Registered User
Join Date: Sep 2007
Posts: 22
OS: XP
ieaklog.dll infected...(s-1-5-18) account still affecting PC
I am not an expert, but somewhat experienced with virus removal. My aunt handed me her wrecked machine and asked me to fix it. After running every free spyware program I could, and after installing Spyware Doctor on the machine, I got rid of at least 4 different trojans. The problem is that the computer is still infected at C:\windows\system32\ieaklog.dll.
I have restored control panel access and restored the missing rundll32.exe, so I have regained quite a bit of functionality, but I'm not quite sure how to remove the rest. Spyware Doctor is not picking up anything anymore, but after running HijackThis and researching, I still have the Plite731.exe running as well as winavXX.exe. Furthermore, they are being run from the account (S-1-5-18), which I'm not familiar with but according to Microsoft is a service account. Any information would be well appreciated. Thank you.

Deckard's System Scanner v20070905.67
Run by User on 2007-09-19 14:39:22
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 2 Restore Point(s) --
2: 2007-09-19 19:39:31 UTC - RP2 - Deckard's System Scanner Restore Point
1: 2007-09-19 18:16:09 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 448 MiB (512 MiB recommended).

-- HijackThis (run as User.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:40, on 2007-09-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\User\Desktop\dss.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\DOCUME~1\User\Desktop\User.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Walgreens PhotoShow Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [Tbsa] "C:\DOCUME~1\User\APPLIC~1\ASKS~1\ati2evxx.exe" -vt yazb
O4 - HKCU\..\Run: [Zsu] "C:\Program Files\Common Files\T?sks\msdtc.exe"
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st_current.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O20 - Winlogon Notify: ieaklog - C:\WINDOWS\SYSTEM32\ieaklog.dll
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 7460 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sr (System Restore Filter Driver) - c:\windows\\systemroot\system32\drivers\sr.sys (file missing)
R3 catchme - c:\docume~1\user\locals~1\temp\catchme.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2007-09-19 14:40:26 410 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job
2007-09-03 19:59:52 462 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job
2007-09-03 15:53:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

-- Files created between 2007-08-19 and 2007-09-19 -----------------------------

2007-09-19 11:51:29 0 d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2007-09-19 11:51:26 0 dr------- C:\Documents and Settings\LocalService\Favorites
2007-09-18 16:20:52 0 d-------- C:\Program Files\Spyware Doctor
2007-09-18 16:20:52 0 d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2007-09-14 14:52:21 0 d-------- C:\Documents and Settings\User\Application Data\Lavasoft
2007-09-14 14:31:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy <SPYBOT~1>
2007-09-13 17:27:46 0 d-------- C:\Documents and Settings\User\Application Data\Help
2007-09-13 16:43:54 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-09-13 16:43:54 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-09-13 16:43:54 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-09-13 16:43:54 0 d--h----- C:\Documents and Settings\Administrator\Recent
2007-09-13 16:43:54 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-09-13 16:43:54 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-09-13 16:43:54 0 d-------- C:\Documents and Settings\Administrator\My Documents
2007-09-13 16:43:54 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-09-13 16:43:54 0 d-------- C:\Documents and Settings\Administrator\Favorites
2007-09-13 16:43:54 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-09-13 16:43:54 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2007-09-13 16:43:54 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-09-13 16:43:54 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-09-13 16:43:54 0 d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2007-09-13 16:43:53 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-09-13 15:53:32 0 d-------- C:\Documents and Settings\Monicka\Application Data\Help
2007-09-07 01:16:36 593920 ---hs---- C:\WINDOWS\vddunt.dll
2007-09-07 00:16:30 0 --a------ C:\25270531
2007-09-06 17:25:01 15360 --a------ C:\WINDOWS\system32\drvdotr.dll
2007-09-06 17:25:01 94208 --a------ C:\WINDOWS\system32\drvdot.dll
2007-09-06 17:19:47 76021 --a------ C:\Program Files\setup.exe
2007-09-06 17:19:15 9882 --a------ C:\Program Files\hlpsrv.exe <Not Verified; NoName Corp.; NNC module>
2007-09-06 17:16:04 7680 --a------ C:\44140
2007-08-25 14:41:39 0 --a------ C:\65456765
2007-08-25 12:41:17 0 --a------ C:\58235000
2007-08-25 07:40:50 0 --a------ C:\40207968
2007-08-24 08:16:39 1136281 --a------ C:\WINDOWS\system32\dn0ceec1a5.dat
2007-08-23 18:21:13 3638 --a------ C:\WINDOWS\eo1c5j5m.exe
2007-08-23 08:16:20 94713 -----n--- C:\WINDOWS\system32\ieaklog.dll
2007-08-23 02:09:27 3638 --a------ C:\WINDOWS\zgt5quft.exe

-- Find3M Report ---------------------------------------------------------------

2007-09-19 13:13:12 0 d-------- C:\Program Files\Common Files
2007-09-19 12:23:50 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-13 17:21:06 0 d--h----- C:\Documents and Settings\User\Application Data\Move Networks
2007-09-13 15:53:32 0 d-------- C:\Program Files\Norton AntiVirus
2007-08-24 20:52:33 0 d-------- C:\Documents and Settings\User\Application Data\Walgreens
2007-08-18 14:34:26 0 d-------- C:\Program Files\Linksys EasyLink Advisor
2007-08-16 20:50:37 0 d--h----- C:\Documents and Settings\User\Application Data\GTek
2007-08-14 00:30:03 0 d-------- C:\Program Files\Common Files\Scanner
2007-08-14 00:29:46 0 d-------- C:\Program Files\Yahoo!
2007-08-13 19:08:41 41 --a------ C:\WINDOWS\plite731_uninstaller_.bat
2007-08-13 19:08:40 49152 --a------ C:\WINDOWS\TISKY010.exe
2007-08-13 19:05:46 0 d---s---- C:\Documents and Settings\User\Application Data\Microsoft
2007-07-19 08:04:59 0 d-------- C:\Program Files\Common Files\Adobe

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 07:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 07:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 07:00]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 14:47 C:\WINDOWS\ALCXMNTR.EXE]
"VTTimer"="VTTimer.exe" [2005-03-08 05:33 C:\WINDOWS\system32\VTTimer.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 04:01]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2002-08-19 23:22]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-08-19 23:23]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-12-19 22:52]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 22:26]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-09-01 06:42]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 12:24]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 16:18]
"DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 19:37]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"plite731"="C:\WINDOWS\plite731.exe" []
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 07:00]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-08-02 10:49]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"Walgreens PhotoShow Media Manager"="C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe" [2006-04-20 01:35]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59]
"Tbsa"="C:\DOCUME~1\User\APPLIC~1\ASKS~1\ati2evxx.exe" []
"Zsu"="C:\Program Files\Common Files\T?sks\msdtc.exe" []
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 18:16]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
"WinAVX"=C:\WINDOWS\system32\WinAvXX.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoWindowsUpdate"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ieaklog]
ieaklog.dll 2007-08-23 08:16 94713 C:\WINDOWS\system32\ieaklog.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

*Newly Created Service* - SHAREDACCESS

Contents of the 'Scheduled Tasks' folder
2007-09-03 20:53:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-09-04 00:59:52 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job - C:\PROGRA~1\NORTON~1\NAVW32.exe
2007-09-19 19:40:26 C:\WINDOWS\Tasks\Symantec NetDetect.job - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE

-- End of Deckard's System Scanner: finished at 2007-09-19 14:42:31 ------------

Deckard's System Scanner v20070905.67
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon(tm) XP 2800+
Percentage of Memory in Use: 60%
Physical Memory (total/avail): 447.48 MiB / 177.4 MiB
Pagefile Memory (total/avail): 1058.21 MiB / 602.2 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1978.82 MiB

C: is Fixed (NTFS) - 74.52 GiB total, 55.53 GiB free.
D: is CDROM (No Media)
E: is Removable (No Media)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (FAT32)

\\.\PHYSICALDRIVE0 - WDC WD800BB-22FJA1 - 74.53 GiB - 1 partition
   \PARTITION0 (bootable) - Installable File System - 74.52 GiB - C:

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device

\\.\PHYSICALDRIVE5 - Kingston DataTraveler 2.0 USB Device - 486.34 MiB - 1 partition
   \PARTITION0 (bootable) - Unknown - 491.98 MiB - I:

-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

-- Environment Variables -------------------------------------------------------

activex=C:\WINDOWS\DOWNLO~1
activex_LFN=C:\WINDOWS\Downloaded Program Files
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\DOCUME~1\ADMINI~1\APPLIC~1
AppData_LFN=C:\Documents and Settings\Administrator\Application Data
Cache=C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMPOR~1
Cache_LFN=C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
CD Burning=C:\DOCUME~1\ADMINI~1\LOCALS~1\APPLIC~1\MICROS~1\CDBURN~1
CD Burning_LFN=C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\CD Burning
chcp=437
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
COLLECTIONID=COL7299
Common Administrative Tools=C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\ADMINI~1
Common Administrative Tools_LFN=C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools
Common AppData=C:\DOCUME~1\ALLUSE~1\APPLIC~1
Common AppData_LFN=C:\Documents and Settings\All Users\Application Data
Common Desktop=C:\DOCUME~1\ALLUSE~1\Desktop
Common Desktop_LFN=C:\Documents and Settings\All Users\Desktop
Common Documents=C:\DOCUME~1\ALLUSE~1\DOCUME~1
Common Documents_LFN=C:\Documents and Settings\All Users\Documents
Common Favorites=C:\DOCUME~1\ALLUSE~1\FAVORI~1
Common Favorites_LFN=C:\Documents and Settings\All Users\Favorites
Common Music=C:\DOCUME~1\ALLUSE~1\DOCUME~1\MYMUSI~1
Common Pictures=C:\DOCUME~1\ALLUSE~1\DOCUME~1\MYPICT~1
Common Programs=C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs
Common Programs_LFN=C:\Documents and Settings\All Users\Start Menu\Programs
Common Start Menu=C:\DOCUME~1\ALLUSE~1\STARTM~1
Common Start Menu_LFN=C:\Documents and Settings\All Users\Start Menu
Common Startup=C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup
Common Startup_LFN=C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Common Templates=C:\DOCUME~1\ALLUSE~1\TEMPLA~1
Common Templates_LFN=C:\Documents and Settings\All Users\Templates
Common Video=C:\DOCUME~1\ALLUSE~1\DOCUME~1\MYVIDE~1
CommonMusic_LFN=C:\Documents and Settings\All Users\Documents\My Music
CommonPictures_LFN=C:\Documents and Settings\All Users\Documents\My Pictures
CommonProgramFiles=C:\Program Files\Common Files
CommonVideo_LFN=C:\Documents and Settings\All Users\Documents\My Videos
COMPUTERNAME=HP-02CD0A0B19E5
ComSpec=C:\WINDOWS\system32\cmd.exe
Cookies=C:\DOCUME~1\ADMINI~1\Cookies
Cookies_LFN=C:\Documents and Settings\Administrator\Cookies
copycmd=/y
default AppData=C:\WINDOWS\system32\config\SYSTEM~1\APPLIC~1
default AppData_LFN=C:\WINDOWS\system32\config\systemprofile\Application Data
default Cache=C:\DOCUME~1\NETWOR~1\LOCALS~1\TEMPOR~1
default Cache_LFN=C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files
default Cookies=C:\DOCUME~1\NETWOR~1\Cookies
default Cookies_LFN=C:\Documents and Settings\NetworkService\Cookies
default Favorites=C:\DOCUME~1\User\FAVORI~1
default Favorites_LFN=C:\Documents and Settings\User\Favorites
default Fonts=C:\WINDOWS\Fonts
default Fonts_LFN=C:\WINDOWS\Fonts
default History=C:\DOCUME~1\NETWOR~1\LOCALS~1\History
default History_LFN=C:\Documents and Settings\NetworkService\Local Settings\History
default Local AppData=C:\DOCUME~1\NETWOR~1\LOCALS~1\APPLIC~1
default Local AppData_LFN=C:\Documents and Settings\NetworkService\Local Settings\Application Data
default Local Settings=C:\WINDOWS\system32\config\SYSTEM~1\LOCALS~1
default Local Settings_LFN=C:\WINDOWS\system32\config\systemprofile\Local Settings
default PrintHood=C:\WINDOWS\system32\config\SYSTEM~1\PRINTH~1
default PrintHood_LFN=C:\WINDOWS\system32\config\systemprofile\PrintHood
default Programs=C:\WINDOWS\system32\config\SYSTEM~1\STARTM~1\Programs
default Programs_LFN=C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs
default Recent=C:\WINDOWS\system32\config\SYSTEM~1\Recent
default Recent_LFN=C:\WINDOWS\system32\config\systemprofile\Recent
default SendTo=C:\WINDOWS\system32\config\SYSTEM~1\SendTo
default SendTo_LFN=C:\WINDOWS\system32\config\systemprofile\SendTo
default Startup=C:\DOCUME~1\User\STARTM~1\Programs\Startup
default Startup_LFN=C:\Documents and Settings\User\Start Menu\Programs\Startup
Desktop=C:\DOCUME~1\ADMINI~1\Desktop
Desktop_LFN=C:\Documents and Settings\Administrator\Desktop
dircmd=/a
Fail2Delete=failed to delete
Favorites=C:\DOCUME~1\ADMINI~1\FAVORI~1
Favorites_LFN=C:\Documents and Settings\Administrator\Favorites
Fonts=C:\WINDOWS\Fonts
Fonts_LFN=C:\WINDOWS\Fonts
FP_NO_HOST_CHECK=NO
F_System=NTFS
History=C:\DOCUME~1\ADMINI~1\LOCALS~1\History
History_LFN=C:\Documents and Settings\Administrator\Local Settings\History
HMSERVER=https://wwss1proa.cce.hp.com/wuss/servlet/WUSSServlet
home=C:\ComboFix\
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\User
is missing=is missing
ITEMID=oj-21918-1
LANG=1033
Local AppData=C:\DOCUME~1\ADMINI~1\LOCALS~1\APPLIC~1
Local AppData_LFN=C:\Documents and Settings\Administrator\Local Settings\Application Data
Local Settings_LFN=C:\Documents and Settings\Administrator\Local Settings
LOGONSERVER=\\HP-02CD0A0B19E5
NetHood=C:\DOCUME~1\ADMINI~1\NetHood
NetHood_LFN=C:\Documents and Settings\Administrator\NetHood
not completed=not completed
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
OSVER=winXPH
Path=C:\ComboFix;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem
PATHEXT=.CFEXE;.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
Personal=C:\DOCUME~1\ADMINI~1\MYDOCU~1
Personal_LFN=C:\Documents and Settings\Administrator\My Documents
PrintHood=C:\DOCUME~1\ADMINI~1\PRINTH~1
PrintHood_LFN=C:\Documents and Settings\Administrator\PrintHood
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 10 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0a00
ProgramFiles=C:\Program Files
Programs=C:\DOCUME~1\ADMINI~1\STARTM~1\Programs
Programs_LFN=C:\Documents and Settings\Administrator\Start Menu\Programs
PROMPT=$
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
Recent=C:\DOCUME~1\ADMINI~1\Recent
Recent_LFN=C:\Documents and Settings\Administrator\Recent
SendTo=C:\DOCUME~1\ADMINI~1\SendTo
SendTo_LFN=C:\Documents and Settings\Administrator\SendTo
Services_=hklm\system\currentcontrolset\services
SESSIONID=1172172092407htx60561dbadea:110eae6cea6:-5748
SESSIONNAME=Console
Stage=Completed Stage_
Start Menu=C:\DOCUME~1\ADMINI~1\STARTM~1
Start Menu_LFN=C:\Documents and Settings\Administrator\Start Menu
Startup=C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup
Startup_LFN=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
SWUTVER=1.0.18.30716
system=C:\WINDOWS\system32
SystemDrive=C:
SystemRoot=C:\WINDOWS
Tasks=C:\WINDOWS\Tasks
TEMP=C:\DOCUME~1\User\LOCALS~1\Temp
Templates=C:\DOCUME~1\ADMINI~1\TEMPLA~1
Templates_LFN=C:\Documents and Settings\Administrator\Templates
TIMEOUT=0
TMP=C:\DOCUME~1\User\LOCALS~1\Temp
TOOLPATH=/C:/Program%20Files/Hewlett-Packard/HP%20Software%20Update/install.htm
UPDATEDIR=C:\DOCUME~1\User\LOCALS~1\Temp\radE194D.tmp
USERDOMAIN=HP-02CD0A0B19E5
USERNAME=User
USERPROFILE=C:\Documents and Settings\User
VERSION=07-09-19.8
windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------

User (admin)
Monicka (admin)
Lori (admin)
Administrator (admin)

-- Add/Remove Programs ---------------------------------------------------------

 --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
 --> C:\WINDOWS\UNNMP.exe /UNINSTALL
 --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Reader 8.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
Agere Systems PCI Soft Modem --> agrsmdel
Apple Software Update --> MsiExec.exe /I{A50C25D7-62E9-4511-AD70-8E2DA5E79B7D}
AVG Anti-Rootkit Beta --> C:\Program Files\GRISOFT\AVG Anti-Rootkit Beta\Uninstall.exe
BroadJump Client Foundation --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\BroadJump\Client Foundation\Uninst.isu" -c"C:\Program Files\BroadJump\Client Foundation\RmvBJCFD.dll" -b"CFD" -h"CFD" -a
Canon Camera Access Library --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CAL\Uninst.ini"
Canon Camera Support Core Library --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CSCLIB\Uninst.ini"
Canon Camera Window DC_DV 5 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC\Uninst.ini"
Canon Camera Window DC_DV 6 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC6\Uninst.ini"
Canon Camera Window MC 6 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowMC\Uninst.ini"
Canon G.726 WMP-Decoder --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\G726Decoder\G726DecUnInstall.ini"
Canon MovieEdit Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\MVWUninst.ini"
Canon RAW Image Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\RAW Image Task\Uninst.ini"
Canon RemoteCapture Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\RemoteCaptureTask DC\Uninst.ini"
Canon Utilities EOS Utility --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\EOS Utility\Uninst.ini"
Canon Utilities PhotoStitch --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\PhotoStitch\Uninst.ini"
Canon Utilities ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\Uninst.ini"
Drivers Install For Linksys Easylink Advisor --> MsiExec.exe /I{A1960A82-DB70-474D-A86B-FA74466103C6}
HijackThis 2.0.2 --> "C:\Documents and Settings\User\Desktop\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
hp deskjet 3600 --> msiexec /x{91A5B6C0-EF4E-4830-AC7D-6761C0A9B292}
HP Memories Disc --> MsiExec.exe /X{B376402D-58EA-45EA-BD50-DD924EB67A70}
HP Photo and Imaging 2.0 - Deskjet Series --> MsiExec.exe /I{E0828692-FD9D-459F-9312-C645C3CA6650}
hp print screen utility --> C:\Program Files\Hewlett-Packard\hp print screen utility\UnInstall\prnunins.exe
iTunes --> MsiExec.exe /I{446DBFFA-4088-48E3-8932-74316BA4CAE4}
Linksys EasyLink Advisor 1.6 (0032) --> rundll32 C:\PROGRA~1\LINKSY~1\AUInst.dll,ExUninstall
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 1.80 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Works 7.0 --> MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}
Nero Suite --> C:\Program Files\Common Files\Ahead\Uninstall\setup.exe /uninstall
Norton AntiVirus 2003 --> MsiExec.exe /I{47D5D869-FE57-4F2F-A358-83CFAA7B4968}
overland --> MsiExec.exe /I{766273C1-A39B-47EB-ACE8-DEBDD8094BCC}
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{50D8FFDD-90CD-4859-841F-AA1961C7767A}
Spyware Doctor 5.0 --> C:\Program Files\Spyware Doctor\unins000.exe
VIA Rhine-Family Fast-Ethernet Adapter --> Rundll32.exe vuins32.dll,vuins32Ex $Rhine $VIA
VIA/S3G Display Driver --> VTsetvga.exe -s -rRundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\system32\hg201hp.inf
Walgreens PhotoShow Deluxe 4 --> "C:\Program Files\Walgreens\Walgreens PhotoShow 4\data\Xtras\Uninstall.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows Rights Management Client Backwards Compatibility SP2 --> MsiExec.exe /X{EC905264-BCFE-423B-9C42-C3A106266790}
Windows Rights Management Client with Service Pack 2 --> MsiExec.exe /X{BDCF27CA-BFC4-4F49-8D24-A925C9505AB8}
Yahoo! Anti-Spy --> C:\PROGRA~1\Yahoo!\Common\unypsr.exe
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\WINDOWS\DOWNLO~1\YINSTH~1.DLL
Yahoo! Search Protection --> C:\PROGRA~1\Yahoo!\SEARCH~1\UNINST~1.EXE
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe

-- Application Event Log -------------------------------------------------------

Event Record #/Type3076 / Error
Event Submitted/Written: 09/06/2007 05:19:34 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application msdtc.exe, version 0.0.0.0, faulting module mshtml.dll, version 7.0.6000.16525, fault address 0x00067e2e.
Processing media-specific event for [msdtc.exe!ws!]

Event Record #/Type3058 / Error
Event Submitted/Written: 08/24/2007 08:36:50 PM
Event ID/Source: 1001 / Application Hang
Event Description:
Fault bucket 471789395.

Event Record #/Type3057 / Error
Event Submitted/Written: 08/24/2007 08:34:53 PM
Event ID/Source: 1001 / Application Hang
Event Description:
Fault bucket 471789395.

Event Record #/Type3056 / Error
Event Submitted/Written: 08/24/2007 08:34:07 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16512, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type3055 / Error
Event Submitted/Written: 08/24/2007 08:33:55 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16512, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type18136 / Error
Event Submitted/Written: 09/19/2007 01:14:46 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type18135 / Error
Event Submitted/Written: 09/19/2007 01:10:17 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The System Restore Service service terminated with the following error: %%2

Event Record #/Type18131 / Error
Event Submitted/Written: 09/19/2007 01:10:17 PM
Event ID/Source: 104 / SRService
Event Description:
The System Restore initialization process failed.

Event Record #/Type18130 / Error
Event Submitted/Written: 09/19/2007 01:09:09 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Event Record #/Type18129 / Error
Event Submitted/Written: 09/19/2007 01:08:55 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load: AFD AmdK7 Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SYMTDI Tcpip

-- End of Deckard's System Scanner: finished at 2007-09-19 14:42:31 ------------

#2
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 26,752
OS: 2000 Pro; XP Pro; XP Home
Re: ieaklog.dll infected...(s-1-5-18) account still affecting PC
Hello, and Welcome to TSF.
Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

Is Norton 2003 subscription current?
---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing. Because what you don't know, CAN hurt you. Please do not ask for help via Private Message.

#3
Registered User
Join Date: Sep 2007
Posts: 22
OS: XP
Re: ieaklog.dll infected...(s-1-5-18) account still affecting PC
In an effort to minimize damage, I do not have the infected PC hooked up to the internet. I didn't realize that my aunt's definitions hadn't been updated in years, so I downloaded the free version of AVG, which removed more files.
After looking at HijackThis, it looks a lot cleaner, but I'm still not sure about everything. Please let me know what you think. Thanks millions!

Deckard's System Scanner v20070905.67
Run by User on 2007-09-21 12:58:08
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 448 MiB (512 MiB recommended).

-- HijackThis (run as User.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58, on 2007-09-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\User\Desktop\dss.exe
C:\DOCUME~1\User\Desktop\User.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Walgreens PhotoShow Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [Tbsa] "C:\DOCUME~1\User\APPLIC~1\ASKS~1\ati2evxx.exe" -vt yazb
O4 - HKCU\..\Run: [Zsu] "C:\Program Files\Common Files\T?sks\msdtc.exe"
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st_current.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O20 - Winlogon Notify: ieaklog - ieaklog.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 7685 bytes

-- Files created between 2007-08-21 and 2007-09-21 -----------------------------

2007-09-21 12:44:20 0 dr-h----- C:\$VAULT$.AVG
2007-09-21 12:08:06 0 d-------- C:\Documents and Settings\User\Application Data\AVG7
2007-09-21 12:07:54 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-09-21 12:07:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-09-21 12:07:35 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-09-19 11:51:29 0 d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2007-09-19 11:51:26 0 dr------- C:\Documents and Settings\LocalService\Favorites
2007-09-18 16:20:52 0 d-------- C:\Program Files\Spyware Doctor
2007-09-18 16:20:52 0 d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2007-09-14 14:52:21 0 d-------- C:\Documents and Settings\User\Application Data\Lavasoft
2007-09-14 14:31:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy <SPYBOT~1>
2007-09-13 17:27:46 0 d-------- C:\Documents and Settings\User\Application Data\Help
2007-09-13 16:43:54 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-09-13 16:43:54 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-09-13 16:43:54 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-09-13 16:43:54 0 d--h----- C:\Documents and Settings\Administrator\Recent
2007-09-13 16:43:54 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-09-13 16:43:54 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-09-13 16:43:54 0 d-------- C:\Documents and Settings\Administrator\My Documents
2007-09-13 16:43:54 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-09-13 16:43:54 0 d-------- C:\Documents and Settings\Administrator\Favorites
2007-09-13 16:43:54 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-09-13 16:43:54 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2007-09-13 16:43:54 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-09-13 16:43:54 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-09-13 16:43:54 0 d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2007-09-13 16:43:53 565248 --a------ C:\Documents and Settings\Administrator\NTUSER.DAT
2007-09-13 15:53:32 0 d-------- C:\Documents and Settings\Monicka\Application Data\Help
2007-09-07 01:16:36 593920 ---hs---- C:\WINDOWS\vddunt.dll
2007-09-07 00:16:30 0 --a------ C:\25270531
2007-09-06 17:25:01 15360 --a------ C:\WINDOWS\system32\drvdotr.dll
2007-09-06 17:19:47 76021 --a------ C:\Program Files\setup.exe
2007-09-06 17:19:15 9882 --a------ C:\Program Files\hlpsrv.exe <Not Verified; NoName Corp.; NNC module>
2007-09-06 17:16:04 7680 --a------ C:\44140
2007-08-25 14:41:39 0 --a------ C:\65456765
2007-08-25 12:41:17 0 --a------ C:\58235000
2007-08-25 07:40:50 0 --a------ C:\40207968
2007-08-24 08:16:39 1136281 --a------ C:\WINDOWS\system32\dn0ceec1a5.dat
2007-08-23 18:21:13 3638 --a------ C:\WINDOWS\eo1c5j5m.exe
2007-08-23 02:09:27 3638 --a------ C:\WINDOWS\zgt5quft.exe

-- Find3M Report ---------------------------------------------------------------

2007-09-21 12:02:37 0 d-------- C:\Program Files\Norton AntiVirus
2007-09-21 12:02:37 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-21 11:38:35 0 d-------- C:\Program Files\Common Files
2007-09-13 17:21:06 0 d--h----- C:\Documents and Settings\User\Application Data\Move Networks
2007-08-24 20:52:33 0 d-------- C:\Documents and Settings\User\Application Data\Walgreens
2007-08-18 14:34:26 0 d-------- C:\Program Files\Linksys EasyLink Advisor
2007-08-16 20:50:37 0 d--h----- C:\Documents and Settings\User\Application Data\GTek
2007-08-14 00:30:03 0 d-------- C:\Program Files\Common Files\Scanner
2007-08-14 00:29:46 0 d-------- C:\Program Files\Yahoo!
2007-08-13 19:08:41 41 --a------ C:\WINDOWS\plite731_uninstaller_.bat
2007-08-13 19:08:40 49152 --a------ C:\WINDOWS\TISKY010.exe

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 07:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 07:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 07:00]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 14:47 C:\WINDOWS\ALCXMNTR.EXE]
"VTTimer"="VTTimer.exe" [2005-03-08 05:33 C:\WINDOWS\system32\VTTimer.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 04:01]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-12-19 22:52]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 22:26]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-09-01 06:42]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 12:24]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 16:18]
"DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 19:37]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-08-02 10:49]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-21 12:07]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"Walgreens PhotoShow Media Manager"="C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe" [2006-04-20 01:35]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59]
"Tbsa"="C:\DOCUME~1\User\APPLIC~1\ASKS~1\ati2evxx.exe" []
"Zsu"="C:\Program Files\Common Files\T?sks\msdtc.exe" []
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 18:16]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
"WinAVX"=C:\WINDOWS\system32\WinAvXX.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoWindowsUpdate"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ieaklog]
ieaklog.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

*Newly Created Service* - AVG7ALRT
*Newly Created Service* - AVG7CORE
*Newly Created Service* - AVG7RSW
*Newly Created Service* - AVG7RSXP
*Newly Created Service* - AVG7UPDSVC
*Newly Created Service* - AVGCLEAN
*Newly Created Service* - AVGEMS
*Newly Created Service* - AVGTDI

-- End of Deckard's System Scanner: finished at 2007-09-21 12:58:44 ------------
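The O4 and O20 lines in the log above are the ones a helper reads first. As an added illustration, not part of this thread and not code from HijackThis or Deckard's System Scanner, here is a small Python triage pass over HijackThis-style lines. It parses each O4 (Run key) and O20 (Winlogon Notify) entry and flags the patterns visible in this log: a Winlogon Notify DLL that is registered but missing from disk (ieaklog), a Windows system binary name such as msdtc.exe started from outside C:\WINDOWS\system32, a folder name HijackThis could only render as "?" (T?sks), an executable launched from a user's Application Data (Tbsa), and anything autostarting under the SYSTEM hive S-1-5-18, which is flagged for review rather than called malicious since DWQueuedReporting is a legitimate Office error-reporting entry. The sample lines are copied from the log; the function names, the SYSTEM_BINARIES list and the heuristics are my assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample input: a handful of lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Tbsa] "C:\DOCUME~1\User\APPLIC~1\ASKS~1\ati2evxx.exe" -vt yazb
O4 - HKCU\..\Run: [Zsu] "C:\Program Files\Common Files\T?sks\msdtc.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O20 - Winlogon Notify: ieaklog - ieaklog.dll (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# O4: "<hive>\..\<Run|RunOnce>: [<name>] <command> (User '<user>')"; the User suffix is optional.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\S*?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']+)'\))?$"
)
# O20: "Winlogon Notify: <name> - <dll> (file missing)"; the suffix appears when the DLL is gone.
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.+?)(?P<missing> \(file missing\))?$"
)

# Names that legitimately live only in the Windows system directory (assumed list, not exhaustive).
SYSTEM_BINARIES = {"svchost.exe", "msdtc.exe", "lsass.exe", "services.exe", "csrss.exe", "winlogon.exe"}
SYSTEM_DIR = r"c:\windows\system32"
# Folders an autostart entry rarely points into on a clean machine (8.3 and long forms).
PROFILE_MARKERS = ("\\applic~1\\", "\\application data\\", "\\local settings\\", "\\temp\\")


@dataclass
class Finding:
    line: str
    name: str
    reasons: List[str] = field(default_factory=list)


def exe_path(cmd: str) -> str:
    """Extract the executable from a Run value: the quoted path if quoted, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def check_path(path: str) -> List[str]:
    """Apply the path heuristics and return the reasons that fired (empty list if none)."""
    reasons = []
    low = path.lower()
    folder, _, base = low.rpartition("\\")
    if "?" in path:
        reasons.append("name contains a character HijackThis could not render (look-alike folder name)")
    if base in SYSTEM_BINARIES and folder != SYSTEM_DIR:
        reasons.append(f"{base} carries a Windows system binary name but runs from outside {SYSTEM_DIR}")
    if any(marker in low for marker in PROFILE_MARKERS):
        reasons.append("executable is launched from a user profile or temp folder")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Walk HijackThis-style lines and return the O4/O20 entries that deserve a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            reasons = check_path(exe_path(m["cmd"]))
            if m["hive"].startswith("HKUS\\S-1-5-18"):
                reasons.append("autostart under the SYSTEM hive (S-1-5-18): runs at boot with no logged-on user; review")
            if reasons:
                findings.append(Finding(line, m["name"], reasons))
            continue
        m = O20_RE.match(line)
        if m and m["missing"]:
            findings.append(Finding(line, m["name"],
                                    ["Winlogon Notify DLL is registered but the file is missing: orphaned loading point"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```

On the sample above the pass reports Tbsa, Zsu (two reasons), DWQueuedReporting (SYSTEM hive, review only) and ieaklog, and stays silent on the AVG and iPod entries. The empty `[]` timestamps next to Tbsa and Zsu in the Registry Dump section tell the same story from the other side: the registry still points at files the scanner could not stat.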

#4
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 26,752
OS: 2000 Pro; XP Pro; XP Home
Re: ieaklog.dll infected...(s-1-5-18) account still affecting PC
While I'm glad you're comfortable doing things on your own, please refrain from doing so during the course of our work together. It's best to stabilize a machine before making too many application changes.
I agree it's looking better. Please post the log from ComboFix as requested, so we may continue.

#5
Registered User
Join Date: Sep 2007
Posts: 22
OS: XP
Re: ieaklog.dll infected...(s-1-5-18) account still affecting PC
Sorry for that. I agree that we should get the computer back up before changing anything else.
ComboFix 07-09-19.8 - "Administrator" 2007-09-19 13:10:52.1 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.158 [GMT -5:00]
.
ADS - svchost.exe: deleted 51200 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup.\autorun.exe
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup.\info.exe
C:\DOCUME~1\Lori\STARTM~1\Programs\Startup\info.exe
C:\DOCUME~1\Lori\STARTM~1\Programs\Startup\system.exe
C:\DOCUME~1\Monicka\STARTM~1\Programs\Startup\info.exe
C:\DOCUME~1\Monicka\STARTM~1\Programs\Startup\system.exe
C:\DOCUME~1\Monicka\STARTM~1\Programs\Startup\ta_start.lnk
C:\DOCUME~1\Monicka\STARTM~1\Programs\Startup\think-adz.lnk
C:\DOCUME~1\User\APPLIC~1\ASKS~1
C:\DOCUME~1\User\APPLIC~1\ASKS~1\?asks\
C:\DOCUME~1\User\APPLIC~1\ASKS~1\ati2evxx.exe
C:\DOCUME~1\User\APPLIC~1\tmp40.tmp.exe
C:\DOCUME~1\User\APPLIC~1\tmp44.tmp.exe
C:\DOCUME~1\User\APPLIC~1\tmp6.tmp.exe
C:\DOCUME~1\User\APPLIC~1\tmpB.tmp.exe
C:\DOCUME~1\User\APPLIC~1\WNSXS~1
C:\DOCUME~1\User\err.log
C:\DOCUME~1\User\MYDOCU~1\DOBE~1
C:\DOCUME~1\User\STARTM~1\Programs\Startup\info.exe
C:\DOCUME~1\User\STARTM~1\Programs\Startup\system.exe
C:\Documents and Settings\All Users.\documents\settings
C:\Program Files\Common Files\tsks~1
C:\Program Files\Common Files\tsks~1\msdtc.exe
C:\Program Files\fetqtivo
C:\Program Files\fetqtivo\zqfcnqpa.dll
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINDOWS\deskcfg.tmp
C:\WINDOWS\sstem3~1
C:\WINDOWS\system32\B1
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_1.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\box_3.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\download_box.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\product_1_header.gif
C:\WINDOWS\system32\drivers\product_1_name_small.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_3_header.gif
C:\WINDOWS\system32\drivers\product_3_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\explore.exe
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\hxvicbp.dll
C:\WINDOWS\system32\l3acdb.dll
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\urqppoo.dll
C:\WINDOWS\system32\WinAvXX.exe
C:\WINDOWS\system32\wintisv.exe
C:\WINDOWS\system32\X1
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_ASC355
-------\LEGACY_ICF
-------\asc355

((((((((((((((((((((((((( Files Created from 2007-08-19 to 2007-09-19 )))))))))))))))))))))))))))))))
.
2007-09-19 13:09 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-19 11:51 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Yahoo!
2007-09-18 16:21 82,248 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-09-18 16:21 57,672 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-09-18 16:21 38,728 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-09-18 16:21 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-09-18 16:20 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-09-18 16:20 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-09-18 16:20 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\PC Tools
2007-09-14 14:52 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\Lavasoft
2007-09-14 14:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-13 17:27 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\Help
2007-09-13 16:43 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Gtek
2007-09-13 15:53 <DIR> d-------- C:\DOCUME~1\Monicka\APPLIC~1\Help
2007-09-07 01:16 593,920 ---hs---- C:\WINDOWS\vddunt.dll
2007-09-06 17:25 94,208 --a------ C:\WINDOWS\system32\drvdot.dll
2007-09-06 17:25 15,360 --a------ C:\WINDOWS\system32\drvdotr.dll
2007-09-06 17:19 9,882 --a------ C:\Program Files\hlpsrv.exe
2007-09-06 17:19 76,021 --a------ C:\Program Files\setup.exe
2007-08-24 08:16 1,136,281 --a------ C:\WINDOWS\system32\dn0ceec1a5.dat
2007-08-23 18:21 3,638 --a------ C:\WINDOWS\eo1c5j5m.exe
2007-08-23 08:16 94,713 --------- C:\WINDOWS\system32\ieaklog.dll
2007-08-23 02:09 3,638 --a------ C:\WINDOWS\zgt5quft.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-19 12:23 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-13 17:21 --------- d--h----- C:\DOCUME~1\User\APPLIC~1\Move Networks
2007-09-13 15:53 --------- d-------- C:\Program Files\Norton AntiVirus
2007-09-13 14:53 --------- d-------- C:\DOCUME~1\Lori\APPLIC~1\Gtek
2007-09-06 17:46 --------- dr-h----- C:\DOCUME~1\ALLUSE~1\APPLIC~1\yahoo!
2007-09-06 17:16 14336 --a------ C:\WINDOWS\system32\svchost.exe
2007-08-24 20:52 --------- d-------- C:\DOCUME~1\User\APPLIC~1\Walgreens
2007-08-18 14:34 --------- d-------- C:\Program Files\Linksys EasyLink Advisor
2007-08-16 22:21 --------- d--h----- C:\DOCUME~1\Monicka\APPLIC~1\Gtek
2007-08-16 20:50 --------- d-ah----- C:\DOCUME~1\ALLUSE~1\APPLIC~1\GTek
2007-08-16 20:50 --------- d--h----- C:\DOCUME~1\User\APPLIC~1\GTek
2007-08-16 20:50 --------- d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\Gtek
2007-08-14 00:30 --------- d-------- C:\Program Files\Common Files\Scanner
2007-08-14 00:29 --------- d-------- C:\Program Files\Yahoo!
2007-08-13 19:08 49152 --a------ C:\WINDOWS\TISKY010.exe
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-06-26 01:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 08:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 07:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 07:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 07:00]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 14:47 C:\WINDOWS\ALCXMNTR.EXE]
"VTTimer"="VTTimer.exe" [2005-03-08 05:33 C:\WINDOWS\system32\VTTimer.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 04:01]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2002-08-19 23:22]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-08-19 23:23]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-12-19 22:52]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 22:26]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-09-01 06:42]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 12:24]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 16:18]
"DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 19:37]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"plite731"="C:\WINDOWS\plite731.exe" []
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 07:00]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-08-02 10:49]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"Walgreens PhotoShow Media Manager"="C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe" [2006-04-20 01:35]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59]
"Tbsa"="C:\DOCUME~1\User\APPLIC~1\ASKS~1\ati2evxx.exe" []
"Zsu"="C:\Program Files\Common Files\T?sks\msdtc.exe" []
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 18:16]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
"WinAVX"=C:\WINDOWS\system32\WinAvXX.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoWindowsUpdate"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ieaklog]
ieaklog.dll 2007-08-23 08:16 94713 C:\WINDOWS\system32\ieaklog.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

R2 elagopro;GoProto Protocol Driver for LELA;C:\WINDOWS\system32\DRIVERS\elagopro.sys
R2 elaunidr;UniDriver for LELA;C:\WINDOWS\system32\DRIVERS\elaunidr.sys
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys

*Newly Created Service* - SHAREDACCESS
.
Contents of the 'Scheduled Tasks' folder
"2007-09-03 20:53:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-09-04 00:59:52 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job" - C:\PROGRA~1\NORTON~1\NAVW32.exe
"2007-09-19 18:30:00 C:\WINDOWS\Tasks\Symantec NetDetect.job" - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-19 13:16:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-19 13:34:44 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-19 13:34
.
--- E O F ---

#6
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 26,752
OS: 2000 Pro; XP Pro; XP Home
Re: ieaklog.dll infected...(s-1-5-18) account still affecting PC
Open notepad and copy/paste the text in the quotebox below into it: