,7f,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,11,ca,f7,7e,9e,af,cb,01,31,04,7a,52,8f,5d,f1,e4,b7,..
"khjeh"=hex:af,d5,ef,9c,05,7f,63,40,37,2e,6e,d4,74,ba,6e,46,92,0b,3a,10,81,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:80,cb,e0,06,bf,8f,97,35,c3,02,f1,38,c8,9d,57,8e,74,65,1b,6f,22,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:bd,af,ad,fb,0b,0f,d7,73,63,c6,54,33,64,ec,f1,62,8f,d6,69,64,c0,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:c9,07,0e,32,f0,be,d1,36,6d,e6,c0,60,bd,89,d3,87,e2,68,9c,30,c8,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
"khjeh"=hex:a7,70,6e,a1,47,43,21,26,5e,61,e9,df,2c,5f,e6,27,69,96,a9,c3,8e,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\apps\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:47,36,ff,91,87,c6,ff,7d,30,5f,f4,79,cb,11,de,0e,7b,7c,7c,1f,7f,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,11,ca,f7,7e,9e,af,cb,01,31,04,7a,52,8f,5d,f1,e4,b7,..
"khjeh"=hex:af,d5,ef,9c,05,7f,63,40,37,2e,6e,d4,74,ba,6e,46,92,0b,3a,10,81,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:36,99,22,a7,0a,e5,97,6e,74,88,52,72,2e,95,94,7a,d9,8b,03,cc,75,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:36,3e,75,7a,b4,f4,6d,71,d3,d6,53,a2,5d,b7,3f,50,58,b2,09,4c,a1,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:c9,07,0e,32,f0,be,d1,36,6d,e6,c0,60,bd,89,d3,87,e2,68,9c,30,c8,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
"khjeh"=hex:a7,70,6e,a1,47,43,21,26,5e,61,e9,df,2c,5f,e6,27,69,96,a9,c3,8e,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SUPER ]
"DisplayName"="SUPER ?Version 2008.bld.25 (Feb 5, 2008)"
"UninstallString"="C:\apps\ERIGHT~1\SUPER\Setup.exe /remove /q0"
"InstallDate"="2008-02-20 18:51:22"
"InstallLocation"="C:\apps\eRightSoft\SUPER"
"InstallSource"="C:\TEMP"
"DisplayIcon"="C:\apps\eRightSoft\SUPER\SUPER.exe"
"DisplayVersion"="Version 2008.bld.25 (Feb 5, 2008)"
"VersionMajor"=dword:00000000
"VersionMinor"=dword:00000000
"Publisher"="eRightSoft"
"HelpLink"="http://www.eRightSoft.com"
"URLInfoAbout"="http://www.eRightSoft.com"
"URLUpdateInfo"="http://www.eRightSoft.com"
"Contact"="[email protected]"

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Messenger"
"C:\\Team17\\Worms2\\Frontend.exe"="C:\\Team17\\Worms2\\Frontend.exe:*:Disabled:Worms 2 Frontend"
"C:\\Program Files\\Nortel Networks\\Extranet.exe"="C:\\Program Files\\Nortel Networks\\Extranet.exe:*:Enabled:Contivity VPN Client"
"C:\\Program Files\\Raize\\CS2\\Bin\\CSDispatcher.exe"="C:\\Program Files\\Raize\\CS2\\Bin\\CSDispatcher.exe:*:Enabled:CodeSite Dispatcher"
"C:\\Program Files\\Hummingbird\\Connectivity\\7.10\\Exceed\\exceed.exe"="C:\\Program Files\\Hummingbird\\Connectivity\\7.10\\Exceed\\exceed.exe:*:Enabled:X server for Win32"
"C:\\Program Files\\VERITAS\\NetBackup\\bin\\NBConsole.EXE"="C:\\Program Files\\VERITAS\\NetBackup\\bin\\NBConsole.EXE:*:Enabled:NBConsole"
"C:\\Program Files\\CommonTime\\mNotes\\Cadenza.exe"="C:\\Program Files\\CommonTime\\mNotes\\Cadenza.exe:*:Enabled:mNotes Server"
"C:\\hp_clj2600n_Printing_System\\SETUP.EXE"="C:\\hp_clj2600n_Printing_System\\SETUP.EXE:*:Enabled:Setup"
"C:\\Program Files\\websm\\_jvm\\bin\\java.exe"="C:\\Program Files\\websm\\_jvm\\bin\\java.exe:*:Enabled:Java launcher"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\WINDOWS\\system32\\ftp.exe"="C:\\WINDOWS\\system32\\ftp.exe:*:Enabled:File Transfer Program"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Program Files\\VoipStunt.com\\VoipStunt\\VoipStunt.exe"="C:\\Program Files\\VoipStunt.com\\VoipStunt\\VoipStunt.exe:*:Enabled:VoipStunt"
"C:\\Apps\\Gizmo5\\mDNSResponder.exe"="C:\\Apps\\Gizmo5\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Apps\\Gizmo5\\Gizmo5.exe"="C:\\Apps\\Gizmo5\\Gizmo5.exe:*:Enabled:Gizmo5"
"C:\\Apps\\TurboTax\\Premier 2007\\32bit\\ttax.exe"="C:\\Apps\\TurboTax\\Premier 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Apps\\TurboTax\\Premier 2007\\32bit\\updatemgr.exe"="C:\\Apps\\TurboTax\\Premier 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Apps\\TurboTax\\Business 2007\\32bit\\ttax.exe"="C:\\Apps\\TurboTax\\Business 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Apps\\TurboTax\\Business 2007\\32bit\\updatemgr.exe"="C:\\Apps\\TurboTax\\Business 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\apps\\uusee\\UUSeePlayer.exe"="C:\\Apps\\uusee\\UUSeePlayer.exe:*:Enabled:UUPlayer"
"C:\\Program Files\\1stWORKS\\hotCommCL\\BIN\\HotComm.exe"="C:\\Program Files\\1stWORKS\\hotCommCL\\BIN\\HotComm.exe:*:Enabled:hotComm CL"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"="C:\\Program Files\\AVG\\AVG8\\avgnsx.exe:*:Enabled:avgnsx.exe"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"="C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Program Files\\VoipStunt.com\\VoipStunt\\VoipStunt.exe"="C:\\Program Files\\VoipStunt.com\\VoipStunt\\VoipStunt.exe:*:Enabled:VoipStunt"
"C:\\Program Files\\1E\\SMSWakeUp50\\SMSWUagent.exe"="C:\\Program Files\\1E\\SMSWakeUp50\\SMSWUagent.exe:*:Enabled:SMSWakeUp Agent"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:bittorrent"
"C:\\WINDOWS\\system32\\ftp.exe"="C:\\WINDOWS\\system32\\ftp.exe:*:Enabled:File Transfer Program"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\1stWORKS\\hotCommCL\\BIN\\HotComm.exe"="C:\\Program Files\\1stWORKS\\hotCommCL\\BIN\\HotComm.exe:*:Enabled:hotComm CL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\spoolsv.exe"="C:\\WINDOWS\\system32\\spoolsv.exe:*:Enabled:HP Networked Printer Installer"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\TEMP\3\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 9 Feb 2008 43,616 ...H. --- "C:\j2 Messenger 4.2\J2GPlus.exe-BarState"
Thu 9 Aug 2007 24 ..SH. --- "C:\WINDOWS\S6EED9CA6.tmp"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Apps\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Apps\Spybot - Search & Destroy\SpybotSD.exe"
Tue 1 Jul 2008 43,650 ...H. --- "C:\Program Files\j2 Messenger 4.2\J2GPlus.exe-BarState"
Wed 3 May 2006 163,328 A.SH. --- "C:\WINDOWS\system32\flvDX.dll"
Wed 21 Feb 2007 31,232 A.SH. --- "C:\WINDOWS\system32\msfDX.dll"
Mon 17 Dec 2007 27,648 A.SH. --- "C:\WINDOWS\system32\Smab0.dll"
Mon 4 Feb 2008 151,040 A.SH. --- "C:\WINDOWS\system32\VistaUltm.dll"
Sun 26 Jun 2005 616,448 ..SHR --- "C:\Apps\eRightSoft\SUPER\cygwin1.dll"
Tue 21 Jun 2005 45,568 ..SHR --- "C:\Apps\eRightSoft\SUPER\cygz.dll"
Wed 20 Feb 2008 72,704 ..SHR --- "C:\Apps\eRightSoft\SUPER\Setup.exe"
Tue 5 Jun 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 16 Oct 2006 14,848 ...H. --- "C:\Program Files\Brocade\SAN Health Professional\Interop.WODCRYPTCOMLib.dll"
Wed 8 Aug 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Sat 28 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0c909c63b4fa217757574b9dcdd658c3\BIT5.tmp"
Sat 28 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\7779524ce1b472c62f1b0f1a192676ad\BIT6.tmp"
Sat 28 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\9664ff6405d9e0e32778ca8618d4be26\BIT4.tmp"
Sat 28 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\97de84be36b27af6e66a0586433cda52\BIT2.tmp"
Sat 28 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\9ec3943a72ea4aa7fb7b808e2b7554c8\BIT3.tmp"
Sat 28 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b04031f0b83ee952189dd8beb4ee929a\BIT1.tmp"
Wed 9 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b5ceb6274f4d7fd206d6adab3df8e834\BIT4.tmp"
Sat 28 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cb1cc7c8ed3868a5a32ffb677fe0fde8\BIT7.tmp"
Fri 27 Jun 2008 2,013 A.SH. --- "C:\Documents and Settings\pc03962.PRINCESSCRUISES\Application Data\Roxio\Dragon\DiscInfoCache\HL-DT-ST_RW_DVD_GCC-4246N_0X05_300_DICV016_DRGV200A2.TMP"

Finished!




================================================================================
=========




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:42:47 AM, on 7/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\apps\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\ntvdm.exe

O1 - Hosts: 172.29.5.89 phmc1.princesscruises.poprincess.com phmc1
O1 - Hosts: 172.29.52.115 drhmc1.princesscruises.poprincess.com drhmc1
O1 - Hosts: 172.29.52.109 drbrocade1
O1 - Hosts: 172.29.52.110 drbrocade2
O1 - Hosts: 172.29.52.111 drbrocade3
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [vmware-tray] C:\apps\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [SDFix] C:\TEMP\3\SDFix\RunThis.bat /second
O4 - HKLM\..\RunOnce: [SDFix] C:\TEMP\3\SDFix\RunThis.bat /second
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [configmsi] cmd /c "rmdir /q C:\config.msi" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [supportdir] cmd /c "rmdir /q /s "C:\WINDOWS\TEMP\{48227AEB-DC8E-4A90-A274-0B4A39D699B1}"" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [configmsi] cmd /c "rmdir /q C:\config.msi" (User 'Default user')
O4 - Startup: PowerWord 2002.lnk = %SystemDrive%\apps\Kingsoft\XDict\xdict.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Apps\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Apps\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Apps\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: 使用UUSee下载 - C:\apps\uusee\geturltodown.htm
O8 - Extra context menu item: 使用UUSee加速播放 - C:\apps\uusee\geturltoplay.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com (HKLM)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/us/sec...nfo/webscan.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} -
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...334/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = princesscruises.poprincess.com
O17 - HKLM\Software\..\Telephony: DomainName = princesscruises.poprincess.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = princesscruises.poprincess.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = princesscruises.poprincess.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = princesscruises.poprincess.com
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\apps\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\apps\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\apps\Gizmo5\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FreeSSHDService - Unknown owner - C:\apps\freeSSHd\FreeSSHDService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymSnapService - Symantec - C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
O23 - Service: VMware Converter Service (ufad-p2v) - VMware, Inc. - C:\APPs\VMware\VMware Converter\vmware-ufad.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\apps\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\apps\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 8185 bytes
  • 0

#6
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
==============================================
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#7
ccie

ccie

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, July 12, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, July 12, 2008 19:40:49
Records in database: 945956

Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\
E:\
F:\

Scan statistics
Files scanned 231463
Threat name 7
Infected objects 74
Suspicious objects 2
Duration of the scan 06:15:53

File name Threat name Threats count


C:\Apps\UBCD4Win\plugin\Network\ultravnc\files\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 1

C:\Apps\UBCD4Win\plugin\Network\VNCServer\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 1

C:\Apps\UBCD4Win\plugin\Network\VNCServer\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1

C:\Apps\UBCD4Win\plugin\Network\VNCServer\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1

C:\Apps\UBCD4Win\plugin\Network\VNCServer\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1

C:\Apps\UBCD4Win\plugin\Password\passwordspro\files\PasswordsPro.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1

C:\minint\SYSTEM32\WM_HOOKS.DLL Infected: not-a-virus:PSWTool.Win32.PasswordsPro.k 1

C:\programs\PassPro\PasswordsPro.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1

C:\programs\ultravnc\vnchooks.dll Infected: not-a-virus:PSWTool.Win32.PasswordsPro.k 1

C:\programs\ultravnc\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 1

C:\programs\vncserver\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 1

C:\programs\vncserver\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1

C:\RECYCLER\S-1-5-21-1757981266-764733703-839522115-500\Dc4\1.r2.gz Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1

C:\TEMP\1\plugin\Network\ultravnc\files\vnchooks.dll Suspicious: Exploit.HTML.Iframe.FileDownload 2

C:\TEMP\1\plugin\Network\ultravnc\files\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 1

C:\TEMP\1\plugin\Network\VNCServer\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 1

C:\TEMP\1\plugin\Network\VNCServer\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1

C:\TEMP\1\plugin\Network\VNCServer\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1

C:\TEMP\1\plugin\Network\VNCServer\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1

C:\TEMP\1\plugin\Password\passwordspro\files\PasswordsPro.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1

C:\TEMP\2\plugin\Network\ultravnc\files\vnchooks.dll Infected: not-a-virus:PSWTool.Win32.PasswordsPro.k 1

C:\TEMP\2\plugin\Network\ultravnc\files\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 1

C:\TEMP\2\plugin\Network\VNCServer\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 1

C:\TEMP\2\plugin\Network\VNCServer\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1

C:\TEMP\2\plugin\Network\VNCServer\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1

C:\TEMP\2\plugin\Network\VNCServer\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1

C:\TEMP\2\plugin\Password\passwordspro\files\PasswordsPro.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1

C:\TEMP\mbam-setup.exe Infected: not-a-virus:PSWTool.Win32.PasswordsPro.k 1

C:\TEMP\Screensavers\airviews-of-earth-1.zip Infected: not-a-virus:FraudTool.Win32.SpyNoMore.g 1

C:\TEMP\Screensavers\airviews-of-earth-2.zip Infected: Trojan.BAT.StartPage.ab 1

C:\TEMP\Screensavers\australia-1.zip Infected: Trojan.BAT.StartPage.ab 1

C:\TEMP\Screensavers\australia-2.zip Infected: Trojan.BAT.StartPage.ab 1

C:\TEMP\Screensavers\california-1.zip Infected: Trojan.BAT.StartPage.ab 1

C:\TEMP\Screensavers\california-2.zip Infected: Trojan.BAT.StartPage.ab 1

C:\TEMP\Screensavers\canada-1\setup.exe Infected: Trojan.BAT.StartPage.ab 1

C:\TEMP\Screensavers\canada-1.zip Infected: Trojan.BAT.StartPage.ab 1

C:\TEMP\Screensavers\canada-2.zip Infected: Trojan.BAT.StartPage.ab 1

C:\TEMP\Screensavers\caribbean.zip Infected: Trojan.BAT.StartPage.ab 1

C:\TEMP\Screensavers\city-night-scenes-1.zip Infected: Trojan.BAT.StartPage.ab 1

C:\TEMP\Screensavers\city-night-scenes-2.zip Infected: Trojan.BAT.StartPage.ab 1

C:\TEMP\Screensavers\england-1.zip Infected: Trojan.BAT.StartPage.ab 1

C:\TEMP\Screensavers\england-2.zip Infected: Trojan.BAT.StartPage.ab 1

C:\TEMP\Screensavers\england-3.zip Infected: Trojan.BAT.StartPage.ab 1

C:\TEMP\Screensavers\italy-1.zip Infected: Trojan.BAT.StartPage.ab 1

C:\TEMP\Screensavers\italy-2.zip Infected: Trojan.BAT.StartPage.ab 1

C:\TEMP\Screensavers\italy-3.zip Infected: Trojan.BAT.StartPage.ab 1

C:\TEMP\Screensavers\japan-1\setup.exe Infected: Trojan.BAT.StartPage.ab 1

C:\TEMP\Screensavers\japan-1.zip Infected: Trojan.BAT.StartPage.ab 1

C:\TEMP\Screensavers\japan-2\setup.exe Infected: Trojan.BAT.StartPage.ab 1

C:\TEMP\Screensavers\japan-2.zip Infected: Trojan.BAT.StartPage.ab 1

C:\TEMP\Screensavers\lakes-1.zip Infected: Trojan.BAT.StartPage.ab 1

C:\TEMP\Screensavers\lakes-2.zip Infected: Trojan.BAT.StartPage.ab 1

C:\TEMP\Screensavers\lakes-3.zip Infected: Trojan.BAT.StartPage.ab 1

C:\TEMP\Screensavers\majestic-nature.zip Infected: Trojan.BAT.StartPage.ab 1

C:\TEMP\Screensavers\mexico\setup.exe Infected: Trojan.BAT.StartPage.ab 1

C:\TEMP\Screensavers\mexico.zip Infected: Trojan.BAT.StartPage.ab 1

C:\TEMP\Screensavers\new-york-1.zip Infected: Trojan.BAT.StartPage.ab 1

C:\TEMP\Screensavers\new-york-2.zip Infected: Trojan.BAT.StartPage.ab 1

C:\TEMP\Screensavers\ocean-waves.zip Infected: Trojan.BAT.StartPage.ab 1

C:\TEMP\Screensavers\rainbows.zip Infected: Trojan.BAT.StartPage.ab 1

C:\TEMP\Screensavers\rocks.zip Infected: Trojan.BAT.StartPage.ab 1

C:\TEMP\Screensavers\space-1\setup.exe Infected: Trojan.BAT.StartPage.ab 1

C:\TEMP\Screensavers\space-1.zip Infected: Trojan.BAT.StartPage.ab 1

C:\TEMP\Screensavers\space-2.zip Infected: Trojan.BAT.StartPage.ab 1

C:\TEMP\Screensavers\spain-1.zip Infected: Trojan.BAT.StartPage.ab 1

C:\TEMP\Screensavers\sunrises-1.zip Infected: Trojan.BAT.StartPage.ab 1

C:\TEMP\Screensavers\sunrises-2.zip Infected: Trojan.BAT.StartPage.ab 1

C:\TEMP\Screensavers\trees-1.zip Infected: Trojan.BAT.StartPage.ab 1

C:\TEMP\Screensavers\trees-2.zip Infected: Trojan.BAT.StartPage.ab 1

C:\TEMP\Screensavers\world-travel-1.zip Infected: Trojan.BAT.StartPage.ab 1

C:\TEMP\Screensavers\world-travel-2.zip Infected: Trojan.BAT.StartPage.ab 1

C:\TEMP\Screensavers\world-travel-3.zip Infected: Trojan.BAT.StartPage.ab 1

C:\TEMP\Screensavers\yellowstone.zip Infected: Trojan.BAT.StartPage.ab 1

The selected area was scanned. Infected: Trojan.BAT.StartPage.ab 1
  • 0

#8
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
DO you use Win VNC?
Also are you familiar with the program passwordspro?

