
HijackThis log... [RESOLVED]


  • This topic is locked

#16 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
Now we are getting somewhere. In this post I want to remove one item of malware I can see, fix that start page and scan 3 suspicious-looking files.


====STEP 1====
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nextpimp.com/?rtp

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.




====STEP 2====
1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\AHjknnpo.ini

Suspect::
C:\WINDOWS\system32\1FAE532A1C.sys
C:\WINDOWS\system32\ceaaeefdfa1_g.dll
C:\WINDOWS\system32\eaedbaccbb0_r.dll


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[Posted Image: animation showing CFScript.txt being dragged onto ComboFix.exe]


5. After reboot (if it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
====STEP 3====
Jotti File Submission:

Please go to Jotti's malware scan.
Copy and paste the following file path into the "File to upload & scan" box at the top of the page:
C:\WINDOWS\system32\1FAE532A1C.sys

Click on the submit button

Please also do the same with the following three files:
C:\WINDOWS\system32\ceaaeefdfa1_g.dll
C:\WINDOWS\system32\eaedbaccbb0_r.dll
C:\WINDOWS\system32\winlogon.exe


Please post the results of the scan in your next reply.

If Jotti is busy, try the same at VirusTotal.



In your next reply could I see:
1. the combofix log
2. a new hijackthis log
3. the 4 jotti logs

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk

Edited by andrewuk, 27 July 2008 - 03:30 PM.

  • 0



#17 blind_stone (Topic Starter, Member, 23 posts)
After running ComboFix, I'm supposed to tell you I submitted a file to Bleeping Computer... This is what I sent, though I don't think that helps you?: C:\Documents and Settings\Justin\Desktop.\[4][email protected]

-----------------------------------------------------------------------------



ComboFix 08-07-27.2 - Justin 2008-07-27 17:05:04.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2566 [GMT -5:00]
Running from: C:\Documents and Settings\Justin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Justin\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\AHjknnpo.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\AHjknnpo.ini

.
((((((((((((((((((((((((( Files Created from 2008-06-27 to 2008-07-27 )))))))))))))))))))))))))))))))
.

2008-07-27 15:26 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-27 15:25 . 2008-07-27 15:26 <DIR> d-------- C:\Program Files\Java
2008-07-27 15:25 . 2008-07-27 15:25 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-27 00:42 . 2008-07-27 00:42 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-07-27 00:42 . 2008-07-27 00:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-26 20:09 . 2008-07-26 20:09 250 --a------ C:\WINDOWS\gmer.ini
2008-07-26 17:03 . 2008-07-26 17:03 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-26 17:03 . 2008-07-26 17:03 <DIR> d-------- C:\Documents and Settings\Justin\Application Data\SUPERAntiSpyware.com
2008-07-26 17:03 . 2008-07-26 17:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-26 01:08 . 2008-07-26 01:08 <DIR> d-------- C:\Deckard
2008-07-26 00:50 . 2008-07-26 00:50 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-26 00:50 . 2008-07-26 00:50 <DIR> d-------- C:\Documents and Settings\Justin\Application Data\Malwarebytes
2008-07-26 00:50 . 2008-07-26 00:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-26 00:50 . 2008-07-23 20:09 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-26 00:50 . 2008-07-23 20:09 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-26 00:15 . 2008-07-26 00:15 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-07-25 23:57 . 2008-07-25 23:57 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-07-25 23:49 . 2008-07-27 00:01 <DIR> d-------- C:\VundoFix Backups
2008-07-25 23:38 . 2008-07-25 23:38 <DIR> d-------- C:\_OTMoveIt
2008-07-24 21:25 . 2008-07-24 21:25 <DIR> d-------- C:\Documents and Settings\Justin\Application Data\MailFrontier
2008-07-24 21:21 . 2008-07-24 21:21 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-07-24 21:21 . 2008-07-25 23:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-07-24 21:21 . 2008-07-09 09:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-07-24 21:20 . 2008-07-24 21:20 <DIR> d-------- C:\Program Files\Zone Labs
2008-07-24 21:18 . 2008-07-24 21:18 <DIR> d-------- C:\Documents and Settings\Justin\Application Data\Media Player Classic
2008-07-24 19:01 . 2008-07-26 19:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-07-24 18:21 . 2008-07-24 18:21 <DIR> d-------- C:\Documents and Settings\Justin\DoctorWeb
2008-07-24 17:49 . 2008-04-28 12:29 805,400 -ra------ C:\WINDOWS\system32\tmpB.tmp
2008-07-24 17:47 . 2008-04-28 12:29 805,400 -ra------ C:\WINDOWS\system32\tmp5.tmp
2008-07-24 17:47 . 2008-04-28 12:29 805,400 -ra------ C:\WINDOWS\system32\tmp4.tmp
2008-07-24 17:44 . 2008-07-24 17:44 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-23 21:41 . 2008-07-23 21:41 <DIR> d-------- C:\Program Files\Alwil Software
2008-07-03 17:45 . 2008-07-03 17:45 <DIR> d-------- C:\Documents and Settings\Justin\Application Data\Ubisoft
2008-07-02 07:46 . 2008-07-02 07:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ubisoft
2008-07-01 23:11 . 2008-07-01 23:11 <DIR> d-------- C:\Program Files\Ubisoft
2008-06-29 12:23 . 2008-06-29 13:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NexonUS
2008-06-28 22:05 . 2008-07-20 22:36 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-06-28 22:05 . 2008-07-20 22:41 <DIR> d-------- C:\Program Files\Avi2Dvd

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-27 20:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-07-27 20:41 65,060 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-27 20:41 5,811,488 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-27 15:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-07-26 22:03 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-26 15:03 --------- d-----w C:\Program Files\EVGA Precision
2008-07-26 05:33 1,397,760 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-07-25 01:49 --------- d-----w C:\Documents and Settings\Justin\Application Data\AVG7
2008-07-24 22:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-24 22:34 --------- d-----w C:\Documents and Settings\Justin\Application Data\AdobeUM
2008-07-23 22:34 --------- d-----w C:\Documents and Settings\Justin\Application Data\U3
2008-07-22 03:39 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-09 14:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2008-07-08 03:53 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2008-07-06 03:29 --------- d-----w C:\Program Files\Steam
2008-06-21 01:45 --------- d-----w C:\Documents and Settings\Justin\Application Data\Bioshock
2008-06-20 04:52 --------- d--h--w C:\Program Files\eMule
2008-06-20 03:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Codemasters
2008-06-13 03:04 --------- d-----w C:\Program Files\LucasArts
2008-06-10 03:40 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-06-10 03:38 444,952 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-06-10 03:38 109,080 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-06-10 03:38 --------- d-----w C:\Program Files\OpenAL
2008-06-02 22:30 --------- d-----w C:\Program Files\Electronic Arts
2008-06-02 22:30 --------- d-----w C:\Program Files\AGEIA Technologies
2008-05-21 23:59 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-04-28 17:29 805,400 ----a-r C:\WINDOWS\system32\tmp5F.tmp
2008-03-23 22:08 22,328 ----a-w C:\Documents and Settings\Justin\Application Data\PnkBstrK.sys
2007-04-24 05:49 2,027,029 ----a-w C:\WINDOWS\inf\Rar.exe
2005-09-03 21:50 56 --sha-r C:\WINDOWS\system32\1FAE532A1C.sys
2007-06-21 05:10 5 --sha-w C:\WINDOWS\system32\ceaaeefdfa1_g.dll
2007-06-21 05:18 23 --sha-w C:\WINDOWS\system32\eaedbaccbb0_r.dll
2005-09-03 21:50 2,516 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-05-11 05:25 49,440 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
.

------- Sigcheck -------

2007-04-07 10:04 503808 a65c0f33bfb77e85f16a171f41e9165a C:\WINDOWS\system32\winlogon.exe
2004-08-04 05:00 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\dllcache\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 08:50 139264]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 20:12 221184]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-29 02:44 579072]
"CTSysVol"="C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 10:43 57344]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-29 02:44 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk.disabled [2007-01-07 18:38:46 1808]
HP Image Zone Fast Start.lnk.disabled [2007-01-07 18:40:21 798]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)
"NoSMHelp"= 01000000
"NoLogoff"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2007-12-14 01:10 229376 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-01-08 01:38 1266936 c:\Program Files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PnkBstrA"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" /startup
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
"DMXLauncher"=C:\Program Files\Dell\Media Experience\DMXLauncher.exe
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"UpdReg"=C:\WINDOWS\UpdReg.EXE
"mm_server"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_server.exe"
"nwiz"=nwiz.exe /install
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
"PhilipsRemote"="C:\Program Files\Musicmatch\Musicmatch Jukebox\PhilipsRemote.exe"
"MimBoot"=C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
"HPHUPD08"=C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
"MSConfig"=C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
"UserFaultCheck"=%systemroot%\system32\dumprep 0 -u
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\DAP\\DAP.exe"=
"C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\eMule\\em.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XI\\RpcSandraSrv.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XI\\Win32\\RpcDataSrv.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"C:\\Program Files\\Electronic Arts\\Medal of Honor Airborne\\UnrealEngine3\\Binaries\\MOHA.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"C:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
"C:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
"C:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13360:TCP"= 13360:TCP:BitComet 13360 TCP
"13360:UDP"= 13360:UDP:BitComet 13360 UDP
"13038:TCP"= 13038:TCP:BitComet 13038 TCP
"13038:UDP"= 13038:UDP:BitComet 13038 UDP

R2 PStrip;PStrip;C:\WINDOWS\system32\drivers\pstrip.sys [2006-09-30 04:35]
S3 ggflt;SEMC USB Flash Driver Filter;C:\WINDOWS\system32\DRIVERS\ggflt.sys [2008-03-30 01:00]
.
Contents of the 'Scheduled Tasks' folder
2008-07-27 C:\WINDOWS\Tasks\User_Feed_Synchronization-{743C1170-7DBC-43BA-A4D3-84FD6221DAC9}.job - C:\Program Files\Internet Explorer??Justin?"Updates out-of-date system feeds.??? []
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-27 17:07:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-27 17:08:15
ComboFix-quarantined-files.txt 2008-07-27 22:08:05
ComboFix2.txt 2008-07-27 20:46:36

Pre-Run: 23,752,515,584 bytes free
Post-Run: 23,742,693,376 bytes free

209

------------------------------------------------------

Jotti's malware scan


File: 1FAE532A1C.sys
Status: OK
MD5: 880dc3c74c049398f81c8bcddee7c57a
Packers detected: -

Scanner results
Scan taken on 27 Jul 2008 22:26:24 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

---------------------------------------



File: ceaaeefdfa1_g.dll
Status: OK
MD5: 1c8232546340e88c88936ad8428a2f7c
Packers detected: -

Scanner results
Scan taken on 27 Jul 2008 22:28:11 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
-----------------------------------------------

File: eaedbaccbb0_r.dll
Status: OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 44d8dc0ccffb46d832c08ea991a03132
Packers detected: -

Scanner results
Scan taken on 27 Jul 2008 22:29:47 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

------------------------------------------------------------

File: winlogon.exe
Status: POSSIBLY INFECTED/MALWARE (Note: this file was only classified as malware by scanners known to generate more false positives than the average scanner. Do not consider these results definately accurate. Also, because of this, results of this scan will not be recorded in the database.)
MD5: a65c0f33bfb77e85f16a171f41e9165a
Packers detected: -

Scanner results
Scan taken on 27 Jul 2008 22:33:34 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found Trojan.Win32.Patched.g
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
-----------------------------------------------
  • 0

#18 blind_stone (Topic Starter, Member, 23 posts)
HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:38:34 PM, on 7/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: HP Image Zone Fast Start.lnk.disabled
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {38F5F92F-BD40-40DF-A569-6C1FCB638190} (InSPECS3_0 Control) - http://www.powerleap.../InSPECS3_0.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PunkBuster (PnkBstrA) - Unknown owner - C:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI\RpcSandraSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7620 bytes
  • 0

#19 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)

> After running ComboFix, I'm supposed to tell you I submitted a file to Bleeping Computer... This is what I sent, though I don't think that helps you?: C:\Documents and Settings\Justin\Desktop.\[4][email protected]

No problem, it was those suspicious files we gathered.

Looks like C:\WINDOWS\system32\winlogon.exe may have a patched infection on it. So in this post we will run another scan and then pull down a full DSS log to see where we stand, which, hopefully, will be almost at the end of this fix.


====STEP 1====
Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
====STEP 2====
Please run dss.exe again, but use these instructions:

Click Start>Select 'Run' - then copy/paste the following text into the run box & click OK

"%userprofile%\desktop\dss.exe" /config
  • Click 'Run'
  • In the ensuing dialog box, uncheck 'Backing up Registry Hives'
  • Click Scan!
When finished, it shall produce main.txt and extra.txt for you.



In your next reply could I see:
1. the Dr.Web CureIt log
2. the 2 DSS logs

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
  • 0
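The "patched winlogon.exe" conclusion in the post above rests on two pieces of evidence posted earlier in this thread: the ComboFix Sigcheck block, where the live C:\WINDOWS\system32\winlogon.exe has a different MD5 and size from the copy in dllcache, and the Jotti result where only one scanner (one Jotti itself notes as false-positive-prone) flagged it. The following Python script is an added example, not a tool from this thread and not part of ComboFix, HijackThis or Jotti: it parses both formats from lines copied from the logs above and applies that reasoning, flagging a system file whose hash no longer matches its dllcache copy and labelling the verdict low-confidence when only a single scanner fired. All function and variable names are my own.

```python
"""Parse a ComboFix "Sigcheck" block and a Jotti scanner-results block and
flag a Windows system file whose hash no longer matches its dllcache copy.
Added example for this thread; not part of ComboFix, HijackThis or Jotti."""
import re
from collections import defaultdict

# Sample copied from the ComboFix log posted above: date time size md5 path.
SIGCHECK_SAMPLE = """\
2007-04-07 10:04 503808 a65c0f33bfb77e85f16a171f41e9165a C:\\WINDOWS\\system32\\winlogon.exe
2004-08-04 05:00 502272 01c3346c241652f43aed8e2149881bfe C:\\WINDOWS\\system32\\dllcache\\winlogon.exe
"""

# Sample copied (shortened) from the Jotti result for winlogon.exe posted above.
JOTTI_SAMPLE = """\
File: winlogon.exe
Status: POSSIBLY INFECTED/MALWARE
MD5: a65c0f33bfb77e85f16a171f41e9165a
Packers detected: -

Scanner results
Scan taken on 27 Jul 2008 22:33:34 (GMT)
A-Squared Found nothing
Dr.Web Found nothing
Ikarus Found Trojan.Win32.Patched.g
Kaspersky Anti-Virus Found nothing
Norman Virus Control Found nothing
"""

SIGCHECK_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) (?P<size>\d+) "
    r"(?P<md5>[0-9a-f]{32}) (?P<path>.+)$"
)


def parse_sigcheck(text):
    """Return one dict per Sigcheck line (date, time, size, md5, path); other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entries.append(entry)
    return entries


def find_dllcache_mismatches(entries):
    """Pair each live file with the copy under ...\\dllcache\\ by basename (case-insensitive)
    and return (basename, live_md5, cache_md5) for every pair whose MD5 or size differs."""
    by_name = defaultdict(dict)
    for entry in entries:
        path = entry["path"].lower()
        basename = path.rsplit("\\", 1)[-1]
        kind = "cache" if "\\dllcache\\" in path else "live"
        by_name[basename][kind] = entry
    mismatches = []
    for basename, pair in sorted(by_name.items()):
        if "live" in pair and "cache" in pair:
            live, cache = pair["live"], pair["cache"]
            if live["md5"] != cache["md5"] or live["size"] != cache["size"]:
                mismatches.append((basename, live["md5"], cache["md5"]))
    return mismatches


def parse_jotti(text):
    """Return (md5, {scanner: verdict}) from a Jotti block; 'Found nothing' becomes None."""
    md5, verdicts, in_results = None, {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("MD5:"):
            md5 = line.split(":", 1)[1].strip().lower()
        elif line == "Scanner results":
            in_results = True
        elif in_results and " Found " in line:
            scanner, verdict = line.split(" Found ", 1)
            verdicts[scanner] = None if verdict == "nothing" else verdict
    return md5, verdicts


def assess(sigcheck_text, jotti_text):
    """Combine both sources: for each dllcache mismatch whose live MD5 is the file Jotti
    scanned, report the scanner hits and a confidence label ('low' when at most one fired)."""
    mismatches = find_dllcache_mismatches(parse_sigcheck(sigcheck_text))
    md5, verdicts = parse_jotti(jotti_text)
    hits = {s: v for s, v in verdicts.items() if v}
    report = []
    for basename, live_md5, cache_md5 in mismatches:
        scanned = live_md5 == md5
        confidence = ("low" if len(hits) <= 1 else "high") if scanned else "unscanned"
        report.append({"file": basename, "live_md5": live_md5, "cache_md5": cache_md5,
                       "hits": hits if scanned else {}, "confidence": confidence})
    return report


if __name__ == "__main__":
    for row in assess(SIGCHECK_SAMPLE, JOTTI_SAMPLE):
        print(f"{row['file']}: live {row['live_md5']} != dllcache {row['cache_md5']}; "
              f"{len(row['hits'])} scanner hit(s) {row['hits']} -> confidence {row['confidence']}")
```

On the sample above the script reports winlogon.exe as a dllcache mismatch with a single Ikarus hit and confidence "low", which is exactly why the helper asks for a further scan rather than treating the Jotti verdict as settled. A hash mismatch against dllcache is a strong indicator on its own on Windows XP, since Windows File Protection keeps that copy in sync with the live file; a lone scanner hit is not.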

#20 blind_stone (Topic Starter, Member, 23 posts)
Dr.Web CureIt log:

RegUBP2b-Justin.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots;Trojan.StartPage.1505;Deleted.;
ComboFix.exe\327882R2FWJFW\psexec.cfexe;C:\Documents and Settings\Justin\Desktop\ComboFix.exe;Program.PsExec.171;;
ComboFix.exe;C:\Documents and Settings\Justin\Desktop;Archive contains infected objects;Moved.;
A0301057.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1182;Tool.Reboot;;
A0301659.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1185;Tool.ShowPass;;
A0313400.EXE;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1196;Program.PsExec.170;;
A0313541.reg;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1197;Trojan.StartPage.1505;Deleted.;
A0313542.exe\327882R2FWJFW\psexec.cfexe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1197\A0313542.exe;Program.PsExec.171;;
A0313542.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1197;Archive contains infected objects;Moved.;
data019\data044;I:\Antivirus Stuffs\72508\avinstall.exe\data019;Probably SCRIPT.BATCH.IRC.WORM.Virus;;
data019\data132;I:\Antivirus Stuffs\72508\avinstall.exe\data019;Probably SCRIPT.BATCH.Virus;;
data019;I:\Antivirus Stuffs\72508\avinstall.exe;Archive contains infected objects;;
avinstall.exe;I:\Antivirus Stuffs\72508;Archive contains infected objects;Moved.;
data041\data044;I:\Antivirus Stuffs\72508\tfinstall.exe\data041;Probably SCRIPT.BATCH.IRC.WORM.Virus;;
data041\data132;I:\Antivirus Stuffs\72508\tfinstall.exe\data041;Probably SCRIPT.BATCH.Virus;;
data041;I:\Antivirus Stuffs\72508\tfinstall.exe;Archive contains infected objects;;
tfinstall.exe;I:\Antivirus Stuffs\72508;Archive contains infected objects;Moved.;

**Note: the I: drive was my thumb drive apparently; I didn't know I had it selected. I went ahead and deleted everything on it.

Deckard's System Scanner v20071014.68
Run by Justin on 2008-07-27 21:04:50
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Justin.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:04:58 PM, on 7/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Documents and Settings\Justin\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Justin.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: HP Image Zone Fast Start.lnk.disabled
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {38F5F92F-BD40-40DF-A569-6C1FCB638190} (InSPECS3_0 Control) - http://www.powerleap.../InSPECS3_0.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PunkBuster (PnkBstrA) - Unknown owner - C:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI\RpcSandraSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7359 bytes

-- Files created between 2008-06-27 and 2008-07-27 -----------------------------

2008-07-27 15:36:10 0 d-------- C:\cmdcons
2008-07-27 15:35:01 68096 --a------ C:\WINDOWS\zip.exe
2008-07-27 15:35:01 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-27 15:35:01 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-27 15:35:01 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-27 15:35:01 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-27 15:35:01 98816 --a------ C:\WINDOWS\sed.exe
2008-07-27 15:35:01 80412 --a------ C:\WINDOWS\grep.exe
2008-07-27 15:35:01 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-27 15:25:35 0 d-------- C:\Program Files\Java
2008-07-27 15:25:32 0 d-------- C:\Program Files\Common Files\Java
2008-07-27 00:42:40 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-27 00:42:39 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-07-26 19:43:41 0 d-------- C:\Documents and Settings\Justin\Application Data\Mozilla
2008-07-26 17:03:35 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-26 17:03:25 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-07-26 17:03:25 0 d-------- C:\Documents and Settings\Justin\Application Data\SUPERAntiSpyware.com
2008-07-26 00:50:10 0 d-------- C:\Documents and Settings\Justin\Application Data\Malwarebytes
2008-07-26 00:50:03 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-26 00:50:03 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-26 00:15:52 0 d-------- C:\Program Files\Common Files\Download Manager
2008-07-25 23:57:54 24576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
2008-07-25 23:49:27 0 d-------- C:\VundoFix Backups
2008-07-25 19:31:41 0 d-------- C:\Documents and Settings\LocalService\Desktop
2008-07-24 21:25:39 0 d-------- C:\Documents and Settings\Justin\Application Data\MailFrontier
2008-07-24 21:21:54 0 d-------- C:\Program Files\ZoneAlarmSB
2008-07-24 21:21:13 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-07-24 21:18:07 0 d-------- C:\Documents and Settings\Justin\Application Data\Media Player Classic
2008-07-24 19:01:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-07-24 18:21:14 0 d-------- C:\Documents and Settings\Justin\DoctorWeb
2008-07-24 17:44:05 0 d-------- C:\Program Files\Trend Micro
2008-07-23 21:41:45 0 d-------- C:\Program Files\Alwil Software
2008-07-03 17:45:02 0 d-------- C:\Documents and Settings\Justin\Application Data\Ubisoft
2008-07-02 07:46:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Ubisoft
2008-07-01 23:11:43 0 d-------- C:\Program Files\Ubisoft
2008-06-29 12:23:51 0 d-------- C:\Documents and Settings\All Users\Application Data\NexonUS
2008-06-28 22:05:57 0 d-------- C:\Program Files\AviSynth 2.5
2008-06-28 22:05:28 0 d-------- C:\Program Files\Avi2Dvd


-- Find3M Report ---------------------------------------------------------------

2008-07-27 17:06:12 0 d-------- C:\Program Files\Common Files
2008-07-26 17:03:10 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-26 10:03:20 0 d-------- C:\Program Files\EVGA Precision
2008-07-24 21:30:18 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-07-24 20:49:54 0 d-------- C:\Documents and Settings\Justin\Application Data\AVG7
2008-07-24 17:45:10 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-24 17:34:59 0 d-------- C:\Documents and Settings\Justin\Application Data\AdobeUM
2008-07-23 17:34:00 0 d-------- C:\Documents and Settings\Justin\Application Data\U3
2008-07-23 00:54:37 0 d-------- C:\Documents and Settings\Justin\Application Data\Adobe
2008-07-07 22:53:26 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-07-05 22:29:20 0 d-------- C:\Program Files\Steam
2008-06-20 20:45:20 0 d-------- C:\Documents and Settings\Justin\Application Data\Bioshock
2008-06-19 23:52:05 0 d--h----- C:\Program Files\eMule
2008-06-12 22:04:03 0 d-------- C:\Program Files\LucasArts
2008-06-09 22:38:05 0 d-------- C:\Program Files\OpenAL
2008-06-02 17:30:42 0 d-------- C:\Program Files\Electronic Arts
2008-06-02 17:30:04 0 d-------- C:\Program Files\AGEIA Technologies


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [07/24/2008 09:21 PM 262144]

[-HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [04/25/2005 08:50 AM]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [09/03/2003 08:12 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [01/29/2008 02:44 AM]
"CTSysVol"="C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [09/17/2003 10:43 AM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [12/05/2007 02:41 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 05:00 AM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [05/28/2008 10:33 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk.disabled [1/7/2007 6:38:46 PM]
HP Image Zone Fast Start.lnk.disabled [1/7/2007 6:40:21 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"=0 (0x0)
"NoSMHelp"=01000000
"NoLogoff"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 AM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 12/14/2007 01:10 AM 229376 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"c:\program files\steam\steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PnkBstrA"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" /startup
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
"DMXLauncher"=C:\Program Files\Dell\Media Experience\DMXLauncher.exe
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"UpdReg"=C:\WINDOWS\UpdReg.EXE
"mm_server"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_server.exe"
"nwiz"=nwiz.exe /install
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
"PhilipsRemote"="C:\Program Files\Musicmatch\Musicmatch Jukebox\PhilipsRemote.exe"
"MimBoot"=C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
"HPHUPD08"=C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
"MSConfig"=C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
"UserFaultCheck"=%systemroot%\system32\dumprep 0 -u
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe




-- End of Deckard's System Scanner: finished at 2008-07-27 21:05:23 ------------

#21
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Hmm.....something did not go quite right with the DSS scan, it looks too short. Also, I suspect we will have to replace your winlogon.exe file with a clean copy from your dll cache (Dr.Web CureIt did not seem to fix the infected winlogon.exe file), so we will scan them both again to see if the dll cache one is clean:

====STEP 1====
Jotti File Submission:

Please go to Jotti's malware scan
Copy and paste the following file path into the "File to upload & scan" box at the top of the page:
C:\WINDOWS\system32\winlogon.exe

Click on the submit button

Please also do the same with the following two files:
C:\WINDOWS\system32\dllcache\winlogon.exe

Please post the results of the scan in your next reply.

If Jotti is busy, try the same at VirusTotal



====STEP 2====
Click on Start, click on Run.
Copy and paste the following (in bold) into the Open box and then click OK:

"%userprofile%\desktop\dss.exe" /config

This will open up the DSS configuration.
Click on Check All.
Click Scan.
DSS will now run again. When it has finished, please post back both logs that open in Notepad:
Main.txt and Extra.txt


Could I see:
1. the 2 Jotti logs
2. the 2 DSS logs
3. also, let me know how your machine is running now.



andrewuk

Edited by andrewuk, 27 July 2008 - 09:08 PM.

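As an added example (not from this thread, and not part of Jotti, DSS or any other tool mentioned here), the two checks in Step 1 can be automated for triage: hash the live winlogon.exe against the Windows File Protection copy in dllcache, and summarise a Jotti-style "engine Found verdict" table so that a lone detection from one engine is weighed against the hash comparison rather than taken on its own. The function names are my own, the file bytes are constructed stand-ins for the two copies, and the engine lines follow the layout of the Jotti report posted later in this thread; on a real XP machine the two paths given above would be read instead.

```python
import hashlib
import re
from typing import Dict

# --- Constructed sample data -------------------------------------------------
# Stand-ins for the two copies of winlogon.exe. On a real machine you would use
# open(r"C:\WINDOWS\system32\winlogon.exe", "rb").read() and the same for
# C:\WINDOWS\system32\dllcache\winlogon.exe instead of these bytes.
CACHE_COPY = b"MZ" + bytes(range(256)) * 4
_patched = bytearray(CACHE_COPY)
_patched[0x80:0x84] = b"\xe9\x00\x10\x00"   # same size, a few bytes overwritten
LIVE_COPY = bytes(_patched)

# Scanner table in the layout Jotti prints: "<engine> Found <verdict>".
JOTTI_REPORT = """\
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found Trojan.Win32.Patched.g
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
"""


def digests(data: bytes) -> Dict[str, str]:
    """MD5 (what Jotti reports, so results can be matched) plus SHA-256 for your own records."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def compare_with_cache(live: bytes, cached: bytes) -> Dict[str, object]:
    """Does the live system binary still match the protected dllcache copy?"""
    live_d, cache_d = digests(live), digests(cached)
    return {"match": live_d["sha256"] == cache_d["sha256"],
            "live_md5": live_d["md5"],
            "cache_md5": cache_d["md5"],
            "size_delta": len(live) - len(cached)}   # a patched file often keeps its size


# Engine names may contain spaces ("Norman Virus Control"); the non-greedy group
# stops at the first " Found " separator.
_RESULT_LINE = re.compile(r"^(?P<engine>.+?)\s+Found\s+(?P<verdict>.+)$")


def parse_jotti_results(report: str) -> Dict[str, str]:
    """Map engine name -> verdict text ("nothing" means clean)."""
    results: Dict[str, str] = {}
    for line in report.splitlines():
        m = _RESULT_LINE.match(line.strip())
        if m:
            results[m.group("engine")] = m.group("verdict").strip()
    return results


def detections(results: Dict[str, str]) -> Dict[str, str]:
    return {eng: v for eng, v in results.items() if v.lower() != "nothing"}


def triage(live: bytes, cached: bytes, report: str) -> Dict[str, object]:
    """Combine the hash comparison with the multi-engine result into one verdict."""
    cmp = compare_with_cache(live, cached)
    results = parse_jotti_results(report)
    hits = detections(results)
    if cmp["match"]:
        verdict = ("clean: identical to the protected cache copy" if not hits
                   else "matches cache copy; detections are suspect, verify both copies against a known-good hash")
    else:
        verdict = ("patched: differs from cache copy and flagged by a scanner; restore from cache" if hits
                   else "differs from cache copy; investigate before trusting")
    return {"hash_check": cmp,
            "engines_total": len(results),
            "detections": hits,
            "low_confidence": len(hits) == 1,   # one engine out of many: weak on its own
            "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage(LIVE_COPY, CACHE_COPY, JOTTI_REPORT).items():
        print(f"{key}: {value}")
```

The point of combining the two signals is the one the thread turns on: a single engine calling a system file "Patched" proves little by itself, but a live binary whose hash no longer matches the dllcache copy while that copy scans clean is strong evidence, and the clean copy is also the repair.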

#22
blind_stone

    Member

  • Topic Starter
  • Member
  • 23 posts
My PC seems to be running fine, no hangups or popups; IE and Firefox seem to be working just fine. Even played a game or 2 the other day and I didn't notice any performance problems. I will post logs when I get home from work; it seems we are on opposite ends of the time spectrum! Also, just a quick question if I might ask: since I'm here at work I can download things a little faster, what antivirus programs should I be looking for to keep my computer protected?

Thanks again! :)
blind_stone

#23
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts

My PC seems to be running fine, no hangups or popups; IE and Firefox seem to be working just fine. Even played a game or 2 the other day and I didn't notice any performance problems.

Good to hear, though I suspect we will need to copy a clean copy of the winlogon.exe file over from your dllcache.....but we will see what the Jotti scan says.

I will post logs when I get home from work, It seems we are on opposite ends of the time spectrum!

In general, that works best......we just got knocked off course by the extent of your infection.

Also, just a quick question if I might ask: since I'm here at work I can download things a little faster, what antivirus programs should I be looking for to keep my computer protected?

Seems you have AVG, which is just fine....the full DSS log will show me if it is up-to-date etc......the free version is here.....if there is a problem then we can go for the free version or alternatively Avira or avast!.....but don't do anything yet, we will cross that bridge if we need to. Installing more than 1 antivirus on your machine can cause your machine to slow down and provide less, not more, protection.

andrewuk

#24
blind_stone

    Member

  • Topic Starter
  • Member
  • 23 posts
Jotti's malware scan

File: winlogon.exe
Status: POSSIBLY INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) (Note: this file was only classified as malware by scanners known to generate more false positives than the average scanner. Do not consider these results definately accurate. Also, because of this, results of this scan will not be recorded in the database.)
MD5: a65c0f33bfb77e85f16a171f41e9165a
Packers detected: -

Scanner results
Scan taken on 29 Jul 2008 03:24:11 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found Trojan.Win32.Patched.g
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
----------
**This second scan is the winlogon.exe from the dllcache; I scanned it 2x to be sure.
File: winlogon.exe
Status: OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 01c3346c241652f43aed8e2149881bfe
Packers detected: -

Scanner results
Scan taken on 29 Jul 2008 03:28:02 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
-------------------------

Main.txt

Deckard's System Scanner v20071014.68
Run by Justin on 2008-07-28 22:38:33
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
103: 2008-07-29 03:38:37 UTC - RP1200 - Deckard's System Scanner Restore Point
102: 2008-07-29 02:58:50 UTC - RP1199 - System Checkpoint
101: 2008-07-28 02:13:05 UTC - RP1198 - Installed BioShock
100: 2008-07-27 22:04:37 UTC - RP1197 - ComboFix created restore point
99: 2008-07-27 20:35:28 UTC - RP1196 - ComboFix created restore point


-- First Restore Point --
1: 2008-04-30 06:11:01 UTC - RP1098 - System Checkpoint


Performed disk cleanup.



-- HijackThis (run as Justin.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:38:49 PM, on 7/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Justin\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Justin.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: HP Image Zone Fast Start.lnk.disabled
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {38F5F92F-BD40-40DF-A569-6C1FCB638190} (InSPECS3_0 Control) - http://www.powerleap.../InSPECS3_0.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PunkBuster (PnkBstrA) - Unknown owner - C:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI\RpcSandraSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7410 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080727-170155-196 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nextpimp.com/?rtp

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfsync02 (StarForce Protection Synchronization Driver (version 2.x)) - c:\windows\system32\drivers\sfsync02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfvfs02 (StarForce Protection VFS Driver (version 2.x)) - c:\windows\system32\drivers\sfvfs02.sys <Not Verified; Protection Technology; StarForce Protection System>
R1 BANTExt (Belarc SMBios Access) - c:\windows\system32\drivers\bantext.sys
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>

S3 EagleNT - c:\windows\system32\drivers\eaglent.sys (file missing)
S3 ENTECH - c:\windows\system32\drivers\entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
S3 NVR0Dev - c:\windows\nvoclock.sys (file missing)
S3 SYMIDSCO - c:\progra~1\common~1\symant~1\symcdata\ids-di~1\20040813.178\symidsco.sys (file missing)
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe
S3 rpcapd (Remote Packet Capture Protocol v.0 (experimental)) - "c:\program files\winpcap\rpcapd.exe" -d -f "c:\program files\winpcap\rpcapd.ini" <Not Verified; NetGroup - Politecnico di Torino; Remote Packet Capture Daemon>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel® PRO/100 VE Network Connection
Device ID: PCI\VEN_8086&DEV_27DC&SUBSYS_01A71028&REV_01\4&5855BE9&0&40F0
Manufacturer: Intel
Name: Intel® PRO/100 VE Network Connection
PNP Device ID: PCI\VEN_8086&DEV_27DC&SUBSYS_01A71028&REV_01\4&5855BE9&0&40F0
Service: E100B


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\system32\winlogon.exe (pid 600)
2007-04-19 13:41:36 294912 --a------ C:\Program Files\SUPERAntiSpyware\SASWINLO.dll <Not Verified; SUPERAntiSpyware.com; SUPERAntiSpyware WinLogon Processor>
2007-12-14 01:10:11 229376 --a------ C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll <Not Verified; Stardock Corporation; Stardock WindowBlinds 6>
2007-09-27 13:40:14 488523 --a------ C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll <Not Verified; Stardock Corporation; WindowBlinds>
2007-07-11 16:06:58 28740 --a------ C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll <Not Verified; Stardock.Net, Inc; WindowBlinds 4 for Win32 x86 machines>

C:\WINDOWS\system32\svchost.exe (pid 972)
2007-09-27 13:40:14 488523 --a------ C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll <Not Verified; Stardock Corporation; WindowBlinds>
2007-07-11 16:06:58 28740 --a------ C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll <Not Verified; Stardock.Net, Inc; WindowBlinds 4 for Win32 x86 machines>

C:\WINDOWS\explorer.exe (pid 1492)
2007-09-27 13:40:14 488523 --a------ C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll <Not Verified; Stardock Corporation; WindowBlinds>
2007-07-11 16:06:58 28740 --a------ C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll <Not Verified; Stardock.Net, Inc; WindowBlinds 4 for Win32 x86 machines>
2004-11-14 06:27:48 212992 --a------ C:\WINDOWS\system32\sql.dll <Not Verified; WeOnlyDo! COM; wodShellMenu Component>
2005-11-15 12:07:16 1802240 --a------ C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll <Not Verified; Nero AG; Nero Digital Tools>
2007-12-05 02:41:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2008-05-13 10:13:36 77824 --a------ C:\Program Files\SUPERAntiSpyware\SASSEH.DLL <Not Verified; SuperAdBlocker.com; SuperAntiSpyware>
2006-09-12 21:56:02 73728 --a------ C:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll <Not Verified; Nero AG; Nero BackItUp>
2004-12-17 09:00:00 5120 --a------ C:\Program Files\WinZip\WZSHLSTB.DLL <Not Verified; WinZip Computing, Inc.; WinZip>
2003-05-15 14:43:24 119808 --a------ C:\Program Files\WinRAR\RarExt.dll


-- Scheduled Tasks -------------------------------------------------------------

2008-07-28 13:51:11 424 --ah----- C:\WINDOWS\Tasks\User_Feed_Synchronization-{743C1170-7DBC-43BA-A4D3-84FD6221DAC9}.job


-- Files created between 2008-06-28 and 2008-07-28 -----------------------------

2008-07-27 15:36:10 0 d-------- C:\cmdcons
2008-07-27 15:35:01 68096 --a------ C:\WINDOWS\zip.exe
2008-07-27 15:35:01 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-27 15:35:01 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-27 15:35:01 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-27 15:35:01 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-27 15:35:01 98816 --a------ C:\WINDOWS\sed.exe
2008-07-27 15:35:01 80412 --a------ C:\WINDOWS\grep.exe
2008-07-27 15:35:01 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-27 15:25:35 0 d-------- C:\Program Files\Java
2008-07-27 15:25:32 0 d-------- C:\Program Files\Common Files\Java
2008-07-27 00:42:40 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-27 00:42:39 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-07-26 19:43:41 0 d-------- C:\Documents and Settings\Justin\Application Data\Mozilla
2008-07-26 17:03:35 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-26 17:03:25 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-07-26 17:03:25 0 d-------- C:\Documents and Settings\Justin\Application Data\SUPERAntiSpyware.com
2008-07-26 00:50:10 0 d-------- C:\Documents and Settings\Justin\Application Data\Malwarebytes
2008-07-26 00:50:03 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-26 00:50:03 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-26 00:15:52 0 d-------- C:\Program Files\Common Files\Download Manager
2008-07-25 23:57:54 24576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
2008-07-25 23:49:27 0 d-------- C:\VundoFix Backups
2008-07-25 19:31:41 0 d-------- C:\Documents and Settings\LocalService\Desktop
2008-07-24 21:25:39 0 d-------- C:\Documents and Settings\Justin\Application Data\MailFrontier
2008-07-24 21:21:54 0 d-------- C:\Program Files\ZoneAlarmSB
2008-07-24 21:21:13 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-07-24 21:18:07 0 d-------- C:\Documents and Settings\Justin\Application Data\Media Player Classic
2008-07-24 19:01:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-07-24 18:21:14 0 d-------- C:\Documents and Settings\Justin\DoctorWeb
2008-07-24 17:44:05 0 d-------- C:\Program Files\Trend Micro
2008-07-23 21:41:45 0 d-------- C:\Program Files\Alwil Software
2008-07-03 17:45:02 0 d-------- C:\Documents and Settings\Justin\Application Data\Ubisoft
2008-07-02 07:46:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Ubisoft
2008-07-01 23:11:43 0 d-------- C:\Program Files\Ubisoft
2008-06-29 12:23:51 0 d-------- C:\Documents and Settings\All Users\Application Data\NexonUS
2008-06-28 22:05:57 0 d-------- C:\Program Files\AviSynth 2.5
2008-06-28 22:05:28 0 d-------- C:\Program Files\Avi2Dvd


-- Find3M Report ---------------------------------------------------------------

2008-07-28 07:46:06 0 d-------- C:\Documents and Settings\Justin\Application Data\AVG7
2008-07-27 17:06:12 0 d-------- C:\Program Files\Common Files
2008-07-26 17:03:10 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-26 10:03:20 0 d-------- C:\Program Files\EVGA Precision
2008-07-24 21:30:18 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-07-24 17:45:10 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-24 17:34:59 0 d-------- C:\Documents and Settings\Justin\Application Data\AdobeUM
2008-07-23 17:34:00 0 d-------- C:\Documents and Settings\Justin\Application Data\U3
2008-07-23 00:54:37 0 d-------- C:\Documents and Settings\Justin\Application Data\Adobe
2008-07-07 22:53:26 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-07-05 22:29:20 0 d-------- C:\Program Files\Steam
2008-06-20 20:45:20 0 d-------- C:\Documents and Settings\Justin\Application Data\Bioshock
2008-06-19 23:52:05 0 d--h----- C:\Program Files\eMule
2008-06-12 22:04:03 0 d-------- C:\Program Files\LucasArts
2008-06-09 22:38:05 0 d-------- C:\Program Files\OpenAL
2008-06-02 17:30:42 0 d-------- C:\Program Files\Electronic Arts
2008-06-02 17:30:04 0 d-------- C:\Program Files\AGEIA Technologies


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [07/24/2008 09:21 PM 262144]

[-HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [04/25/2005 08:50 AM]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [09/03/2003 08:12 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [01/29/2008 02:44 AM]
"CTSysVol"="C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [09/17/2003 10:43 AM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [12/05/2007 02:41 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 05:00 AM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [05/28/2008 10:33 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk.disabled [1/7/2007 6:38:46 PM]
HP Image Zone Fast Start.lnk.disabled [1/7/2007 6:40:21 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"=0 (0x0)
"NoSMHelp"=01000000
"NoLogoff"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 AM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 12/14/2007 01:10 AM 229376 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"c:\program files\steam\steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PnkBstrA"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" /startup
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
"DMXLauncher"=C:\Program Files\Dell\Media Experience\DMXLauncher.exe
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"UpdReg"=C:\WINDOWS\UpdReg.EXE
"mm_server"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_server.exe"
"nwiz"=nwiz.exe /install
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
"PhilipsRemote"="C:\Program Files\Musicmatch\Musicmatch Jukebox\PhilipsRemote.exe"
"MimBoot"=C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
"HPHUPD08"=C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
"MSConfig"=C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
"UserFaultCheck"=%systemroot%\system32\dumprep 0 -u
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe




-- End of Deckard's System Scanner: finished at 2008-07-28 22:40:02 ------------

Edited by blind_stone, 28 July 2008 - 09:45 PM.


#25
blind_stone

    Member

  • Topic Starter
  • 23 posts
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® D CPU 3.20GHz
CPU 1: Intel® Pentium® D CPU 3.20GHz
Percentage of Memory in Use: 15%
Physical Memory (total/avail): 3070.09 MiB / 2582.43 MiB
Pagefile Memory (total/avail): 5979.05 MiB / 5636.55 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1906.87 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 145.49 GiB total, 23.14 GiB free.
D: is CDROM (No Media)
E: is CDROM (UDF)
F: is Removable (No Media)
G: is CDROM (No Media)
H: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - Maxtor 6L160M0 - 149.01 GiB - 3 partitions
\PARTITION0 - Unknown - 39.19 MiB
\PARTITION1 (bootable) - Installable File System - 145.49 GiB - C:
\PARTITION2 - Unknown - 3.48 GiB

\\.\PHYSICALDRIVE1 - HP Photosmart 8000 USB Device



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
AUState says computer is ready and waiting.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

FW: ZoneAlarm Security Suite Firewall v7.0.483.000 (Check Point, LTD.) Disabled
FW: COMODO Firewall Pro v2.3.035 (COMODO) Disabled
AV: ZoneAlarm Security Suite Antivirus v7.0.483.000 (Check Point, LTD.) Disabled
AV: AVG 7.5.516 v7.5.516 (Grisoft)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Nexon\\Combat Arms\\CombatArms.exe"="C:\\Nexon\\Combat Arms\\CombatArms.exe:*Enabled:CombatArms.exe"
"C:\\Nexon\\Combat Arms\\Engine.exe"="C:\\Nexon\\Combat Arms\\Engine.exe:*Enabled:Engine.exe"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\DAP\\DAP.exe"="C:\\Program Files\\DAP\\DAP.exe:*:Disabled:Download Accelerator Plus (DAP)"
"C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"="C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe:*:Disabled:LaunchPad"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\eMule\\em.exe"="C:\\Program Files\\eMule\\em.exe:*:Enabled:eMule"
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XI\\RpcSandraSrv.exe"="C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XI\\RpcSandraSrv.exe:*:Enabled:SiSoftware Sandra Agent Service"
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XI\\Win32\\RpcDataSrv.exe"="C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XI\\Win32\\RpcDataSrv.exe:*:Enabled:SiSoftware Database Agent Service"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\\WINDOWS\\system32\\PnkBstrB.exe"="C:\\WINDOWS\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"="C:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe:*:Enabled:Sins of a Solar Empire"
"C:\\Program Files\\Electronic Arts\\Medal of Honor Airborne\\UnrealEngine3\\Binaries\\MOHA.exe"="C:\\Program Files\\Electronic Arts\\Medal of Honor Airborne\\UnrealEngine3\\Binaries\\MOHA.exe:*:Enabled:Medal of Honor Airborne"
"C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"="C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe:*:Enabled:Nexon Game Manager"
"C:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe"="C:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe:*:Enabled:Assassin's Creed Dx9"
"C:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe"="C:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe:*:Enabled:Assassin's Creed Dx10"
"C:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe"="C:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe:*:Enabled:Assassin's Creed Update"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Justin\Application Data
BitRock=1
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=D8FDM481
ComSpec=C:\WINDOWS\system32\cmd.exe
DEFAULT_CA_NR=CA18
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Justin
LOGONSERVER=\\D8FDM481
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Intel\DMIX;;C:\Program Files\Common Files\Teleca Shared
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 6 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0602
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Justin\LOCALS~1\Temp
TMP=C:\DOCUME~1\Justin\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=D8FDM481
USERNAME=Justin
USERPROFILE=C:\Documents and Settings\Justin
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Justin (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Creative\Sound Blaster Live! 24-bit\Program\Ctzapxx.EXE" /X /U /S
--> C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\uninst.exe -fC:\Maxis\SimFarm\DeIsL1.isu
--> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> MsiExec /X{65F1CF63-31E0-450B-96F3-4A88BE7361A6}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{44DC86A0-248D-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{44DC86A0-248D-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5210ED6D-52A9-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5210ED6D-52A9-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CDDF96A-BC34-4D72-9ABA-E1FFF0C39977}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{67AEFC4C-69E4-11D7-85F4-00E018013273}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{67AEFC4C-69E4-11D7-85F4-00E018013273}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7201B853-5833-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7201B853-5833-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A900EAB-DA37-4554-AF19-9C337476D05D}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A900EAB-DA37-4554-AF19-9C337476D05D}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A1185190-514F-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A1185190-514F-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AC157741-3285-4D6A-B934-9174587A3493}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AC157741-3285-4D6A-B934-9174587A3493}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C6866B7D-ACFD-4C49-B77B-3B2F8CF54B96}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F865C2FE-25E7-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F865C2FE-25E7-11D6-9BAF-0090271AF8A4}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB2292C6-1F0A-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB2292C6-1F0A-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FC0DD8AE-3DC0-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FC0DD8AE-3DC0-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9 /remove
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
3DMark06 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F3AD00A-1819-4B15-BB7D-08B3586336D7}\setup.exe" -l0x9 -removeonly
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop CS --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFB21DE7-8C19-4A88-BB28-A766E16493BC}\setup.exe" -l0x9
Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
AGEIA PhysX v7.07.09 --> MsiExec.exe /X{65F1CF63-31E0-450B-96F3-4A88BE7361A6}
AnyDVD --> "C:\Program Files\SlySoft\AnyDVD\AnyDVD-uninst.exe" /D="C:\Program Files\SlySoft\AnyDVD"
AOLIcon --> MsiExec.exe /I{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}
Assassin's Creed --> C:\Program Files\InstallShield Installation Information\{8CFA9151-6404-409A-AF22-4632D04582FD}\setup.exe -runfromtemp -l0x0009 -removeonly
AusLogics Disk Defrag --> "C:\Program Files\Auslogics\AusLogics Disk Defrag\unins000.exe"
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
Belarc Advisor 7.2 --> C:\PROGRA~1\Belarc\Advisor\Uninstall.exe C:\PROGRA~1\Belarc\Advisor\INSTALL.LOG
BSShutDownPC 1.0 --> C:\Program Files\BSShutDownPC\uninst.exe
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Creative MediaSource --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{56F3E1FF-54FE-4384-A153-6CCABA097814}\setup.exe" -l0x9 /remove
DAEMON Tools --> MsiExec.exe /I{3DED3A72-61A8-4B87-98A5-EF0BC8038AA0}
Dell Driver Reset Tool --> MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}
Dell Media Experience --> MsiExec.exe /I{AC0EE5B0-A8FB-4D0A-AF03-2EDC518F841B}
Dell Support 3.1 --> MsiExec.exe /X{548EEA8E-8299-497F-8057-811D2D7097DC}
Download Accelerator Plus (DAP) --> C:\PROGRA~1\DAP\DAPREMOVE.EXE
DVD Decrypter (Remove Only) --> "C:\Program Files\DVD Decrypter\uninstall.exe"
DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe"
EAX4 Unified Redist --> MsiExec.exe /X{89661B04-C646-4412-B6D3-5E19F02F1F37}
Fraps (remove only) --> "C:\Fraps\uninstall.exe"
Guitar Pro 5.0 --> "C:\Program Files\Guitar Pro 5\unins000.exe"
Half-Life 2 --> "C:\Program Files\Steam\steam.exe" steam://uninstall/220
Half-Life 2: Episode One --> "C:\Program Files\Steam\steam.exe" steam://uninstall/380
Half-Life 2: Episode Two --> "C:\Program Files\Steam\steam.exe" steam://uninstall/420
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Image Zone 5.3 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Imaging Device Functions 5.3 --> C:\Program Files\HP\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart 330,380,420,470,7800,8000,8200 Series --> C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\setup\hpzscr01.exe -d MsiRollbackUninstaller -datfile hphscr08.dat
HP Software Update --> MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
HP Solution Center & Imaging Support Tools 5.3 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
Intel Matrix Storage Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}\setup.exe" -l0409 -INTELUNINST
Intel® 537EP V9x DF PCI Modem --> rundll32 IntelCci.dll,iSMUninstallation "Intel® 537EP V9x DF PCI Modem"
Intel® PRO Network Connections Software v9.2.4.11 --> C:\Program Files\Intel\DMIX\uninst\DxSetup.exe /x /qr /le C:\DOCUME~1\Owner\LOCALS~1\Temp\PROSetDX\DMIX\\DxUninst.log
Intel® PROSafe for Wired Connections --> MsiExec.exe /I{36BD0774-6CD6-4FF9-A148-83CA09AC123E}
Intel® PROSafe for Wired Connections --> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
Internet Explorer Default Page --> MsiExec.exe /I{35BDEFF1-A610-4956-A00D-15453C116395}
Java™ 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
K-Lite Mega Codec Pack 3.7.5 --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
Lernout & Hauspie TruVoice American English TTS Engine --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\tv_enua.inf, Uninstall
LimeWire PRO 4.13.0 --> "C:\Program Files\LimeWire\uninstall.exe"
Macromedia Flash Player --> MsiExec.exe /X{0456ebd7-5f67-4ab6-852e-63781e3f389c}
Magic ISO Maker v5.4 (build 0256) --> C:\PROGRA~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MagicISO\INSTALL.LOG
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Medal of Honor Airborne --> MsiExec.exe /X{25F28E39-FDBB-11DB-8314-0800200C9A66}
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Plus! Digital Media Edition Installer --> MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
Microsoft Plus! Photo Story 2 LE --> MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
MKPP v3.02 --> MsiExec.exe /I{DF1E7FB5-4833-4D6C-931E-532433FC8A7F}
Modem Event Monitor --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A0EFAFB-AC4B-4B88-8C6B-6731BE88DB68}\setup.exe" -l0x9
Moyea FLV Player version 1.0.0.36 --> "C:\Program Files\Moyea\FLV Player\unins000.exe"
Mozilla Firefox (3.0.1) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Nero 7 Ultra Edition --> MsiExec.exe /I{40261D0A-A385-4C1A-A7DE-5F270D9B1033}
NVIDIA Drivers --> C:\WINDOWS\system32\nvuninst.exe UninstallGUI
OpenAL --> "C:\Program Files\OpenAL\OalinstGridRelease.exe" /U
Photo Click --> MsiExec.exe /I{6E179C77-7335-458D-9537-4F4EAC0181ED}
Portal --> "C:\Program Files\Steam\steam.exe" steam://uninstall/400
PowerStrip 3 (remove only) --> C:\Program Files\PowerStrip\uninstal.exe
Project64 1.6 --> MsiExec.exe /X{9559F7CA-5E34-4237-A2D9-D856464AD727}
PunkBuster Services --> C:\WINDOWS\system32\pbsvc.exe -u
RipIt4Me --> C:\Program Files\RipIt4Me\Uninstal.exe
Security Task Manager 1.7 --> C:\Program Files\Security Task Manager\Uninstal.exe "C:\Documents and Settings\All Users\Start Menu\Programs\Security Task Manager"
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Sibelius Scorch Plugin --> "C:\Program Files\Musicnotes\uninstsc.exe"
Sins of a Solar Empire --> "C:\Documents and Settings\All Users\Application Data\{0E8E33D8-193A-414A-A909-0F101A142D26}\setup.exe" REMOVE=TRUE MODIFY=FALSE
Sins of a Solar Empire --> C:\Documents and Settings\All Users\Application Data\{0E8E33D8-193A-414A-A909-0F101A142D26}\setup.exe
SiSoftware Sandra Lite XI (Win64/32/CE) --> "C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI\unins000.exe"
Sound Blaster Live! 24-bit --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CEB481CC-F57C-4397-81A0-DADD22257047}\setup.exe" -l0x9
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Star Wars® Knights of the Old Republic® II: The Sith Lords™ --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{629F65FB-7F3C-4D66-A1C0-20722744B7B6}\setup.exe" -l0x9 -removeonly
Steam --> MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
System Requirements Lab --> C:\Program Files\SystemRequirementsLab\Uninstall.exe
Team Fortress 2 --> "C:\Program Files\Steam\steam.exe" steam://uninstall/440
The Sims 2 --> C:\Program Files\EA GAMES\The Sims 2\EAUninstall.exe
The Sims 2 Open For Business --> C:\Program Files\EA GAMES\The Sims 2 Open For Business\EAUninstall.exe
The Sims 2 Pets --> C:\Program Files\EA GAMES\The Sims 2 Pets\EAUninstall.exe
The Sims 2 University --> C:\Program Files\EA GAMES\The Sims 2 University\EAUninstall.exe
The Sims™ 2 Seasons --> C:\Program Files\EA GAMES\The Sims 2 Seasons\EAUninstall.exe
Tweak UI --> "C:\WINDOWS\system32\mshta.exe" "res://C:\WINDOWS\system32\TweakUI.exe/uninstall.hta"
TweakNow RegCleaner Standard --> "C:\Program Files\TweakNow RegCleaner Std\unins000.exe"
WebCyberCoach 3.2 Dell --> "C:\Program Files\WebCyberCoach\b_Dell\WCC_Wipe.exe" "WebCyberCoach ext\wtrb" /inf "engine.inf,RealUninstallSection,,4" /infcfg "enginecf.inf,RealUninstallSection,,4"
Winamp --> "C:\Program Files\Winamp\UninstWA.exe"
WindowBlinds --> C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\UNWISE.EXE C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\INSTALL.LOG
Windows Installer Clean Up --> MsiExec.exe /X{121634B0-2F4B-11D3-ADA3-00C04F52DD52}
WinPcap 3.1 beta4 --> "C:\Program Files\WinPcap\Uninstall.exe" "C:\Program Files\WinPcap\install.log"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
ZoneAlarm --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe
ZoneAlarm Spy Blocker --> rundll32 C:\PROGRA~1\ZONEAL~1\bar\1.bin\SpyBlock.dll,O


-- Application Event Log -------------------------------------------------------

Event Record #/Type14028 / Error
Event Submitted/Written: 07/27/2008 06:06:08 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module dbghelp.dll, version 5.1.2600.2180, fault address 0x0001295d.
Processing media-specific event for [drwtsn32.exe!ws!]

Event Record #/Type14027 / Error
Event Submitted/Written: 07/27/2008 06:05:37 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application setup.exe, version 0.0.0.0, faulting module comctl32.dll, version 6.0.2900.2982, fault address 0x000347e8.
Processing media-specific event for [setup.exe!ws!]

Event Record #/Type14020 / Error
Event Submitted/Written: 07/27/2008 06:02:53 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application setup.exe, version 0.0.0.0, faulting module comctl32.dll, version 6.0.2900.2982, fault address 0x000347e8.
Processing media-specific event for [setup.exe!ws!]

Event Record #/Type14019 / Error
Event Submitted/Written: 07/27/2008 06:02:30 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application setup.exe, version 0.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type14018 / Error
Event Submitted/Written: 07/27/2008 06:02:28 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application setup.exe, version 0.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type23273 / Warning
Event Submitted/Written: 07/27/2008 04:41:35 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type23206 / Error
Event Submitted/Written: 07/27/2008 03:21:00 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error:
%%2

Event Record #/Type23203 / Error
Event Submitted/Written: 07/27/2008 03:21:00 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error:
%%2

Event Record #/Type23200 / Error
Event Submitted/Written: 07/27/2008 03:21:00 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error:
%%2

Event Record #/Type23197 / Error
Event Submitted/Written: 07/27/2008 03:21:00 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Application Management service terminated with the following error:
%%2



-- End of Deckard's System Scanner: finished at 2008-07-28 22:40:02 ------------


#26 andrewuk
Trusted Helper, Malware Removal, 5,297 posts
OK, let's copy the clean copy of the file over the infected file and do a few housekeeping points:

====STEP 1====
Housekeeping:

You seem to have a few security programs on your machine:

FW: ZoneAlarm Security Suite Firewall v7.0.483.000 (Check Point, LTD.) Disabled
FW: COMODO Firewall Pro v2.3.035 (COMODO) Disabled
AV: ZoneAlarm Security Suite Antivirus v7.0.483.000 (Check Point, LTD.) Disabled
AV: AVG 7.5.516 v7.5.516 (Grisoft)

As we stand right now, you just have to activate one of the firewalls (do this after the ComboFix routine below). But don't activate the ZoneAlarm Security Suite Antivirus (you should only have one antivirus program active on your machine; any more and they conflict), and make sure you only activate one firewall. In summary, only have one antivirus program running and one firewall running.

Looking through your programs (which can be removed via Start > Control Panel > Add/Remove Programs):

Spybot - Search & Destroy 1.4 is out of date, so could you uninstall it? We will install an up-to-date version after this post.

Download Accelerator Plus can add malware or is bundled with malware, so you should uninstall it.

Internet Explorer Default Page can add malware or is bundled with malware, so you should uninstall it. This is not the Windows Internet Explorer, which is in any case listed in the "Add/Remove Windows Components" section.



====STEP 2====
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]

FCOPY::
C:\WINDOWS\system32\dllcache\winlogon.exe | C:\WINDOWS\system32\winlogon.exe


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: dragging CFScript.txt onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
andrewuk

Edited by andrewuk, 29 July 2008 - 12:33 PM.


#27 blind_stone
Member, Topic Starter, 23 posts
Uninstalled DAP, Search & Destroy, and Internet Default Page.

ComboFix 08-07-29.1 - Justin 2008-07-29 23:33:13.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2575 [GMT -5:00]
Running from: C:\Documents and Settings\Justin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Justin\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Justin\Application Data\macromedia\Flash Player\#SharedObjects\5LC2WA6U\interclick.com
C:\Documents and Settings\Justin\Application Data\macromedia\Flash Player\#SharedObjects\5LC2WA6U\interclick.com\ud.sol
C:\Documents and Settings\Justin\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Justin\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol

.
--------------- FCopy ---------------

C:\WINDOWS\system32\dllcache\winlogon.exe --> C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-30 )))))))))))))))))))))))))))))))
.

2008-07-29 22:27 . 2008-07-29 22:27 <DIR> d-------- C:\Program Files\AssaultCube
2008-07-29 18:37 . 2008-07-29 18:37 <DIR> d-------- C:\Program Files\eRightSoft
2008-07-29 00:46 . 2008-07-29 00:46 <DIR> d-------- C:\Program Files\Handbrake
2008-07-27 15:26 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-27 15:25 . 2008-07-27 15:26 <DIR> d-------- C:\Program Files\Java
2008-07-27 15:25 . 2008-07-27 15:25 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-27 00:42 . 2008-07-27 00:42 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-07-27 00:42 . 2008-07-27 00:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-26 20:09 . 2008-07-26 20:09 250 --a------ C:\WINDOWS\gmer.ini
2008-07-26 17:03 . 2008-07-26 17:03 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-26 17:03 . 2008-07-26 17:03 <DIR> d-------- C:\Documents and Settings\Justin\Application Data\SUPERAntiSpyware.com
2008-07-26 17:03 . 2008-07-26 17:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-26 01:08 . 2008-07-26 01:08 <DIR> d-------- C:\Deckard
2008-07-26 00:50 . 2008-07-26 00:50 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-26 00:50 . 2008-07-26 00:50 <DIR> d-------- C:\Documents and Settings\Justin\Application Data\Malwarebytes
2008-07-26 00:50 . 2008-07-26 00:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-26 00:50 . 2008-07-23 20:09 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-26 00:50 . 2008-07-23 20:09 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-26 00:15 . 2008-07-26 00:15 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-07-25 23:57 . 2008-07-25 23:57 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-07-25 23:49 . 2008-07-27 00:01 <DIR> d-------- C:\VundoFix Backups
2008-07-25 23:38 . 2008-07-25 23:38 <DIR> d-------- C:\_OTMoveIt
2008-07-24 21:25 . 2008-07-24 21:25 <DIR> d-------- C:\Documents and Settings\Justin\Application Data\MailFrontier
2008-07-24 21:21 . 2008-07-24 21:21 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-07-24 21:21 . 2008-07-25 23:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-07-24 21:21 . 2008-07-09 09:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-07-24 21:20 . 2008-07-24 21:20 <DIR> d-------- C:\Program Files\Zone Labs
2008-07-24 21:18 . 2008-07-24 21:18 <DIR> d-------- C:\Documents and Settings\Justin\Application Data\Media Player Classic
2008-07-24 19:01 . 2008-07-26 19:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-07-24 18:21 . 2008-07-27 18:21 <DIR> d-------- C:\Documents and Settings\Justin\DoctorWeb
2008-07-24 17:49 . 2008-04-28 12:29 805,400 -ra------ C:\WINDOWS\system32\tmpB.tmp
2008-07-24 17:47 . 2008-04-28 12:29 805,400 -ra------ C:\WINDOWS\system32\tmp5.tmp
2008-07-24 17:47 . 2008-04-28 12:29 805,400 -ra------ C:\WINDOWS\system32\tmp4.tmp
2008-07-24 17:44 . 2008-07-24 17:44 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-23 21:41 . 2008-07-23 21:41 <DIR> d-------- C:\Program Files\Alwil Software
2008-07-03 17:45 . 2008-07-03 17:45 <DIR> d-------- C:\Documents and Settings\Justin\Application Data\Ubisoft
2008-07-02 07:46 . 2008-07-02 07:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ubisoft
2008-07-01 23:11 . 2008-07-01 23:11 <DIR> d-------- C:\Program Files\Ubisoft
2008-06-29 12:23 . 2008-06-29 13:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NexonUS
2008-06-28 22:05 . 2008-07-29 00:08 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-06-28 22:05 . 2008-07-29 00:08 <DIR> d-------- C:\Program Files\Avi2Dvd
2008-06-12 22:50 . 2008-07-07 22:53 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-06-12 22:04 . 2008-06-12 22:04 <DIR> d-------- C:\Program Files\LucasArts
2008-06-09 22:40 . 2008-06-19 22:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Codemasters
2008-06-09 22:38 . 2008-06-09 22:38 <DIR> d-------- C:\Program Files\OpenAL
2008-06-02 17:30 . 2008-06-02 17:30 <DIR> d-------- C:\Program Files\Electronic Arts
2008-06-02 17:29 . 2008-06-02 17:29 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2008-06-02 17:29 . 2008-07-26 17:03 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-02 17:29 . 2008-06-02 17:30 <DIR> d-------- C:\Program Files\AGEIA Technologies

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-30 04:30 --------- d-----w C:\Documents and Settings\Justin\Application Data\AVG7
2008-07-30 03:58 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-30 03:53 --------- d-----w C:\Program Files\DAP
2008-07-30 03:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-29 20:14 70,460 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-29 20:14 5,811,488 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-27 20:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-07-27 15:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-07-26 15:03 --------- d-----w C:\Program Files\EVGA Precision
2008-07-26 05:33 1,397,760 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-07-24 22:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-24 22:34 --------- d-----w C:\Documents and Settings\Justin\Application Data\AdobeUM
2008-07-23 22:34 --------- d-----w C:\Documents and Settings\Justin\Application Data\U3
2008-07-22 03:39 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-09 14:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2008-07-06 03:29 --------- d-----w C:\Program Files\Steam
2008-06-21 01:45 --------- d-----w C:\Documents and Settings\Justin\Application Data\Bioshock
2008-06-20 04:52 --------- d--h--w C:\Program Files\eMule
2008-06-10 03:40 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-06-10 03:38 444,952 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-06-10 03:38 109,080 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-05-21 23:59 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-04-28 17:29 805,400 ----a-r C:\WINDOWS\system32\tmp5F.tmp
2008-03-23 22:08 22,328 ----a-w C:\Documents and Settings\Justin\Application Data\PnkBstrK.sys
2007-04-24 05:49 2,027,029 ----a-w C:\WINDOWS\inf\Rar.exe
2005-09-03 21:50 56 --sha-r C:\WINDOWS\system32\1FAE532A1C.sys
2007-06-21 05:10 5 --sha-w C:\WINDOWS\system32\ceaaeefdfa1_g.dll
2007-06-21 05:18 23 --sha-w C:\WINDOWS\system32\eaedbaccbb0_r.dll
2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2005-09-03 21:50 2,516 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
2008-03-16 12:30 216,064 --sh--r C:\WINDOWS\system32\nbDX.dll
2007-05-11 05:25 49,440 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((( snapshot@2008-07-27_15.45.57.81 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-04-12 14:47:22 217,073 ----a-w C:\WINDOWS\meta4.exe
+ 2006-04-05 13:09:16 66,560 ----a-w C:\WINDOWS\MOTA113.exe
+ 2007-05-17 15:30:48 318,976 ----a-w C:\WINDOWS\system32\avisynth.dll
+ 2005-07-14 17:31:20 27,648 ----a-w C:\WINDOWS\system32\AVSredirect.dll
+ 2004-02-22 08:11:08 719,872 ----a-w C:\WINDOWS\system32\devil.dll
+ 2004-01-25 05:00:00 70,656 ----a-w C:\WINDOWS\system32\i420vfw.dll
+ 2005-02-28 18:16:22 240,128 ----a-w C:\WINDOWS\system32\x.264.exe
- 2004-01-25 23:18:44 217,088 ----a-w C:\WINDOWS\system32\yv12vfw.dll
+ 2004-01-25 05:00:00 70,656 ----a-w C:\WINDOWS\system32\yv12vfw.dll
+ 2006-10-07 22:43:42 502,784 ----a-w C:\WINDOWS\x2.64.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 08:50 139264]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 20:12 221184]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-29 02:44 579072]
"CTSysVol"="C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 10:43 57344]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-29 02:44 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk.disabled [2007-01-07 18:38:46 1808]
HP Image Zone Fast Start.lnk.disabled [2007-01-07 18:40:21 798]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)
"NoSMHelp"= 01000000
"NoLogoff"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2007-12-14 01:10 229376 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-01-08 01:38 1266936 c:\Program Files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PnkBstrA"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" /startup
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
"DMXLauncher"=C:\Program Files\Dell\Media Experience\DMXLauncher.exe
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"UpdReg"=C:\WINDOWS\UpdReg.EXE
"mm_server"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_server.exe"
"nwiz"=nwiz.exe /install
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
"PhilipsRemote"="C:\Program Files\Musicmatch\Musicmatch Jukebox\PhilipsRemote.exe"
"MimBoot"=C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
"HPHUPD08"=C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
"MSConfig"=C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
"UserFaultCheck"=%systemroot%\system32\dumprep 0 -u
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\eMule\\em.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XI\\RpcSandraSrv.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XI\\Win32\\RpcDataSrv.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"C:\\Program Files\\Electronic Arts\\Medal of Honor Airborne\\UnrealEngine3\\Binaries\\MOHA.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"C:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
"C:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
"C:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13360:TCP"= 13360:TCP:BitComet 13360 TCP
"13360:UDP"= 13360:UDP:BitComet 13360 UDP
"13038:TCP"= 13038:TCP:BitComet 13038 TCP
"13038:UDP"= 13038:UDP:BitComet 13038 UDP

R2 PStrip;PStrip;C:\WINDOWS\system32\drivers\pstrip.sys [2006-09-30 04:35]
S3 ggflt;SEMC USB Flash Driver Filter;C:\WINDOWS\system32\DRIVERS\ggflt.sys [2008-03-30 01:00]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-07-29 C:\WINDOWS\Tasks\User_Feed_Synchronization-{743C1170-7DBC-43BA-A4D3-84FD6221DAC9}.job
- C:\WINDOWS\system32\msfeedssync.exe [2006-10-17 11:58]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-29 23:36:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-29 23:37:19
ComboFix-quarantined-files.txt 2008-07-30 04:37:14
ComboFix2.txt 2008-07-27 22:08:16
ComboFix3.txt 2008-07-27 20:46:36

Pre-Run: 24,489,930,752 bytes free
Post-Run: 24,527,433,728 bytes free

231
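The ComboFix listing above is where the helper picked out 1FAE532A1C.sys, ceaaeefdfa1_g.dll and eaedbaccbb0_r.dll: hidden+system attributes in system32, names that are bare runs of hex digits, and sizes of 56, 5 and 23 bytes, far too small to be a real driver or DLL. The Python below is an added example (not ComboFix code and not from the original post) that parses ComboFix's "Find3M" / "Files Created" lines and applies those three checks mechanically. The sample lines are copied from the log above; the assumed attribute-letter meanings (d = directory, h = hidden, s = system), the system32 prefix and the 64-byte DOS-header floor are the only assumptions.

```python
"""Triage helper for ComboFix "Find3M" / "Files Created" listings.

Added example for this thread; not part of ComboFix or of the original post.
Flags hidden+system files under system32, hex-only file names, and
"executables" too small to be a PE image. Sample lines are copied from the
ComboFix log posted above.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One listing line. "Files Created" prints "created . modified"; Find3M prints
# a single timestamp, so the second timestamp is optional.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})"
    r"(?: \. (?P<date2>\d{4}-\d{2}-\d{2}) (?P<time2>\d{2}:\d{2}))?"
    r"\s+(?P<size>[\d,]+|<DIR>|-+)"
    r"\s+(?P<attrs>[-dhsarw]+)"
    r"\s+(?P<path>\S.*?)\s*$"
)

SYSTEM_TREE = "c:\\windows\\system32\\"          # assumed system prefix
EXEC_EXT = (".sys", ".dll", ".exe", ".drv", ".ocx", ".cpl")
MIN_PE_SIZE = 64  # a PE image cannot be smaller than its DOS header


@dataclass
class Entry:
    path: str
    size: Optional[int]   # None for directories / "---------"
    attrs: str            # raw attribute token, e.g. "--sha-w" (assumed: h=hidden, s=system)
    is_dir: bool

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a listing line, or None for headers/blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size_tok, attrs = m.group("size"), m.group("attrs")
    size = int(size_tok.replace(",", "")) if size_tok[0].isdigit() else None
    return Entry(m.group("path"), size, attrs, size_tok == "<DIR>" or "d" in attrs)


def looks_random(name: str) -> bool:
    """True when the stem is only hex digits, optionally with an '_x' suffix
    (1FAE532A1C.sys, ceaaeefdfa1_g.dll)."""
    stem = re.sub(r"_[a-z]$", "", name.rsplit(".", 1)[0], flags=re.IGNORECASE)
    return len(stem) >= 8 and re.fullmatch(r"[0-9a-fA-F]+", stem) is not None


def reasons_for(e: Entry) -> List[str]:
    """Heuristic reasons to look harder at an entry (empty list = nothing)."""
    out: List[str] = []
    if e.is_dir:
        return out
    low = e.path.lower()
    in_system = low.startswith(SYSTEM_TREE)
    if in_system and "h" in e.attrs and "s" in e.attrs:
        out.append("hidden+system file under system32")
    if in_system and looks_random(e.name):
        out.append("name is a bare run of hex digits")
    if low.endswith(EXEC_EXT) and e.size is not None and e.size < MIN_PE_SIZE:
        out.append(f"{e.size} bytes: too small to be a PE image")
    return out


def triage(lines) -> List[Tuple[str, List[str]]]:
    """Parse every line; return [(path, reasons)] for flagged entries only."""
    flagged = []
    for line in lines:
        e = parse_line(line)
        if e is not None and (r := reasons_for(e)):
            flagged.append((e.path, r))
    return flagged


# Copied from the ComboFix log above (mixed Find3M / Files Created lines).
SAMPLE = r"""
2008-07-27 15:26 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-30 04:30 --------- d-----w C:\Documents and Settings\Justin\Application Data\AVG7
2008-07-29 20:14 70,460 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-10 03:40 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2005-09-03 21:50 56 --sha-r C:\WINDOWS\system32\1FAE532A1C.sys
2007-06-21 05:10 5 --sha-w C:\WINDOWS\system32\ceaaeefdfa1_g.dll
2007-06-21 05:18 23 --sha-w C:\WINDOWS\system32\eaedbaccbb0_r.dll
2005-09-03 21:50 2,516 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
""".splitlines()

if __name__ == "__main__":
    for path, why in triage(SAMPLE):
        print(path)
        for w in why:
            print("   -", w)
```

Hidden+system on its own is only a triage signal: the fidbox.* files under drivers and KGyGaAvL.sys trip the same rule, so the script's output is the list of files to submit to Jotti or VirusTotal, as the helper did, not a verdict. The three files the helper named are the only ones that trip all three rules.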

#28 blind_stone
Member, Topic Starter, 23 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:39:18 PM, on 7/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: HP Image Zone Fast Start.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {38F5F92F-BD40-40DF-A569-6C1FCB638190} (InSPECS3_0 Control) - http://www.powerleap.../InSPECS3_0.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PunkBuster (PnkBstrA) - Unknown owner - C:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI\RpcSandraSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6937 bytes
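A HijackThis log is a list of autostart and hook points, and a helper's first pass over it is mostly pattern matching: entries ending in (no file), O16 downloaded controls with no source URL, O23 services listed as Unknown owner, and anything launched from a user profile or temp directory. The Python below is an added example (not HijackThis code and not from the original post) that splits each entry into section, label and target and applies those four checks. All sample lines except the last, which is constructed to exercise the profile-path rule, are copied from the log above.

```python
"""Triage helper for HijackThis logs.

Added example for this thread; not part of HijackThis or of the original post.
Each "Oxx - ..." line is split into (section, label, target) and checked for
orphaned entries, URL-less O16 controls, Unknown-owner services and autostart
targets living in a user profile or temp directory.
"""
import re
from typing import Dict, List, Tuple

ENTRY_RE = re.compile(r"^(?P<sec>[ROF]\d{1,2}) - (?P<rest>.*)$")

# Sections whose target is a program path worth checking for location.
PATH_SECTIONS = {"O2", "O3", "O4", "O20", "O23"}
PROFILE_DIRS = ("c:\\documents and settings\\", "c:\\users\\")   # assumed
TEMP_HINT = "\\temp\\"


def split_entry(line: str) -> Tuple[str, str, str]:
    """Return (section, label, target) for one HijackThis line.

    The target is the text after the last ' - ' separator; for O4 it is the
    command after the [name] tag. An entry with nothing after the final
    separator (e.g. an O16 DPF with no URL) gets an empty target.
    """
    m = ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a HijackThis entry: {line!r}")
    sec, rest = m.group("sec"), m.group("rest")
    if sec == "O4" and "] " in rest:
        label, _, target = rest.partition("] ")
        return sec, label + "]", target.strip()
    if rest.endswith(" -"):
        return sec, rest[:-2].strip(), ""
    if " - " in rest:
        label, target = rest.rsplit(" - ", 1)
        return sec, label.strip(), target.strip()
    return sec, rest.strip(), ""


def reasons_for(sec: str, label: str, target: str) -> List[str]:
    """Heuristic reasons to question an entry (empty list = nothing)."""
    out: List[str] = []
    if target == "(no file)":
        out.append("orphaned entry: referenced file is missing")
    if sec == "O16" and target == "":
        out.append("downloaded control with no source URL")
    if sec == "O23" and "Unknown owner" in label:
        out.append("service with unknown owner: verify the binary")
    if sec in PATH_SECTIONS and target:
        low = target.lower()
        if low.startswith(PROFILE_DIRS) or TEMP_HINT in low:
            out.append("autostart target lives in a user profile / temp dir")
    return out


def triage(lines) -> Dict[str, List[str]]:
    """Map each flagged log line to its list of reasons."""
    flagged: Dict[str, List[str]] = {}
    for line in lines:
        if not ENTRY_RE.match(line.strip()):
            continue  # process list, headers, "End of file" line
        sec, label, target = split_entry(line)
        if reasons := reasons_for(sec, label, target):
            flagged[line.strip()] = reasons
    return flagged


# Lines copied from the HijackThis log above; the last one is constructed.
SAMPLE = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) -
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Justin\Local Settings\Temp\update.exe
""".splitlines()

if __name__ == "__main__":
    for entry, why in triage(SAMPLE).items():
        print(entry)
        for w in why:
            print("   -", w)
```

Everything it flags still needs a human decision. The two (no file) entries are leftovers that HijackThis can simply delete, while an Unknown owner service only means HijackThis found no company name in the binary's version information, so the path and hash are what to check. The log also lists rpcapd, WinPcap's remote packet capture service; it is legitimate, but it is a network service that only makes sense if remote capture is actually in use.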

#29 andrewuk
Trusted Helper, Malware Removal, 5,297 posts
Before we wrap up, I just want to check these files:

Jotti File Submission:

Please go to Jotti's malware scan
Copy and paste the following file path into the "File to upload & scan" box at the top of the page:
C:\WINDOWS\system32\avisynth.dll

Click on the submit button

Please also do the same with the following three files:
C:\WINDOWS\x2.64.exe
C:\WINDOWS\system32\x.264.exe
C:\WINDOWS\system32\devil.dll


Please post the results of the scan in your next reply.

If Jotti is busy, try the same at VirusTotal.

#30 blind_stone
Member, Topic Starter, 23 posts
File: devil.dll
Status: OK (Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: d27959321703b70120025a9356e89a7d
Packers detected: -

Scanner results
Scan taken on 30 Jul 2008 22:39:46 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing