Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Computer reacts slow [RESOLVED]

Started by linkendink , Jan 19 2008 04:29 AM

This topic is locked

#1
linkendink

Posted 19 January 2008 - 04:29 AM

Member

Member
11 posts

I recently cleaned out my computer, or I think I did, using the self-help guides. Even after doing so, my computer moves at a slow pace and my applications occasionally freeze up. I would appreciate any help. Thanks in advance

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:23:11 AM, on 1/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: {1c7c22b2-5d16-2c28-a0b4-78b5d90aa014} - {410aa09d-5b87-4b0a-82c2-61d52b22c7c1} - C:\WINDOWS\system32\jjplsdxe.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {848BCA29-D466-4EB2-89A5-78A5987B2E8A} - C:\WINDOWS\system32\awtsr.dll (file missing)
O2 - BHO: BndVeano4 BHO Class - {8E4881AC-49E2-4761-9542-7E40C73CFB96} - C:\Program Files\QdrDrive\QdrDrive9.dll (file missing)
O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - C:\WINDOWS\system32\nnnoooo.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu11.exe 61A847B5BBF72813338B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ifuo] C:\PROGRA~1\COMMON~1\ifuo\ifuom.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload....Plugin11USA.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1199836050531
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,26/mcgdmgr.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload....GPlugin9USA.cab
O20 - Winlogon Notify: nnnoooo - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 6280 bytes

#2
Stamper19

Posted 19 January 2008 - 08:57 AM

Expert

Expert
1,992 posts

Hi linkenlink,

Welcome to Geeks to Go!

My name is Stamper19 and I will be helping you with your Malware problem. During the course of our interactions please be sure to follow all instructions carefully, and ask questions if you are unsure of how to proceed at any point.

----------------------------------------------------------------

Please download Deckard's System Scanner (DSS) to your Desktop.

Close all applications and windows.
Double-click on DSS.exe to run it, and follow the prompts.
The scan may take a minute. When the scan is complete, two text files will open - Main.txt and Extra.txt

Extra Note: When running DSS, some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your Antivirus flags DSS as suspicious. Please allow the Deckard's System Scanner to run and don't let your Antivirus delete it. (In this case, it may be better to temporary disable your Antivirus)

Post the main.txt and extra.txt from the C:\Deckard\System Scanner folder into your next reply.

----------------------------------------------------------------

Information to include in your next post:

main.txt and extra.txt from DSS

#3
linkendink

Posted 19 January 2008 - 02:41 PM

Member

Topic Starter
Member
11 posts

Thanks for your time

Here are the scans, main and extra

Deckard's System Scanner v20071014.68
Run by Henry on 2008-01-19 12:36:09
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
9: 2008-01-19 20:36:14 UTC - RP220 - Deckard's System Scanner Restore Point
8: 2008-01-19 10:20:40 UTC - RP219 - Removed Steam
7: 2008-01-19 09:45:15 UTC - RP218 - Removed Bonjour
6: 2008-01-18 06:55:23 UTC - RP217 - Installed Java™ 6 Update 3
5: 2008-01-18 06:50:49 UTC - RP216 - Removed Java™ 6 Update 3

-- First Restore Point --
1: 2008-01-08 23:41:37 UTC - RP212 - GTG

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Henry.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:37:03 PM, on 1/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Henry\Desktop\downloads\dss.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Henry.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: {1c7c22b2-5d16-2c28-a0b4-78b5d90aa014} - {410aa09d-5b87-4b0a-82c2-61d52b22c7c1} - C:\WINDOWS\system32\jjplsdxe.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {848BCA29-D466-4EB2-89A5-78A5987B2E8A} - C:\WINDOWS\system32\awtsr.dll (file missing)
O2 - BHO: BndVeano4 BHO Class - {8E4881AC-49E2-4761-9542-7E40C73CFB96} - C:\Program Files\QdrDrive\QdrDrive9.dll (file missing)
O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - C:\WINDOWS\system32\nnnoooo.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu11.exe 61A847B5BBF72813338B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ifuo] C:\PROGRA~1\COMMON~1\ifuo\ifuom.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload....Plugin11USA.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1199836050531
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,26/mcgdmgr.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload....GPlugin9USA.cab
O20 - Winlogon Notify: nnnoooo - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 6523 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Vax347b - c:\windows\system32\drivers\vax347b.sys
R0 Vax347s - c:\windows\system32\drivers\vax347s.sys
R2 npkcrypt - c:\program files\wizet\maplestory\npkcrypt.sys <Not Verified; INCA Internet Co., Ltd.; nProtect KeyCrypt Driver>

S3 hamachi (Hamachi Network Interface) - c:\windows\system32\drivers\hamachi.sys <Not Verified; Applied Networking Inc.; Hamachi Virtual Network Interface Driver>
S3 XTrapD12 - c:\windows\system32\xtrapd12.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>

-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Hamachi Network Interface
Device ID: ROOT\NET\0000
Manufacturer: Applied Networking Inc.
Name: Hamachi Network Interface
PNP Device ID: ROOT\NET\0000
Service: hamachi

-- Files created between 2007-12-19 and 2008-01-19 -----------------------------

2008-01-19 01:49:53 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-01-17 22:55:50 0 d-------- C:\Program Files\Common Files\Java
2008-01-17 20:09:44 0 d-------- C:\Program Files\iPod
2008-01-17 20:09:35 0 d-------- C:\Program Files\iTunes
2008-01-17 20:07:18 0 d-------- C:\Program Files\QuickTime
2008-01-17 20:06:58 0 d-------- C:\Program Files\Apple Software Update
2008-01-17 20:06:47 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-01-17 20:06:30 0 d-------- C:\Program Files\Common Files\Apple
2008-01-17 20:06:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-01-08 21:39:38 0 d-------- C:\Program Files\Java
2008-01-08 16:10:54 0 d-------- C:\Documents and Settings\Henry\Application Data\acccore
2008-01-08 16:08:57 0 d-------- C:\Program Files\AIM6
2008-01-08 15:48:44 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-01-08 15:37:56 0 d-------- C:\VundoFix Backups
2008-01-08 15:27:38 0 d-------- C:\Program Files\Trend Micro
2007-12-30 21:23:30 0 d-------- C:\Program Files\Temporary
2007-12-30 21:09:01 91492 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-12-30 21:09:01 85860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-12-30 21:04:49 0 d-------- C:\Program Files\Kaspersky Lab
2007-12-30 21:04:49 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-30 21:04:32 66592 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-30 21:04:32 2686240 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-30 21:01:20 0 d-------- C:\KAV
2007-12-30 16:46:01 0 d-------- C:\Program Files\Common Files\ifuo
2007-12-30 16:46:00 127578 --a------ C:\WINDOWS\system32\tsuninst.exe
2007-12-29 22:20:31 0 d-------- C:\Nexon
2007-12-29 15:37:15 687592 --a------ C:\WINDOWS\system32\atmtd.dll
2007-12-29 15:37:08 0 d-------- C:\Documents and Settings\LocalService\Application Data\NetMon
2007-12-29 15:37:02 1989 --a------ C:\WINDOWS\uninstall_nmon.vbs
2007-12-29 15:37:01 0 d--hs---- C:\WINDOWS\SGVucnkgUGhhbQ
2007-12-29 15:26:39 0 d-------- C:\WINDOWS\s?mbols
2007-12-29 02:32:52 2 --a------ C:\WINDOWS\system32\wapiicomsv32.exe
2007-12-29 02:32:44 0 d-------- C:\WINDOWS\W?nSxS

-- Find3M Report ---------------------------------------------------------------

2008-01-19 12:35:28 0 d-------- C:\Documents and Settings\Henry\Application Data\SiteAdvisor
2008-01-17 22:55:50 0 d-------- C:\Program Files\Common Files
2008-01-08 21:40:53 5505 --a----c- C:\WINDOWS\mozver.dat
2008-01-08 16:17:44 0 d-------- C:\Program Files\World Of Warcraft
2008-01-08 16:09:17 0 d-------- C:\Program Files\Common Files\AOL
2008-01-02 12:45:05 65536 --a------ C:\WINDOWS\IFinst27.exe
2007-12-30 21:20:30 0 d-------- C:\Program Files\Messenger
2007-12-28 16:54:47 0 d-------- C:\Program Files\DivX
2007-12-24 13:49:46 0 d-------- C:\Documents and Settings\Henry\Application Data\Skype

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{410aa09d-5b87-4b0a-82c2-61d52b22c7c1}]
C:\WINDOWS\system32\jjplsdxe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{848BCA29-D466-4EB2-89A5-78A5987B2E8A}]
C:\WINDOWS\system32\awtsr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E4881AC-49E2-4761-9542-7E40C73CFB96}]
C:\Program Files\QdrDrive\QdrDrive9.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA4F0D8D-5F2B-4F16-838A-8D52249EAB21}]
C:\WINDOWS\system32\nnnoooo.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [08/03/2006 04:12 AM C:\WINDOWS\soundman.exe]
"runner1"="C:\WINDOWS\mrofinu11.exe" []
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [06/28/2007 12:51 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [01/10/2008 03:27 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [01/15/2008 03:22 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"@"="" []
"ifuo"="C:\PROGRA~1\COMMON~1\ifuo\ifuom.exe" []
"Aim6"="C:\Program Files\AIM6\aim6.exe" [12/18/2007 11:04 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{CA4F0D8D-5F2B-4F16-838A-8D52249EAB21}"= C:\WINDOWS\system32\nnnoooo.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnoooo]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\awtsr

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
C:\Program Files\Steam\Steam.exe -silent

-- End of Deckard's System Scanner: finished at 2008-01-19 12:38:18 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ 64 Processor 3000+
Percentage of Memory in Use: 39%
Physical Memory (total/avail): 1023.23 MiB / 623.49 MiB
Pagefile Memory (total/avail): 2460.22 MiB / 2147.9 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1938.98 MiB

C: is Fixed (NTFS) - 76.68 GiB total, 41.94 GiB free.
D: is CDROM (UDF)
E: is CDROM (CDFS)
F: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - HDS728080PLAT20 - 76.69 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 76.68 GiB - C:

-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is disabled.

AV: Kaspersky Anti-Virus v7.0.0.125 (Kaspersky Lab)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1132975840\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1132975840\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1132975840\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1132975840\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"="C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe:*:Enabled:Battlefield 2"
"C:\\Program Files\\Softnyx\\Rakion\\Bin\\Rakion.bin"="C:\\Program Files\\Softnyx\\Rakion\\Bin\\Rakion.bin:*:Enabled:Rakion"
"C:\\Program Files\\Steam\\SteamApps\\linkendink\\counter-strike\\hl.exe"="C:\\Program Files\\Steam\\SteamApps\\linkendink\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\Wizet\\MapleStory\\Patcher.exe"="C:\\Program Files\\Wizet\\MapleStory\\Patcher.exe:*:Enabled:Patcher MFC ?? ????"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Starcraft\\StarCraft.exe"="C:\\Program Files\\Starcraft\\StarCraft.exe:*:Enabled:Starcraft"
"C:\\Program Files\\Wizet\\MapleStorysea\\Patcher.exe"="C:\\Program Files\\Wizet\\MapleStorysea\\Patcher.exe:*:Enabled:Patcher MFC ?? ????"
"C:\\Program Files\\Warcraft III\\Frozen Throne.exe"="C:\\Program Files\\Warcraft III\\Frozen Throne.exe:*:Enabled:Warcraft III - The Frozen Throne"
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"="C:\\Program Files\\Warcraft III\\Warcraft III.exe:*:Enabled:Warcraft III"
"C:\\Program Files\\Steam\\SteamApps\\hughuy\\condition zero\\hl.exe"="C:\\Program Files\\Steam\\SteamApps\\hughuy\\condition zero\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\MAIET\\Gunz\\GunzLauncher.exe"="C:\\Program Files\\MAIET\\Gunz\\GunzLauncher.exe:*:Enabled:GunzLauncher"
"C:\\Program Files\\Softnyx\\GunboundWC\\GunBound.gme"="C:\\Program Files\\Softnyx\\GunboundWC\\GunBound.gme:*:Enabled:GunBound"
"C:\\Documents and Settings\\Henry\\Desktop\\Games\\downloads\\AhnQiraj_English-downloader.exe"="C:\\Documents and Settings\\Henry\\Desktop\\Games\\downloads\\AhnQiraj_English-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Documents and Settings\\Henry\\Desktop\\Games\\downloads\\Nefarian_EG-downloader.exe"="C:\\Documents and Settings\\Henry\\Desktop\\Games\\downloads\\Nefarian_EG-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Documents and Settings\\Henry\\Desktop\\Games\\downloads\\WOW_Rouge-downloader.exe"="C:\\Documents and Settings\\Henry\\Desktop\\Games\\downloads\\WOW_Rouge-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\MAIET\\Gunz\\Gunz.exe"="C:\\Program Files\\MAIET\\Gunz\\Gunz.exe:*:Enabled:Gunz"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"C:\\Program Files\\ENGLISH\\Gunbound Revolution\\GunBound.gme"="C:\\Program Files\\ENGLISH\\Gunbound Revolution\\GunBound.gme:*:Enabled:GunBound"
"C:\\Program Files\\Wizet\\MapleStory\\NewPatcher.exe"="C:\\Program Files\\Wizet\\MapleStory\\NewPatcher.exe:*:Enabled:Patcher MFC ?? ????"
"C:\\Program Files\\Xfire\\Xfire.exe"="C:\\Program Files\\Xfire\\Xfire.exe:*:Enabled:Xfire"
"C:\\Program Files\\Wizet\\MapleStory\\MapleStory.exe"="C:\\Program Files\\Wizet\\MapleStory\\MapleStory.exe:*:Enabled:MapleStory"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"="C:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe:*:Enabled:Battlefield 2"
"C:\\Program Files\\Common Files\\AOL\\1161469634\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1161469634\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1161469634\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1161469634\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\World Of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"="C:\\Program Files\\World Of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World Of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"="C:\\Program Files\\World Of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Henry\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=HENRY-3000
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Henry
LOGONSERVER=\\HENRY-3000
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Mozilla Firefox\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI.ACE\;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 47 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2f02
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Henry\LOCALS~1\Temp
TMP=C:\DOCUME~1\Henry\LOCALS~1\Temp
USERDOMAIN=HENRY-3000
USERNAME=Henry
USERPROFILE=C:\Documents and Settings\Henry
windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------

Henry (admin)

-- Add/Remove Programs ---------------------------------------------------------

--> MsiExec.exe /X{E9F81423-211E-46B6-9AE0-38568BC5CF6F}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
(Main Game) Lightside - Legend Ragnarok Online --> "C:\Program Files\Lightside - Legend Ragnarok\uninstall.exe"
Ad-Aware 2007 --> MsiExec.exe /X{0E6AB9FC-76C2-431B-9C06-6C1CFFFEA8EB}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe® Photoshop® Album Mini 3.0 --> MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
AIM 6 --> C:\Program Files\AIM6\uninst.exe
Apple Mobile Device Support --> MsiExec.exe /I{D8AB8F0C-CEEB-4A29-8EF5-219B064813F4}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Athlon 64 Processor Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C151CE54-E7EA-4804-854B-F515368B0798}\setup.exe" -l0x9
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center --> MsiExec.exe /I{7989FC0E-85EC-4C8D-AD5C-3FD1398261A7}
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Azureus --> C:\Program Files\Azureus\Uninstall.exe
Battlefield 2™ --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{04858915-9F49-4B2A-AED4-DC49A7DE6A7B}\setup.exe" -l0x9 -removeonly
Battlefield 2: Special Forces --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{50D4CB89-AF34-4978-96DC-C3034062E901}\setup.exe" -l0x9 -removeonly
Battlefield 2142 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ED50ECE9-EC54-4C05-B5ED-EE4741A9F2EC}\setup.exe" -l0x9 -removeonly
Command --> wscript "C:\WINDOWS\SGVucnkgUGhhbQ\m3pRwB40o311vk.vbs"
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
EA Download Manager --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{EF7E931D-DC84-471B-8DB6-A83358095474} /l1033
Fraps (remove only) --> "C:\Program Files\Fraps\uninstall.exe"
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Hamachi 0.9.9.9 --> C:\Program Files\Hamachi\uninstall.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
ijji - Gunz --> C:\ijji\ENGLISH\Gunz\Uninstall.exe
iTunes --> MsiExec.exe /I{B85C4D19-6CEB-48CF-BD98-C887AC8C6F94}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Kaspersky Anti-Virus 7.0 --> MsiExec.exe /I{4B9BB601-13E9-4042-A3BC-E7955BF4A98F}
Kaspersky Anti-Virus 7.0 --> MsiExec.exe /I{4B9BB601-13E9-4042-A3BC-E7955BF4A98F}
Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
MapleStory --> MsiExec.exe /I{B68AD370-00ED-43F1-813C-F903F761D06B}
MapleStory --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1E1A2759-42C4-4629-B535-11BDA56C190D}\Setup.exe"
MapleStory --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DEC511B1-59CB-4F15-AD75-0543034572A5}\Setup.exe"
Mozilla Firefox (2.0.0.11) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Network Monitor --> wscript "C:\WINDOWS\uninstall_nmon.vbs"
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
QuickTime --> MsiExec.exe /I{6EC874C2-F950-4B7E-A5B7-B1066D6B74AA}
Ragnarok Online --> "C:\WINDOWS\IFinst27.exe" -UC:\Program Files\Gravity\RO\IFUF8.inf
Ragnarok Sakray --> "C:\WINDOWS\IFinst27.exe" -UC:\Program Files\Gravity\RO\IFU100.inf
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x9 -removeonly
Skype 2.5 --> "C:\Program Files\Skype\Phone\unins000.exe"
Softnyx Launcher --> "C:\Program Files\Softnyx\Launcher\unins000.exe"
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Starcraft --> C:\WINDOWS\SCunin.exe C:\WINDOWS\SCunin.dat
Station LaunchPad --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D7447B32-518C-442F-A8E4-DCF12D8A6D75}\Setup.exe" -l0x9
ULi LAN Driver --> C:\WINDOWS\System32\UnLAN.EXE RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{143BE018-D8F8-4014-8CB6-AF63F5799D21}\Setup.exe" -uninst
Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
VeohTV BETA --> C:\Program Files\InstallShield Installation Information\{C35BF80A-6284-485E-AE18-023AA8C43185}\setup.exe -runfromtemp -l0x0409
Warcraft III: All Products --> C:\WINDOWS\War3Unin.exe C:\WINDOWS\War3Unin.dat
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
World of Warcraft --> C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe
XviD 1.1 final uninstall --> "C:\Program Files\XviD\unins000.exe"

-- Application Event Log -------------------------------------------------------

Event Record #/Type3443 / Error
Event Submitted/Written: 01/19/2008 02:19:41 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application set10ec.tmp, version 10.1.0.244, faulting module , version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [set10ec.tmp!ws!]

Event Record #/Type3334 / Error
Event Submitted/Written: 12/29/2007 03:40:51 PM
Event ID/Source: 1015 / Winlogon
Event Description:
A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code 00000000. The machine
must now be restarted.

Event Record #/Type3322 / Error
Event Submitted/Written: 12/29/2007 02:34:53 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application aim6.exe, version 1.4.9.1, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type3316 / Error
Event Submitted/Written: 12/28/2007 00:52:14 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.8.20071.12718, faulting module npdivx32.dll, version 1.3.1.10, fault address 0x00062d78.
Processing media-specific event for [firefox.exe!ws!]

Event Record #/Type3315 / Error
Event Submitted/Written: 12/28/2007 00:51:31 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.8.20071.12718, faulting module npdivx32.dll, version 1.3.1.10, fault address 0x00062d78.
Processing media-specific event for [firefox.exe!ws!]

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type18390 / Warning
Event Submitted/Written: 01/18/2008 10:51:12 PM
Event ID/Source: 8021 / BROWSER
Event Description:
The browser was unable to retrieve a list of servers from the browser master \\T42-AUN5FX0M23I on the network \Device\NetBT_Tcpip_{5B8FD6CD-54D8-42DB-8BE6-71C1E4FCA374}.
The data is the error code.

Event Record #/Type18389 / Warning
Event Submitted/Written: 01/18/2008 09:13:29 PM
Event ID/Source: 8021 / BROWSER
Event Description:
The browser was unable to retrieve a list of servers from the browser master \\T42-AUN5FX0M23I on the network \Device\NetBT_Tcpip_{5B8FD6CD-54D8-42DB-8BE6-71C1E4FCA374}.
The data is the error code.

Event Record #/Type18274 / Warning
Event Submitted/Written: 01/08/2008 04:15:31 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type18257 / Error
Event Submitted/Written: 01/08/2008 04:03:29 PM
Event ID/Source: 15 / Cdrom
Event Description:
The device, \Device\CdRom2, is not ready for access yet.

Event Record #/Type18256 / Error
Event Submitted/Written: 01/08/2008 04:03:29 PM
Event ID/Source: 15 / Cdrom
Event Description:
The device, \Device\CdRom1, is not ready for access yet.

-- End of Deckard's System Scanner: finished at 2008-01-19 12:38:18 ------------

#4
Stamper19

Posted 19 January 2008 - 03:45 PM

Expert

Expert
1,992 posts

Hi linkenlink,

Happy to help out.

I see that you are running, or have previously installed, Azureus. Although this application is not malware itself, the files downloaded with it are often a major source of infection. Hence, I strongly advise that it be removed. If you choose to do so, go to the Add/Remove Programs option in the Control Panel, and Uninstall Azureus.

----------------------------------------------------------------

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

----------------------------------------------------------------

Information to include in your next post:

ComboFix Log

#5
linkendink

Posted 19 January 2008 - 04:27 PM

Member

Topic Starter
Member
11 posts

Here's the combofix log and hijackthis

ComboFix 08-01-20.1 - Henry 2008-01-19 14:02:12.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.261 [GMT -8:00]
Running from: C:\Documents and Settings\Henry\Desktop\downloads\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Program Files\Temporary
C:\WINDOWS\smbols~1
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\tsuninst.exe
C:\WINDOWS\system32\wapiicomsv32.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\wnsxs~1

----- Unknown downloads made by BITS: ----
http://80.93.48.74
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR

((((((((((((((((((((((((( Files Created from 2007-12-20 to 2008-01-20 )))))))))))))))))))))))))))))))
.

2008-01-19 13:59 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-19 12:35 . 2008-01-19 12:35 <DIR> d-------- C:\Deckard
2008-01-19 01:50 . 2008-01-19 01:50 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-19 01:50 . 2008-01-19 01:50 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-19 01:50 . 2008-01-19 01:50 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-19 01:49 . 2008-01-19 02:03 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-17 23:03 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-17 22:55 . 2008-01-17 22:55 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-17 20:10 . 2008-01-20 14:14 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-17 20:10 . 2008-01-17 20:10 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-17 20:09 . 2008-01-19 02:04 <DIR> d-------- C:\Program Files\iTunes
2008-01-17 20:09 . 2008-01-17 20:09 <DIR> d-------- C:\Program Files\iPod
2008-01-17 20:07 . 2008-01-17 20:07 <DIR> d-------- C:\Program Files\QuickTime
2008-01-17 20:06 . 2008-01-17 20:06 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-01-17 20:06 . 2008-01-17 20:06 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-01-17 20:06 . 2008-01-17 20:06 <DIR> d-------- C:\Program Files\Apple Software Update
2008-01-17 20:06 . 2008-01-17 20:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-01-08 21:39 . 2008-01-17 23:03 <DIR> d-------- C:\Program Files\Java
2008-01-08 16:10 . 2008-01-08 16:10 <DIR> d-------- C:\Documents and Settings\Henry\Application Data\acccore
2008-01-08 16:08 . 2008-01-08 16:10 <DIR> d-------- C:\Program Files\AIM6
2008-01-08 15:48 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-01-08 15:48 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-01-08 15:48 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-01-08 15:48 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-01-08 15:37 . 2008-01-18 21:55 <DIR> d-------- C:\VundoFix Backups
2008-01-08 15:27 . 2008-01-08 15:27 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-30 21:09 . 2007-12-30 21:24 91,492 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-12-30 21:09 . 2007-12-30 21:24 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-12-30 21:04 . 2007-12-30 21:04 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-12-30 21:04 . 2008-01-19 12:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-30 21:04 . 2008-01-20 14:12 2,784,800 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-30 21:04 . 2008-01-20 14:12 70,944 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-30 21:04 . 2008-01-20 14:12 38,324 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-30 21:04 . 2008-01-20 14:12 7,700 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-30 21:01 . 2007-12-30 21:01 <DIR> d-------- C:\KAV
2007-12-30 16:46 . 2007-12-30 19:34 <DIR> d-------- C:\Program Files\Common Files\ifuo
2007-12-29 22:20 . 2007-12-29 22:20 <DIR> d-------- C:\Nexon
2007-12-29 16:19 . 2007-12-29 16:19 7,168 --ahs---- C:\WINDOWS\Thumbs.db
2007-12-29 16:19 . 2008-01-08 15:34 5,120 --ahs---- C:\WINDOWS\system32\Thumbs.db
2007-12-29 15:37 . 2007-12-30 21:20 <DIR> d--hs---- C:\WINDOWS\SGVucnkgUGhhbQ

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-19 22:00 --------- d-----w C:\Documents and Settings\Henry\Application Data\SiteAdvisor
2008-01-19 21:56 --------- d-----w C:\Program Files\Azureus
2008-01-19 10:39 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-01-19 10:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-18 04:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-09 00:17 --------- d-----w C:\Program Files\World Of Warcraft
2008-01-09 00:09 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-02 20:45 65,536 ----a-w C:\WINDOWS\IFinst27.exe
2007-12-30 22:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-12-29 00:54 --------- d-----w C:\Program Files\DivX
2007-12-24 21:49 --------- d-----w C:\Documents and Settings\Henry\Application Data\Skype
2007-12-15 05:56 4,346,084 ----a-w C:\Documents and Settings\Henry\WoW-2.3.0.7561-to-0.3.2.7627-enUS-patch.exe
2007-09-29 22:19 7,239,043 ----a-w C:\Documents and Settings\Henry\WoW-2.2.0.7272-to-0.2.2.7304-enUS-patch.exe
2006-12-23 05:35 0 ----a-w C:\Documents and Settings\Henry\WoW-2.0.1.6180-to-0.0.3.6244-enUS-patch.exe
2005-07-30 00:24 472 --sha-r C:\WINDOWS\SGVucnkgUGhhbQ\m3pRwB40o311vk.vbs
.

<pre>
----a-w			57,344 2007-12-31 05:20:41  C:\Program Files\Adobe\Photoshop Album Mini\3.0\Apps\apdproxy .exe
----a-w			90,112 2007-12-31 05:20:43  C:\Program Files\ATI Technologies\ATI.ACE\CLIStart .exe
----a-w			81,920 2007-12-31 05:20:41  C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
----a-w		   221,184 2007-12-31 05:20:41  C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w		 1,694,208 2007-12-31 05:20:48  C:\Program Files\Messenger\msmsgs .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{410aa09d-5b87-4b0a-82c2-61d52b22c7c1}]
C:\WINDOWS\system32\jjplsdxe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{848BCA29-D466-4EB2-89A5-78A5987B2E8A}]
C:\WINDOWS\system32\awtsr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E4881AC-49E2-4761-9542-7E40C73CFB96}]
C:\Program Files\QdrDrive\QdrDrive9.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"ifuo"="C:\PROGRA~1\COMMON~1\ifuo\ifuom.exe" [ ]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-12-18 11:04 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-08-03 04:12 577536 C:\WINDOWS\soundman.exe]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51 218376]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-03 23:56 53760 C:\WINDOWS\system32\narrator.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnoooo]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a------ 2006-01-02 16:41 45056 C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
C:\Program Files\Steam\Steam.exe

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
R3 ULI5261XP;ULi M526X Ethernet NT Driver;C:\WINDOWS\system32\DRIVERS\ULILAN51.SYS [2005-03-22 20:36]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-20 14:14:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-20 14:21:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-20 22:21:00

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:25:55 PM, on 1/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: {1c7c22b2-5d16-2c28-a0b4-78b5d90aa014} - {410aa09d-5b87-4b0a-82c2-61d52b22c7c1} - C:\WINDOWS\system32\jjplsdxe.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {848BCA29-D466-4EB2-89A5-78A5987B2E8A} - C:\WINDOWS\system32\awtsr.dll (file missing)
O2 - BHO: BndVeano4 BHO Class - {8E4881AC-49E2-4761-9542-7E40C73CFB96} - C:\Program Files\QdrDrive\QdrDrive9.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ifuo] C:\PROGRA~1\COMMON~1\ifuo\ifuom.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload....Plugin11USA.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1199836050531
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,26/mcgdmgr.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload....GPlugin9USA.cab
O20 - Winlogon Notify: nnnoooo - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 5813 bytes

#6
Stamper19

Posted 20 January 2008 - 07:13 AM

Expert

Expert
1,992 posts

Hi linkenlink,

You have a new and rather nasty variant of the virtumonde infection. Please do not restart your computer until I give you the green light to do so, as rebooting actually spreads the infections.

----------------------------------------------------------------

We are going to use ComboFix to delete some things.

Copy the entire contents of the Code Box below to Notepad.
Name the file as CFScript.txt
Change the Save as Type to All Files
and Save it on the desktop

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{410aa09d-5b87-4b0a-82c2-61d52b22c7c1}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{848BCA29-D466-4EB2-89A5-78A5987B2E8A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E4881AC-49E2-4761-9542-7E40C73CFB96}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnoooo]

RenV::
<pre>
----a-w 57,344 2007-12-31 05:20:41 C:\Program Files\Adobe\Photoshop Album Mini\3.0\Apps\apdproxy .exe
----a-w 90,112 2007-12-31 05:20:43 C:\Program Files\ATI Technologies\ATI.ACE\CLIStart .exe
----a-w 81,920 2007-12-31 05:20:41 C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
----a-w 221,184 2007-12-31 05:20:41 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 1,694,208 2007-12-31 05:20:48 C:\Program Files\Messenger\msmsgs .exe
</pre>

Once saved, refering to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

----------------------------------------------------------------

Information to include in your next post:

ComboFix Log
Fresh Hijack This Log

#7
linkendink

Posted 20 January 2008 - 01:34 PM

Member

Topic Starter
Member
11 posts

Here are the logs you requested

ComboFix 08-01-20.1 - Henry 2008-01-21 11:23:37.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.608 [GMT -8:00]
Running from: C:\Documents and Settings\Henry\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Henry\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2007-12-21 to 2008-01-21 )))))))))))))))))))))))))))))))
.

2008-01-19 13:59 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-19 12:35 . 2008-01-19 12:35 <DIR> d-------- C:\Deckard
2008-01-19 01:50 . 2008-01-19 01:50 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-19 01:50 . 2008-01-19 01:50 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-19 01:50 . 2008-01-19 01:50 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-19 01:49 . 2008-01-19 02:03 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-17 23:03 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-17 22:55 . 2008-01-17 22:55 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-17 20:10 . 2008-01-21 10:58 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-17 20:10 . 2008-01-17 20:10 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-17 20:09 . 2008-01-19 02:04 <DIR> d-------- C:\Program Files\iTunes
2008-01-17 20:09 . 2008-01-17 20:09 <DIR> d-------- C:\Program Files\iPod
2008-01-17 20:07 . 2008-01-17 20:07 <DIR> d-------- C:\Program Files\QuickTime
2008-01-17 20:06 . 2008-01-17 20:06 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-01-17 20:06 . 2008-01-17 20:06 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-01-17 20:06 . 2008-01-17 20:06 <DIR> d-------- C:\Program Files\Apple Software Update
2008-01-17 20:06 . 2008-01-17 20:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-01-08 21:39 . 2008-01-17 23:03 <DIR> d-------- C:\Program Files\Java
2008-01-08 16:10 . 2008-01-08 16:10 <DIR> d-------- C:\Documents and Settings\Henry\Application Data\acccore
2008-01-08 16:08 . 2008-01-08 16:10 <DIR> d-------- C:\Program Files\AIM6
2008-01-08 15:48 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-01-08 15:48 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-01-08 15:48 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-01-08 15:48 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-01-08 15:37 . 2008-01-18 21:55 <DIR> d-------- C:\VundoFix Backups
2008-01-08 15:27 . 2008-01-08 15:27 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-30 21:09 . 2007-12-30 21:24 91,492 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-12-30 21:09 . 2007-12-30 21:24 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-12-30 21:04 . 2007-12-30 21:04 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-12-30 21:04 . 2008-01-21 10:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-30 21:04 . 2008-01-21 11:31 2,946,080 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-30 21:04 . 2008-01-21 11:31 76,320 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-30 21:04 . 2008-01-21 03:44 39,668 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-30 21:04 . 2008-01-21 03:44 8,012 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-30 21:01 . 2007-12-30 21:01 <DIR> d-------- C:\KAV
2007-12-30 16:46 . 2007-12-30 19:34 <DIR> d-------- C:\Program Files\Common Files\ifuo
2007-12-29 22:20 . 2007-12-29 22:20 <DIR> d-------- C:\Nexon
2007-12-29 16:19 . 2007-12-29 16:19 7,168 --ahs---- C:\WINDOWS\Thumbs.db
2007-12-29 16:19 . 2008-01-08 15:34 5,120 --ahs---- C:\WINDOWS\system32\Thumbs.db
2007-12-29 15:37 . 2007-12-30 21:20 <DIR> d--hs---- C:\WINDOWS\SGVucnkgUGhhbQ

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-21 09:27 --------- d-----w C:\Documents and Settings\Henry\Application Data\SiteAdvisor
2008-01-21 08:02 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-01-21 08:01 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-01-19 21:56 --------- d-----w C:\Program Files\Azureus
2008-01-19 10:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-18 04:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-09 00:17 --------- d-----w C:\Program Files\World Of Warcraft
2008-01-09 00:09 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-02 20:45 65,536 ----a-w C:\WINDOWS\IFinst27.exe
2007-12-30 22:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-12-29 00:54 --------- d-----w C:\Program Files\DivX
2007-12-24 21:49 --------- d-----w C:\Documents and Settings\Henry\Application Data\Skype
2007-12-15 05:56 4,346,084 ----a-w C:\Documents and Settings\Henry\WoW-2.3.0.7561-to-0.3.2.7627-enUS-patch.exe
2007-11-29 22:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-11-04 02:27 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-09-29 22:19 7,239,043 ----a-w C:\Documents and Settings\Henry\WoW-2.2.0.7272-to-0.2.2.7304-enUS-patch.exe
2006-12-23 05:35 0 ----a-w C:\Documents and Settings\Henry\WoW-2.0.1.6180-to-0.0.3.6244-enUS-patch.exe
2005-07-30 00:24 472 --sha-r C:\WINDOWS\SGVucnkgUGhhbQ\m3pRwB40o311vk.vbs
.

((((((((((((((((((((((((((((( snapshot@2008-01-20_14.20.30.84 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-19 22:01:04 1,409,024 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-21 19:22:39 1,409,024 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-19 22:01:05 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-21 19:22:39 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-19 22:01:05 1,409,024 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-21 19:22:39 1,409,024 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-19 22:01:05 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-21 19:22:39 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-19 22:01:05 4,706,304 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-21 19:22:39 4,706,304 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-19 22:01:05 172,032 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-21 19:22:39 172,032 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
- 2008-01-19 20:35:53 58,800 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-01-21 19:01:28 58,800 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-01-19 20:35:54 392,626 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-01-21 19:01:28 392,626 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"ifuo"="C:\PROGRA~1\COMMON~1\ifuo\ifuom.exe" [ ]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-12-18 11:04 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-08-03 04:12 577536 C:\WINDOWS\soundman.exe]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51 218376]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-03 23:56 53760 C:\WINDOWS\system32\narrator.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a------ 2006-01-02 16:41 45056 C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
C:\Program Files\Steam\Steam.exe

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
R3 ULI5261XP;ULi M526X Ethernet NT Driver;C:\WINDOWS\system32\DRIVERS\ULILAN51.SYS [2005-03-22 20:36]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-21 11:31:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-21 11:32:51
ComboFix-quarantined-files.txt 2008-01-21 19:32:34
ComboFix2.txt 2008-01-20 22:21:05

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:33:42 AM, on 1/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\AIM6\aolsoftware.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ifuo] C:\PROGRA~1\COMMON~1\ifuo\ifuom.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload....Plugin11USA.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1199836050531
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,26/mcgdmgr.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload....GPlugin9USA.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 5422 bytes

#8
Stamper19

Posted 20 January 2008 - 03:11 PM

Expert

Expert
1,992 posts

Hi linkenlink,

Getting there

Lets see whats left.

----------------------------------------------------------------

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
- Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

----------------------------------------------------------------

Information to include in your next post:

Kapersky Scan Log
Fresh Hijack This Log

#9
linkendink

Posted 23 January 2008 - 12:48 AM

Member

Topic Starter
Member
11 posts

There wasn't a "save as text" option, but there was a "save report as" so I just stuck with that. The scan took a very long time. Here are the logs requested, not sure if I did the Kaspersky one correctly. I copied it from the "save report as" by copy and pasting it from the file.

C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\0188_File_Monitoring_eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\018a_Web_Monitoring_eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\018c_pdm_eventcritlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\018c_pdm_eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\018c_pdm_eventlog_reg.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\018f_Updater_eventcritlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\018f_Updater_eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\detected.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\detected.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\report.rpt Object is locked skipped
C:\Documents and Settings\Henry\Application Data\acccore\nss\cert8.db Object is locked skipped
C:\Documents and Settings\Henry\Application Data\acccore\nss\key3.db Object is locked skipped
C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\tzz24cp4.default\cert8.db Object is locked skipped
C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\tzz24cp4.default\history.dat Object is locked skipped
C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\tzz24cp4.default\key3.db Object is locked skipped
C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\tzz24cp4.default\parent.lock Object is locked skipped
C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\tzz24cp4.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\tzz24cp4.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Henry\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Henry\Local Settings\Application Data\AOL OCP\AIM\Storage\All Users\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\Henry\Local Settings\Application Data\AOL OCP\AIM\Storage\data\linkendink\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\Henry\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Henry\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Henry\Local Settings\Application Data\Mozilla\Firefox\Profiles\tzz24cp4.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Henry\Local Settings\Application Data\Mozilla\Firefox\Profiles\tzz24cp4.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Henry\Local Settings\Application Data\Mozilla\Firefox\Profiles\tzz24cp4.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Henry\Local Settings\Application Data\Mozilla\Firefox\Profiles\tzz24cp4.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Henry\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Henry\Local Settings\History\History.IE5\MSHist012008012320080124\index.dat Object is locked skipped
C:\Documents and Settings\Henry\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Henry\ntuser.dat Object is locked skipped
C:\Documents and Settings\Henry\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\starwind.2008-01-23.18-48-42.log Object is locked skipped
C:\Program Files\World Of Warcraft\Logs\gx.log Object is locked skipped
C:\Program Files\World Of Warcraft\Logs\SESound.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{604AB35D-A7FB-4C77-8E1D-F845A6A23281}\RP223\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\cch~64199876.htp Object is locked skipped
C:\WINDOWS\TEMP\cch~64199fbe.htp Object is locked skipped
C:\WINDOWS\TEMP\cch~646b824a.htp Object is locked skipped
C:\WINDOWS\TEMP\cch~646b867a.htp Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:48:17 PM, on 1/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ifuo] C:\PROGRA~1\COMMON~1\ifuo\ifuom.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload....Plugin11USA.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1199836050531
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,26/mcgdmgr.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload....GPlugin9USA.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6105 bytes

#10
Stamper19

Posted 23 January 2008 - 06:39 AM

Expert

Expert
1,992 posts

Somehow the first part of the Kapersky log got cut off. Please try reposting it in its entirety.

#11
linkendink

Posted 25 January 2008 - 12:25 AM

Member

Topic Starter
Member
11 posts

When I saved the Kaspersky report, it did not come out in notepad-form, so I just pasted everything from the report.

Wednesday, January 23, 2008 10:43:51 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 23/01/2008
Kaspersky Anti-Virus database records: 527474
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
E:\
F:\
Scan Statistics
Total number of scanned objects 65667
Number of viruses found 0
Number of infected objects 0
Number of suspicious objects 0
Duration of the scan process 02:47:56

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\0188_File_Monitoring_eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\018a_Web_Monitoring_eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\018c_pdm_eventcritlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\018c_pdm_eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\018c_pdm_eventlog_reg.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\018f_Updater_eventcritlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\018f_Updater_eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\detected.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\detected.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\report.rpt Object is locked skipped
C:\Documents and Settings\Henry\Application Data\acccore\nss\cert8.db Object is locked skipped
C:\Documents and Settings\Henry\Application Data\acccore\nss\key3.db Object is locked skipped
C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\tzz24cp4.default\cert8.db Object is locked skipped
C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\tzz24cp4.default\history.dat Object is locked skipped
C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\tzz24cp4.default\key3.db Object is locked skipped
C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\tzz24cp4.default\parent.lock Object is locked skipped
C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\tzz24cp4.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Henry\Application Data\Mozilla\Firefox\Profiles\tzz24cp4.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Henry\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Henry\Local Settings\Application Data\AOL OCP\AIM\Storage\All Users\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\Henry\Local Settings\Application Data\AOL OCP\AIM\Storage\data\linkendink\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\Henry\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Henry\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Henry\Local Settings\Application Data\Mozilla\Firefox\Profiles\tzz24cp4.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Henry\Local Settings\Application Data\Mozilla\Firefox\Profiles\tzz24cp4.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Henry\Local Settings\Application Data\Mozilla\Firefox\Profiles\tzz24cp4.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Henry\Local Settings\Application Data\Mozilla\Firefox\Profiles\tzz24cp4.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Henry\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Henry\Local Settings\History\History.IE5\MSHist012008012320080124\index.dat Object is locked skipped
C:\Documents and Settings\Henry\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Henry\ntuser.dat Object is locked skipped
C:\Documents and Settings\Henry\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\starwind.2008-01-23.18-48-42.log Object is locked skipped
C:\Program Files\World Of Warcraft\Logs\gx.log Object is locked skipped
C:\Program Files\World Of Warcraft\Logs\SESound.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{604AB35D-A7FB-4C77-8E1D-F845A6A23281}\RP223\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\cch~64199876.htp Object is locked skipped
C:\WINDOWS\TEMP\cch~64199fbe.htp Object is locked skipped
C:\WINDOWS\TEMP\cch~646b824a.htp Object is locked skipped
C:\WINDOWS\TEMP\cch~646b867a.htp Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.

#12
Stamper19

Posted 25 January 2008 - 05:43 PM

Expert

Expert
1,992 posts

Lookin good. How are things running? Lets get Java updated as well while we're at it.

Please update Java.

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to infect your system. Please follow these steps to remove older version Java components and update:

Download the latest version of Java Runtime Environment (JRE) 6 Update 4 and save it to your desktop.
Scroll down to where it says "JJava Runtime Environment (JRE) 6 Update 4...allows end-users to run Java applications".
Click the "Download" button to the right.
Read the License Agreement and then check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation and save the file to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.

#13
linkendink

Posted 28 January 2008 - 12:01 AM

Member

Topic Starter
Member
11 posts

My computer seems to be working a lot better now.
Appreciate the help

#14
Stamper19

Posted 28 January 2008 - 10:18 AM

Expert

Expert
1,992 posts

Good to hear.

Congrats - your logs are all clean

There are still a couple of things you should do for the sake of cleaning up.

---------------------------------------------------------------

Time for some housekeeping

Click START then RUN
Now type Combofix /u in the runbox and click OK
When shown the disclaimer, Select "2"

The above procedure will:

Delete the following:
- ComboFix and its associated files and folders.
- VundoFix backups, if present
- The C:\Deckard folder, if present
- The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.

----------------------------------------------------------------

Otherwise, unless you have any questions, you are all set. Included below are some tips for keeping your computer malware free in the future.

Cheers,
Stamper

----------------------------------------------------------------

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Make your Internet Explorer more secure - This can be done by following these simple instructions:
- From within Internet Explorer click on the Tools menu and then click on Options.
- Click once on the Security tab
- Click once on the Internet icon so it becomes highlighted.
- Click once on the Custom Level button.
  - Change the Download signed ActiveX controls to Prompt
  - Change the Download unsigned ActiveX controls to Disable
  - Change the Initialize and script ActiveX controls not marked as safe to Disable
  - Change the Installation of desktop items to Prompt
  - Change the Launching programs and files in an IFRAME to Prompt
  - Change the Navigate sub-frames across different domains to Prompt
  - When all these settings have been made, click on the OK button.
  - If it prompts you as to whether or not you want to save the settings, press the Yes button.
- Next press the Apply button and then the OK to exit the Internet Properties page.
Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources
Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

A tutorial on installing & using this product can be found here:

Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

A tutorial on installing & using this product can be found here:

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

here are some additional utilities that will enhance your safety

IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software

#15
Stamper19

Posted 02 February 2008 - 06:35 AM

Expert

Expert
1,992 posts

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.