PLease delete these files\folders:
C:\TEMP\mbam-setup.exe
C:\TEMP\Screensavers
========================
PLease post a new Hijackthis log.
  • 0

#9
ccie

ccie

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
yes, I do use WinVNC for remote desktop tasks.
the passwordspro program is just part of the ultimate boot cd utilities on the c: drive.

here's a new hjt log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:28:40 AM, on 7/13/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\APPs\VMware\VMware Converter\vmware-ufad.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\apps\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
C:\Apps\VMware\VMware Workstation\vmware-tray.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\apps\Kingsoft\XDict\xdict.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Apps\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\conime.exe
C:\apps\FlashGet\FlashGet.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Apps\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\DfrgNtfs.exe
C:\Apps\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\apps\FlashGet\jccatch.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Apps\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\apps\FlashGet\getflash.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [vmware-tray] C:\Apps\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [configmsi] cmd /c "rmdir /q C:\config.msi" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [supportdir] cmd /c "rmdir /q /s "C:\WINDOWS\TEMP\{48227AEB-DC8E-4A90-A274-0B4A39D699B1}"" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [configmsi] cmd /c "rmdir /q C:\config.msi" (User 'Default user')
O4 - Startup: PowerWord 2002.lnk = %SystemDrive%\apps\Kingsoft\XDict\xdict.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Apps\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Apps\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Apps\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download All with FlashGet - C:\apps\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\apps\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: 使用UUSee下载 - C:\apps\uusee\geturltodown.htm
O8 - Extra context menu item: 使用UUSee加速播放 - C:\apps\uusee\geturltoplay.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Apps\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: ?́3μ - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\apps\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: ?́3μ(FlashGet) - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\apps\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com (HKLM)
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} -
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...334/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = princesscruises.poprincess.com
O17 - HKLM\Software\..\Telephony: DomainName = princesscruises.poprincess.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = princesscruises.poprincess.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = princesscruises.poprincess.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = princesscruises.poprincess.com
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\apps\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\apps\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\apps\Gizmo5\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FreeSSHDService - Unknown owner - C:\apps\freeSSHd\FreeSSHDService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymSnapService - Symantec - C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
O23 - Service: VMware Converter Service (ufad-p2v) - VMware, Inc. - C:\APPs\VMware\VMware Converter\vmware-ufad.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\apps\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\apps\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 9384 bytes
  • 0

#10
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Go ahead and uninstall any Norton product that you see unless it is ghost but uninstall the Anti-Virus by Norton.
If it is not listed then go here > http://service1.syma...005033108162039 to download\run their uninstaller.
This may remove Ghost I am not sure but read the documentation before proceeding.
==================
After that please re-open Hijackthis and click on "Do a system scan only"
Then place a check mark next to these entries below:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)


Now click on Fix Checked and then close Hijackthis.
====================================
Please delete anything we have used including C:\SDFix folder.

System Restore
Then I will need you to reset your System Restore points.
The link below shows how to create a clean restore point.
How to Turn On and Turn Off System Restore in Windows XP
http://support.micro...kb/310405/en-us
=====================================
After that your log is clean. :)

The following is a list of tools and utilities that I like to suggest to people.
You do not have to have all or any of them they are only suggestions.
This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

Spybot Search & Destroy-Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

Spyware Blaster - Great prevention tool to keep nasties from installing on your system.

Spywareguard-Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

IE-SPYAD- puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Tony Klein article To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP