Upon submission to Bleeping Computer I had to split the file and rearrange some stuff because of that site's 3 MB limit.
ADSSpy produced no log.
I had to rename a few things to .txt so the uploader would allow them.
Thanks!
-k
Deckard's System Scanner v20070426.43
Run by Ocha on 2007-05-16 at 18:56:16
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
Successfully created a Deckard's System Scanner Restore Point.
-- Last 5 Restore Point(s) --
44: 2007-05-17 00:56:24 UTC - RP1440 - Deckard's System Scanner Restore Point
43: 2007-05-17 00:52:11 UTC - RP1439 - Installed Java(TM) SE Runtime Environment 6 Update 1
42: 2007-05-16 04:27:53 UTC - RP1438 - Installed DirectX
41: 2007-05-15 11:??:33 UTC - RP1437 - System Checkpoint
40: 2007-05-12 22:05:45 UTC - RP1436 - System Checkpoint
-- First Restore Point --
1: 2007-04-02 05:23:52 UTC - RP1397 - System Checkpoint
Performed disk cleanup.
-- HijackThis (run as Ocha.exe) ------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 6:56:45 PM, on 5/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\AIM95\aim.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\msiexec.exe
C:\Documents and Settings\Ocha\desktop\dss.exe
C:\DOCUME~1\Ocha\Desktop\Ocha.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D572CD64-9310-4712-8FFC-A4F9DC9D4AC1} (QbicUpdate Control) - http://qbic.hanafos.com/component/QbicUpdate.CAB
O16 - DPF: {DDE6FED7-88AB-405B-9D77-FD4CDA8B9EB5} (Qbic Control) - http://qbic.hanafos.com/component/Qbic.CAB
O16 - DPF: {E0BE586C-7C66-4909-94D6-D18BBBDD6373} (????????????) - http://app.filebank.co.jp/setup/win/fbx2.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
-- HijackThis Fixed Entries (C:\DOCUME~1\Ocha\Desktop\backups\) ----------------
backup-20070510-233135-113 O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
backup-20070510-233135-188 O17 - HKLM\System\CS6\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
backup-20070510-233135-434 O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
backup-20070510-233135-448 O20 - Winlogon Notify: ddcca - C:\WINDOWS\system32\ddcca.dll (file missing)
backup-20070510-233135-615 O4 - Startup: .protected
backup-20070510-233135-647 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
backup-20070510-233135-781 O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
backup-20070510-233135-824 O4 - Global Startup: .protected
backup-20070510-233135-835 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
backup-20070510-233135-914 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
backup-20070510-233135-925 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
backup-20070510-233135-980 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
backup-20070510-233431-247 O4 - Startup: .protected
backup-20070510-233431-489 O4 - Global Startup: .protected
backup-20070512-171040-388 O2 - BHO: (no name) - {F891E065-E7FC-4136-B19F-ACFE3D8BEB28} - (no file)
backup-20070512-171040-484 O2 - BHO: (no name) - {F766D392-9489-457E-BEEE-1EBC06B684C1} - (no file)
backup-20070512-171040-783 O20 - Winlogon Notify: hggghhi - hggghhi.dll (file missing)
backup-20070512-171040-878 O2 - BHO: (no name) - {E44527F6-1296-4A84-B67D-A6CEA6ED4B69} - C:\WINDOWS\system32\hggghhi.dll (file missing)
backup-20070512-171041-114 O20 - Winlogon Notify: pmkhi - C:\WINDOWS\system32\pmkhi.dll (file missing)
backup-20070512-171041-580 O20 - Winlogon Notify: rqrqrsp - rqrqrsp.dll (file missing)
backup-20070512-171041-625 O20 - Winlogon Notify: rqrqnkh - rqrqnkh.dll (file missing)
-- File Associations -----------------------------------------------------------
All associations okay.
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R1 NPPTNT2 - c:\windows\system32\npptnt2.sys <Not Verified; INCA Internet Co., Ltd.; nProtect NPSC Kernel Mode Driver for NT>
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R3 aeaudio - c:\windows\system32\drivers\aeaudio.sys <Not Verified; Andrea Electronics Corporation; Andrea Audio Driver>
R3 smwdm - c:\windows\system32\drivers\smwdm.sys <Not Verified; Analog Devices, Inc.; SoundMAX Digital Audio Driver>
S3 CO_Mon - c:\windows\system32\drivers\co_mon.sys (file missing)
S3 GTNDIS5 (GTNDIS5 NDIS Protocol Driver) - c:\windows\system32\gtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
S2 CLTNetCnService (Symantec Lic NetConnect service) - "c:\program files\common files\symantec shared\ccsvchst.exe" /h cccommon (file missing)
-- Scheduled Tasks -------------------------------------------------------------
2007-05-16 18:52:00 492 --a------ C:\WINDOWS\Tasks\McAfee.com Update Check (D6FYH341-Ocha).job
-- Files created between 2007-04-16 and 2007-05-16 -----------------------------
2007-05-16 16:59:48 0 d-------- C:\Documents and Settings\Ocha\DoctorWeb
2007-05-16 16:??:03 7147 --a------ C:\dnsbak.reg
2007-05-15 22:04:07 0 d-------- C:\Program Files\Illusion
2007-05-12 19:45:20 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-05-10 23:38:15 996 --a------ C:\WINDOWS\system32\tmp.reg
2007-05-10 23:37:31 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2007-05-10 23:37:31 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-05-09 22:56:41 0 d-------- C:\Documents and Settings\Ocha\Application Data\Symantec
2007-05-09 21:??:44 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2007-05-09 21:05:49 0 d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2007-05-09 21:05:16 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2007-05-09 18:49:43 0 d-------- C:\Program Files\Norton 360
2007-05-09 18:44:48 0 d-------- C:\Program Files\Symantec
2007-05-09 18:43:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-05-09 18:41:33 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-05-09 04:18:48 0 dr-h----- C:\$VAULT$.AVG
2007-05-09 03:03:07 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-04 16:35:00 0 d-------- C:\Documents and Settings\Ocha\Application Data\AVG7
2007-05-04 16:34:41 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-05-04 16:34:18 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-05-04 14:34:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
-- Find3M Report ---------------------------------------------------------------
2007-05-16 18:53:09 0 d-------- C:\Program Files\Java
2007-05-16 16:30:10 0 d-------- C:\Program Files\WAV to MP3 Encoder
2007-05-16 02:13:11 13358 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-05-15 21:05:52 0 d-------- C:\Documents and Settings\Ocha\Application Data\uTorrent
2007-05-12 20:48:48 0 d-------- C:\Program Files\AIM95
2007-05-10 18:34:20 0 d-------- C:\Program Files\GUILTY GEAR XX #RELOAD
2007-05-09 20:05:00 0 d-------- C:\Documents and Settings\Ocha\Application Data\WeatherBug
2007-04-26 19:44:01 0 d-------- C:\Program Files\mIRC
2007-03-23 11:48:49 0 d-------- C:\Program Files\Windows Media Connect 2
2007-03-04 22:22:37 149504 --a------ C:\WINDOWS\UNWISE.EXE
2007-03-04 22:22:33 90112 --a------ C:\WINDOWS\unvise32.exe <Not Verified; MindVision Software; Installer VISE>
2007-03-04 22:22:05 0 --a------ C:\WINDOWS\test
2007-03-04 22:21:41 7473 --a------ C:\WINDOWS\plqca.dat
2007-03-04 22:21:38 3547 --a------ C:\WINDOWS\oncsc.dat
2007-03-04 22:21:38 0 --a----c- C:\WINDOWS\ofqd.exe
2007-03-04 22:21:34 0 --a----c- C:\WINDOWS\n_xdrfqf.dat
2007-03-04 22:21:34 29256 --a------ C:\WINDOWS\n_aqcvyu.dat
2007-03-04 22:21:34 29256 --a------ C:\WINDOWS\n_aakuom.dat
2007-03-04 22:21:33 0 --a----c- C:\WINDOWS\ntiy.dll
2007-03-04 22:21:32 335 --a------ C:\WINDOWS\nsreg.dat
2007-03-04 22:21:32 45056 --a------ C:\WINDOWS\NCUNINST.EXE <Not Verified; Northern Codeworks; Uninstall>
2007-03-04 22:20:55 8192 --a------ C:\WINDOWS\d3dx.dat
2007-03-04 22:19:32 0 --a----c- C:\WINDOWS\b2_t_%22NEKKETSU+KOUHA+KUNIO-KUN
2007-03-03 17:13:06 2 --a------ C:\1145084210
2007-02-19 15:45:33 155648 --a------ C:\WINDOWS\system32\PoporuAgent.exe <Not Verified; (?) ?? ??????; ??? ?? ?? ????>
2007-02-19 15:45:33 106496 --a------ C:\WINDOWS\system32\PoporuAgent.dll <Not Verified; (?) ?? ??????; ??? ?? ?? ????>
-- Registry Dump ---------------------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"WinPatrol"="C:\\Program Files\\BillP Studios\\WinPatrol\\winpatrol.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Weather"="C:\\Program Files\\AWS\\WeatherBug\\Weather.exe 1"
"AIM"="C:\\Program Files\\AIM95\\aim.exe -cnetwait.odl"
"Sonic RecordNow!"=""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ \0scecli\0scecli\0scecli\0scecli\0\0
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunDLL]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bridge"
"hkey"="HKLM"
"command"="rundll32.exe \"C:\\WINDOWS\\Downloaded Program Files\\bridge.dll\",Load"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0
-- End of Deckard's System Scanner: finished at 2007-05-16 at 18:57:27 ---------
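The two persistence mechanisms visible in the "HijackThis Fixed Entries" section above are worth automating a check for: an O17 NameServer override written into every ControlSet (CCS and CS1 through CS6, all pointing at the same two public addresses), and O20 Winlogon Notify packages whose DLL no longer exists but whose registry key is still present. The script below is an added example for this page; it is not part of the original post and is not code from HijackThis or Deckard's System Scanner. It parses HijackThis-style lines (the sample input is copied from the log above, including the `backup-...` prefix DSS adds to restored entries) and reports the entries a responder should act on. The NameServer check deliberately only asks for confirmation: a public resolver is not proof of compromise on its own, since an ISP's resolvers are public too; the signal is the same hard-coded pair in every ControlSet, which neither DHCP nor a user normally produces.

```python
"""Triage HijackThis/DSS log lines for O17 NameServer overrides, orphaned O20 Winlogon
Notify DLLs and orphaned O2 BHO registrations.

Added example for this page; not part of the original post and not code from HijackThis
or Deckard's System Scanner. SAMPLE_LINES are copied from the log above.
"""
import ipaddress
import re

# Copied from the log above: HijackThis "Fixed Entries" plus two live entries for contrast.
SAMPLE_LINES = """\
backup-20070510-233135-113 O17 - HKLM\\System\\CS3\\Services\\Tcpip\\Parameters: NameServer = 85.255.113.90 85.255.112.5
backup-20070510-233135-925 O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 85.255.113.90 85.255.112.5
backup-20070510-233135-448 O20 - Winlogon Notify: ddcca - C:\\WINDOWS\\system32\\ddcca.dll (file missing)
backup-20070512-171040-783 O20 - Winlogon Notify: hggghhi - hggghhi.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\\WINDOWS\\SYSTEM32\\WgaLogon.dll
backup-20070512-171040-388 O2 - BHO: (no name) - {F891E065-E7FC-4136-B19F-ACFE3D8BEB28} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_01\\bin\\ssv.dll
"""

# DSS prefixes each entry restored from HijackThis backups with "backup-YYYYMMDD-HHMMSS-NNN ".
PREFIX_RE = re.compile(r"^backup-\d{8}-\d{6}-\d+\s+")
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\Parameters: "
    r"NameServer = (?P<ips>.+)$")
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
O2_RE = re.compile(
    r"^O2 - BHO: (?P<desc>.+?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")


def strip_prefix(line: str) -> str:
    """Remove the DSS fixed-entry prefix so the remainder is a plain HijackThis line."""
    return PREFIX_RE.sub("", line.strip())


def parse_nameservers(lines):
    """Map each control set (CCS, CS1, ...) to the NameServer list HijackThis saw there."""
    per_cs = {}
    for raw in lines:
        m = O17_RE.match(strip_prefix(raw))
        if m:
            per_cs[m.group("cs")] = m.group("ips").split()
    return per_cs


def nameserver_findings(per_cs):
    """Flag statically configured public resolvers and list every control set that carries them.

    Public is not the same as malicious (ISP resolvers are public), so the finding asks for
    confirmation. The strong indicator is the identical pair in every ControlSet.
    """
    findings = []
    all_ips = {ip for ips in per_cs.values() for ip in ips}
    public = sorted(ip for ip in all_ips if not ipaddress.ip_address(ip).is_private)
    if public:
        findings.append(
            f"O17: static public NameServer {' '.join(public)} in control sets "
            f"{sorted(per_cs)}; confirm these are the ISP's resolvers, otherwise reset "
            f"to DHCP and clear the value in every ControlSet, not only CurrentControlSet")
    return findings


def winlogon_findings(lines):
    """Flag Winlogon Notify packages whose DLL is gone: winlogon still tries to load them at
    every logon, and the leftover key is what a dropper re-populates if it runs again."""
    findings = []
    for raw in lines:
        m = O20_RE.match(strip_prefix(raw))
        if m and m.group("missing"):
            findings.append(
                f"O20: orphaned Winlogon Notify '{m.group('name')}' -> {m.group('path')}; "
                r"delete its subkey under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify")
    return findings


def bho_findings(lines):
    """Flag BHO registrations with no backing file (CLSID left behind after the DLL was removed)."""
    findings = []
    for raw in lines:
        m = O2_RE.match(strip_prefix(raw))
        if m and m.group("path").strip() == "(no file)":
            findings.append(f"O2: orphaned BHO {{{m.group('clsid')}}} ({m.group('desc')})")
    return findings


def triage(log_text: str):
    """Run all three checks over a HijackThis/DSS log and return the findings in order."""
    lines = log_text.splitlines()
    return (nameserver_findings(parse_nameservers(lines))
            + winlogon_findings(lines)
            + bho_findings(lines))


if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(finding)
```

Run against the sample it reports one O17 finding covering both control sets, two orphaned Winlogon Notify entries (ddcca and hggghhi, but not WgaLogon, whose DLL is present) and one orphaned BHO. On a live machine the O17 result should be compared with what `ipconfig /all` shows; if the resolvers differ from the ISP's and every ControlSet carries the same pair, treat it as a DNS hijack and clean all ControlSets, since a rollback to a Last Known Good configuration would otherwise restore it.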