Resolved HJT Threads - Resolved spyware and popup issues.

#1
Registered User
Join Date: Apr 2007
Location: Houston
Posts: 9
OS: XP
Help pls...hiding virus/malware
Symptoms: while Symantec was checking email, Outlook Express started spitting out email so fast it looked like snowflakes. The content said something about not being able to send your shipment...etc. I thought I disabled Outlook. A bit later, while working offline, I noticed the monitor icons in the bottom right tray were on steady blue. I looked at my network connection and it was pumping in and out data like crazy.

Then while working with Yahoo, or playing an offline game, it will shut down and go to the Control Panel. Soon after that I get a blue screen with Stop C000021A {fatal error} winlogon terminated 0X0000001(0X00000000 oX00000000). I've run Symantec, AVG, Spybot, Ad-Aware, all in safe mode. They found nothing. I ran HijackThis and saw nothing that stood out to me except this:

O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe

I have done all that I know to do, which isn't a lot!! The problem persists. I am certain something is there, but what? I am posting a copy of the HijackThis log. Is this correct?? Thank you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:44:12 PM, on 12/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\WINDOWS\system32\spoolsv.exe
d:\windows\explorer.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\ALCWZRD.EXE
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\PROGRA~1\SYMANT~1\VPTray.exe
D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\WINDOWS\system32\hphmon04.exe
D:\Program Files\Windows Media Player\WMPNSCFG.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\Symantec AntiVirus\DefWatch.exe
D:\Program Files\Symantec AntiVirus\Rtvscan.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: Shell=d:\windows\explorer.exe
F2 - REG:system.ini: UserInit=d:\windows\system32\userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHUPD04] "D:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HPHmon04] D:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [WMPNSCFG] D:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [StartCCC] D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1176686382750
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - D:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPH11 - HP - D:\WINDOWS\system32\HPHipm11.exe
O23 - Service: SAVRoam (SavRoam) - symantec - D:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 5383 bytes
#2
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 3,045
OS: XP
Re: Help pls...hiding virus/malware
Hi, welcome to TSF!
Sounds like something very fishy is going on in your machine..

Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

F2 - REG:system.ini: Shell=d:\windows\explorer.exe
F2 - REG:system.ini: UserInit=d:\windows\system32\userinit.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u

If you or your administrator didn't set these policies, please fix these:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.

______

Download Deckard's System Scanner to your Desktop.
Note: You must be logged onto an account with administrator privileges.
1. Close all applications and windows.
2. Double-click on dss.exe to run it, and follow the prompts.
3. When the scan is complete, a text file will open - main.txt.txt <<this one will be maximized and extra.txt <<this one will be minimized.
4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt.txt in your next reply.
6. Please copy and paste the contents of main.txt and extra.txt to your post.

______

Download this tool to your desktop: http://www.uploads.ejvindh.net/rootchk.exe
Run the program. After a short time a logfile will turn up. Copy the contents of the log into the thread.
If you already have "rootchk" please delete that one & grab the above one. It is updated often.
Notice: Some security programs prevent the creation of dummy drivers with certain names. This may cause false positives. If the log of rootchk contains a lot of hidden drivers, you may want to turn off your security programs while rootchk is scanning (you should then unhook your network connection as well).

______

On your next reply, please include a
__________________
Proud member of UNITE and ASAP since 2006. If we have helped you, please consider donating. The past won't be able to hurt you unless you keep on looking back at it.
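The reply above picks a handful of entries out of a long HijackThis log by hand: the F2 Shell/UserInit overrides, two O4 autoruns given only as bare file names, the O6 policy restrictions, and earlier the O23 service with an "Unknown owner". The following Python script is an added example (not from this thread, and not part of HijackThis or Deckard's System Scanner) that parses lines in that log format and marks the same kinds of entries for a human to verify. The rules it applies are my assumptions about what an analyst looks at first; a flagged entry is frequently legitimate (SOUNDMAN.EXE is a sound driver tray tool, for instance), so the script produces a review list, not a verdict. The sample log embedded in it is constructed from entry types quoted in the thread, with several IEXPLORE.EXE rows to show the process tally.

```python
"""Triage helper for HijackThis-style logs (added example; see lead-in)."""
import re
from collections import Counter

# Constructed sample assembled from the entry types quoted in the thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
D:\WINDOWS\System32\smss.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: Shell=d:\windows\explorer.exe
F2 - REG:system.ini: UserInit=d:\windows\system32\userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# One HijackThis entry per line: a section code, " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
O4_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
F2_RE = re.compile(r"^REG:system\.ini: (?P<key>Shell|UserInit)=(?P<value>.+)$")


def parse_entries(text):
    """Return (section, body) tuples for every entry line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m["section"], m["body"]))
    return entries


def review_reasons(section, body):
    """Heuristic reasons an entry deserves a human look (assumed rules, not verdicts)."""
    reasons = []
    if section == "O4":
        m = O4_RE.match(body)
        if m:
            cmd = m["cmd"].strip().strip('"')
            # A bare file name is resolved through the search path, so the log
            # alone does not tell you which binary actually runs.
            if "\\" not in cmd and not cmd.startswith("%"):
                reasons.append("O4 autorun given as a bare file name; locate the binary")
    elif section == "O23":
        m = O23_RE.match(body)
        if m and m["owner"].strip().lower() == "unknown owner":
            reasons.append("O23 service has no publisher information; verify its file")
    elif section == "F2":
        m = F2_RE.match(body)
        if m:
            reasons.append(f"F2 {m['key']} is set explicitly; confirm it names the genuine binary")
    elif section == "O6":
        reasons.append("O6 Internet Explorer policy restriction present; confirm it was intended")
    return reasons


def triage(text):
    """Map each flagged entry line to its review reasons."""
    flagged = {}
    for section, body in parse_entries(text):
        reasons = review_reasons(section, body)
        if reasons:
            flagged[f"{section} - {body}"] = reasons
    return flagged


def process_counts(text):
    """Count the 'Running processes:' block by file name (case-insensitive),
    so many copies of one binary stand out for review."""
    counts = Counter()
    in_block = False
    for line in text.splitlines():
        line = line.strip()
        if line.lower() == "running processes:":
            in_block = True
            continue
        if in_block:
            if not line:          # the block ends at the first blank line
                break
            counts[line.rsplit("\\", 1)[-1].lower()] += 1
    return counts


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG).items():
        print(entry)
        for reason in reasons:
            print("   ->", reason)
    for name, n in process_counts(SAMPLE_LOG).most_common():
        if n > 1:
            print(f"{name}: {n} instances running")
```

Run as a script it prints the review list and any binary that appears more than once in the process list; `triage()` and `process_counts()` take the log text as a string, so they work unchanged on a log pasted from a thread like this one.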
#3
Registered User
Join Date: Apr 2007
Location: Houston
Posts: 9
OS: XP
Re: Help pls...hiding virus/malware
Thank you for the reply. I am out of town presently and won't be back to my PC till after the 2nd of Jan. Can you please hold this open till I get home and have a chance to go through the steps?
Thank you, respectfully jd
#4
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 3,045
OS: XP
Re: Help pls...hiding virus/malware
Sure thing. I shall await your return.
#5
Registered User
Join Date: Apr 2007
Location: Houston
Posts: 9
OS: XP
Re: Help pls...hiding virus/malware
Thank you for waiting. Here is the main Deckard's scan..

Deckard's System Scanner v20071014.68
Run by dad on 2008-01-04 21:45:12
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

-- Last 5 Restore Point(s) --
65: 2008-01-05 03:43:32 UTC - RP226 - Deckard's System Scanner Restore Point
64: 2007-12-29 01:59:31 UTC - RP225 - System Checkpoint
63: 2007-12-27 06:08:54 UTC - RP224 - System Checkpoint
62: 2007-12-25 22:44:08 UTC - RP223 - System Checkpoint
61: 2007-12-23 01:11:36 UTC - RP222 - System Checkpoint

-- First Restore Point --
1: 2007-10-02 03:12:36 UTC - RP162 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).

-- HijackThis (run as dad.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:45:45 PM, on 1/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\Symantec AntiVirus\DefWatch.exe
D:\Program Files\Symantec AntiVirus\Rtvscan.exe
d:\windows\explorer.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\PROGRA~1\SYMANT~1\VPTray.exe
D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\WINDOWS\system32\hphmon04.exe
D:\Program Files\Windows Media Player\WMPNSCFG.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Documents and Settings\dad\Desktop\dss.exe
D:\PROGRA~1\TRENDM~1\HIJACK~1\dad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: Shell=d:\windows\explorer.exe
F2 - REG:system.ini: UserInit=d:\windows\system32\userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHUPD04] "D:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HPHmon04] D:\WINDOWS\system32\hphmon04.exe
O4 - HKCU\..\Run: [StartCCC] D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [WMPNSCFG] D:\Program Files\Windows Media Player\WMPNSCFG.exe
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec.com/techsupp/act...a/nprdtinf.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1176686382750
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - D:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPH11 - HP - D:\WINDOWS\system32\HPHipm11.exe
O23 - Service: SAVRoam (SavRoam) - symantec - D:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 4939 bytes

-- HijackThis Fixed Entries (D:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080104-213714-256 O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
backup-20080104-213714-466 O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
backup-20080104-213714-475 O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
backup-20080104-213714-476 F2 - REG:system.ini: UserInit=d:\windows\system32\userinit.exe
backup-20080104-213714-559 F2 - REG:system.ini: Shell=d:\windows\explorer.exe
backup-20080104-213714-651 O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
backup-20080104-213946-303 O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
backup-20080104-213946-523 F2 - REG:system.ini: UserInit=d:\windows\system32\userinit.exe
backup-20080104-213946-606 F2 - REG:system.ini: Shell=d:\windows\explorer.exe

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - d:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - d:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R3 SMBios (Intel (R) System Management BIOS Service) - d:\windows\system32\drivers\smbios.sys <Not Verified; Intel Corporation; Intel (R) System Management BIOS Driver>
S3 ENTECH - d:\windows\system32\drivers\entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
S3 pcouffin (VSO Software pcouffin) - d:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "d:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2007-12-25 19:19:03 284 --a------ D:\WINDOWS\Tasks\AppleSoftwareUpdate.job

-- Files created between 2007-12-04 and 2008-01-04 -----------------------------

2007-12-29 16:57:59 0 d-------- D:\WINDOWS\Prefetch
2007-12-28 18:37:58 0 dr-h----- D:\Documents and Settings\dad\Recent
2007-12-27 17:43:44 0 d-------- D:\Program Files\Trend Micro
2007-12-26 14:35:46 0 d-------- D:\VundoFix Backups
2007-12-23 16 10 25600 --a------ D:\WINDOWS\system32\WS2Fix.exe
2007-12-23 16 10 289144 --a------ D:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2007-12-23 16 10 81920 --a------ D:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2007-12-21 22:27:34 0 d-------- D:\Documents and Settings\dad\Application Data\Grisoft
2007-12-21 22:26:53 0 d-------- D:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-21 17:32:47 0 d-------- D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-19 21:41:14 3114 --a------ D:\WINDOWS\system32\tmp.reg
2007-12-19 21:40:48 288417 --a------ D:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2007-12-19 21:40:48 51200 --a------ D:\WINDOWS\system32\dumphive.exe
2007-12-19 21:40:47 53248 --a------ D:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2007-12-18 21:39:17 0 d-------- D:\Program Files\Photo Viewer
2007-12-16 18:35:31 20400 --a------ D:\WINDOWS\system32\drivers\entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
2007-12-16 18:35:14 0 d-------- D:\Program Files\AquaMark3
2007-12-16 15:09:57 0 d-------- D:\Documents and Settings\dad\Application Data\Printer Info Cache
2007-12-16 15:08:57 0 d-------- D:\Documents and Settings\dad\Application Data\U3
2007-12-15 22:57:12 0 d-------- D:\Program Files\Lavasoft
2007-12-15 22:56:16 0 d-------- D:\Program Files\Common Files\Wise Installation Wizard
2007-12-14 22:51:34 218 --a------ D:\WINDOWS\system32\drivers\atmapi.sys
2007-12-14 22:42:32 182784 --a------ D:\WINDOWS\system32\nvrsma.dll

-- Find3M Report ---------------------------------------------------------------

2008-01-04 21:24:43 0 d-------- D:\Program Files\Symantec AntiVirus
2007-12-15 22:56:16 0 d-------- D:\Program Files\Common Files
2007-12-14 22:42:33 577536 --a------ D:\WINDOWS\system32\user32.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-11-24 10:44:53 0 d-------- D:\Program Files\iTunes
2007-11-23 18:08:40 0 d-------- D:\Documents and Settings\dad\Application Data\DivX
2007-11-23 18 11 0 d-------- D:\Program Files\DivX
2007-11-22 11:01:55 0 d-------- D:\Documents and Settings\dad\Application Data\Apple Computer
2007-11-22 09:55:16 0 d-------- D:\Program Files\iPod
2007-11-22 09:53:52 0 d-------- D:\Program Files\Apple Software Update
2007-11-22 09:53:22 0 d-------- D:\Program Files\Common Files\Apple
2007-10-19 18:56:16 3596288 --a------ D:\WINDOWS\system32\qt-dx331.dll
2007-10-19 18:54:28 196608 --a------ D:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-10-19 18:54:28 81920 --a------ D:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-10-19 18:54:12 802816 --a------ D:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX®>
2007-10-19 18:54:12 823296 --a------ D:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-10-19 18:54:12 823296 --a------ D:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-10-19 18:54:10 739840 --a------ D:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2007-10-18 03:02:34 12288 --a------ D:\WINDOWS\system32\DivXWMPExtType.dll

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [03/17/2004 02:10 PM D:\WINDOWS\system32\Hdaudpropshortcut.exe]
"SoundMan"="SOUNDMAN.EXE" [09/23/2004 05:27 AM D:\WINDOWS\SOUNDMAN.EXE]
"ccApp"="D:\Program Files\Common Files\Symantec Shared\ccApp.exe" [04/08/2005 02:52 PM]
"vptray"="D:\PROGRA~1\SYMANT~1\VPTray.exe" [04/17/2005 11:30 AM]
"HPDJ Taskbar Utility"="D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" [04/04/2002 02:03 PM]
"HPHUPD04"="D:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [04/04/2002 02:04 PM]
"RemoteControl"="D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [10/31/2003 06:42 PM]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 07:51 PM]
"iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe" [11/15/2007 01:11 PM]
"HPHmon04"="D:\WINDOWS\system32\hphmon04.exe" [04/04/2002 02:01 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"StartCCC"="D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [11/10/2006 11:35 AM]
"WMPNSCFG"="D:\Program Files\Windows Media Player\WMPNSCFG.exe" [10/18/2006 07:05 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HPHmon04"=D:\WINDOWS\system32\hphmon04.exe

-- End of Deckard's System Scanner: finished at 2008-01-04 21:46:40 ------------

Here is the DSS extra.txt:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) 4 CPU 3.00GHz
CPU 1: Intel(R) Pentium(R) 4 CPU 3.00GHz
Percentage of Memory in Use: 73%
Physical Memory (total/avail): 510.73 MiB / 136.77 MiB
Pagefile Memory (total/avail): 1246.38 MiB / 891.21 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1941.89 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 37.11 GiB total, 23.41 GiB free.
D: is Fixed (NTFS) - 37.41 GiB total, 11.78 GiB free.
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD800JD-60LUA0 - 74.53 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 37.11 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 37.41 GiB - D:

-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is enabled.
FirstRunDisabled is set.

AV: Symantec AntiVirus Corporate Edition v10.0.0.359 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\\Program Files\\Ubisoft\\Demo\\Gearbox Software\\BrothersInArmsEiB\\System\\EiB.exe"="D:\\Program Files\\Ubisoft\\Demo\\Gearbox Software\\BrothersInArmsEiB\\System\\EiB.exe:*:Disabled:Brothers In Arms Earned In Blood"
"D:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"="D:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe:*:Enabled:BF1942"
"D:\\Program Files\\EA GAMES\\Battlefield Vietnam\\bfvietnam.exe"="D:\\Program Files\\EA GAMES\\Battlefield Vietnam\\bfvietnam.exe:*:Enabled:bfvietnam"
"D:\\Program Files\\iTunes\\iTunes.exe"="D:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=D:\Documents and Settings\All Users
APPDATA=D:\Documents and Settings\dad\Application Data
CLIENTNAME=Console
CommonProgramFiles=D:\Program Files\Common Files
COMPUTERNAME=DADPC
ComSpec=D:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=D:
HOMEPATH=\Documents and Settings\dad
LOGONSERVER=\\DADPC
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=D:\WINDOWS\system32;D:\WINDOWS;D:\WINDOWS\System32\Wbem;D:\Program Files\ATI Technologies\ATI.ACE\Core-Static;D:\Program Files\Common Files\Ulead Systems\MPEG;D:\Program Files\Common Files\Ulead Systems\DVD
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0403
ProgramFiles=D:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=D:
SystemRoot=D:\WINDOWS
TEMP=D:\DOCUME~1\dad\LOCALS~1\Temp
TMP=D:\DOCUME~1\dad\LOCALS~1\Temp
USERDOMAIN=DADPC
USERNAME=dad
USERPROFILE=D:\Documents and Settings\dad
windir=D:\WINDOWS

-- User Profiles ---------------------------------------------------------------

dad (admin)

-- Add/Remove Programs ---------------------------------------------------------

--> D:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 D:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player 9 ActiveX --> D:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Reader 8.1.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
Apple Mobile Device Support --> MsiExec.exe /I{B5C209B1-8DDB-4642-A573-375B951514CB}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
AquaMark3 --> D:\PROGRA~1\AQUAMA~1\UNWISE.EXE D:\PROGRA~1\AQUAMA~1\INSTALL.LOG
Arles Image Web Page Creator 7.2.2 --> "D:\Program Files\Digital Dutch\Arles Image Web Page Creator\unins000.exe"
ATI - Software Uninstall Utility --> D:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{055EE59D-217B-43A7-ABFF-507B966405D8}\setup.exe" -l0x0
ATI Display Driver --> rundll32 D:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVG Anti-Spyware 7.5 --> D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Battlecraft 1942 --> D:\WINDOWS\iun6002.exe "D:\Program Files\EA GAMES\Battlecraft 1942\irunin.ini"
Battlefield 1942 --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{698D7E61-E4BF-4CA6-8A09-CF6BDBFDEF65}\setup.exe" -l0x9
Battlefield 1942: Secret Weapons of WWII --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{B73B4A99-4173-4747-BBEC-0F05E966F9D2}\Setup.exe" -l0x9
Battlefield 1942: The Road To Rome --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{D057AA08-8CBF-42E3-9EAB-23B8FED1C279}\Setup.exe" -l0x9
Battlefield Vietnam(TM) --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{E35B3C63-E958-4E31-A178-95D22024109A}\setup.exe" -l0x9
Battlefield Vietnam: WW2 Mod --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{F989306B-9287-444F-AE73-E30C7E4AF0F5}\setup.exe" -l0x9
Brothers In Arms EiB Demo --> D:\Program Files\Ubisoft\Demo\Gearbox Software\BrothersInArmsEiB\System\Setup.exe uninstall "BrothersInArmsEiBDemo"
Call of Duty Game of the Year Edition --> D:\PROGRA~1\CALLOF~1\Uninstall\Unwise.exe /u D:\PROGRA~1\CALLOF~1\Uninstall\Install.log
Core FTP LE 1.3c --> D:\PROGRA~1\CoreFTP\UNWISE.EXE D:\PROGRA~1\CoreFTP\INSTALL.LOG
DivX Codec --> D:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> D:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> D:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> D:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> D:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Garmin MapSource --> MsiExec.exe /X{F3B76517-C1BC-40A7-814C-4C0A87E7D9DF}
Google Earth --> MsiExec.exe /I{407B9B5C-DAC5-4F44-A756-B57CAB4E6A8B}
High Definition Audio Driver Package - KB835221 --> D:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2 --> "D:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "D:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Photo and Imaging 1.0 - HP Photosmart Printer Series --> MsiExec.exe /I{0D396571-7BBD-44CE-ABB3-518BF86B72F7}
Intel(R) PRO Network Adapters and Drivers --> Prounstl.exe
iTunes --> MsiExec.exe /I{4F5CE18C-D97D-48FF-A510-A0D90C918294}
Jane's Combat Simulations WWII Fighters --> D:\WINDOWS\IsUninst.exe -f"D:\Program Files\Jane's Combat Simulations\WWII Fighters\Uninst.isu"
LiveUpdate 2.6 (Symantec Corporation) --> D:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
MapSource - North American City Select v4.01 --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Garmin\Setup\NACitySel401\setup.exe" -l0x9 AddRemove
Marine Sharpshooter --> D:\PROGRA~1\GROOVE~1\MARINE~1\UNWISE.EXE D:\PROGRA~1\GROOVE~1\MARINE~1\INSTALL.LOG
Marine Sharpshooter II: Jungle Warfare --> D:\PROGRA~1\GROOVE~1\MARINE~2\UNWISE.EXE D:\PROGRA~1\GROOVE~1\MARINE~2\INSTALL.LOG
Microsoft Compression Client Pack 1.0 for Windows XP --> "D:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office 2000 Professional --> MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "D:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Pacific Fighters --> D:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{E149E957-F289-45E3-8645-1794A173F5AB} /l1033
Photo Story 3 for Windows --> MsiExec.exe /I{4F41AD68-89F2-4262-A32C-2F70B01FCE9E}
Photo Viewer 2.4 --> "D:\Program Files\Photo Viewer\uninstall.exe"
Photosmart Printer 130,230,7150,7350,7550 (Remove only) --> D:\Program Files\HP Photosmart 11\Printer\hphuni04.exe
Pixie 3.1 (remove only) --> "D:\Program Files\Nattyware\Pixie\uninstall.exe"
PowerDVD --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
PunkBuster for Battlefield 1942 --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{127B684B-A002-44C8-99A7-6CF8F1E26873}\setup.exe" -l0x9
PunkBuster for Battlefield Vietnam --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{D07643A3-CE41-4286-8C78-EB9C83E76DDB}\setup.exe" -l0x9
Realtek High Definition Audio Driver --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" REMOVE
Spybot - Search & Destroy 1.4 --> "D:\Program Files\Spybot - Search & Destroy\unins000.exe"
Symantec AntiVirus --> MsiExec.exe /I{5A633ED0-E5D7-4D65-AB8D-53ED43510284}
Windows Media Format 11 runtime --> "D:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
XMLinst --> MsiExec.exe /I{EA23971F-2CEE-48FC-B64D-7F74A6EF90F0}

-- Application Event Log -------------------------------------------------------

Event Record #/Type6409 / Error
Event Submitted/Written: 01/04/2008 09:46:10 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

Event Record #/Type6405 / Error
Event Submitted/Written: 01/04/2008 09:37:15 PM
Event ID/Source: 45 / Symantec AntiVirus
Event Description:
SYMANTEC TAMPER PROTECTION ALERT
Target: D:\PROGRA~1\SYMANT~1\VPTray.exe
Event Info: Open Process
Action Taken: Blocked
Actor Process: D:\Program Files\Trend Micro\HijackThis\HijackThis.exe (PID 4176)
Time: Friday, January 04, 2008 9:37:15 PM

Event Record #/Type6404 / Error
Event Submitted/Written: 01/04/2008 09:37:15 PM
Event ID/Source: 45 / Symantec AntiVirus
Event Description:
SYMANTEC TAMPER PROTECTION ALERT
Target: D:\Program Files\Common Files\Symantec Shared\ccApp.exe
Event Info: Open Process
Action Taken: Blocked
Actor Process: D:\Program Files\Trend Micro\HijackThis\HijackThis.exe (PID 4176)
Time: Friday, January 04, 2008 9:37:15 PM

Event Record #/Type6403 / Error
Event Submitted/Written: 01/04/2008 09:37:15 PM
Event ID/Source: 45 / Symantec AntiVirus
Event Description:
SYMANTEC TAMPER PROTECTION ALERT
Target: D:\Program Files\Symantec AntiVirus\Rtvscan.exe
Event Info: Open Process
Action Taken: Blocked
Actor Process: D:\Program Files\Trend Micro\HijackThis\HijackThis.exe (PID 4176)
Time: Friday, January 04, 2008 9:37:15 PM

Event Record #/Type6402 / Error
Event Submitted/Written: 01/04/2008 09:37:15 PM
Event ID/Source: 45 / Symantec AntiVirus
Event Description:
SYMANTEC TAMPER PROTECTION ALERT
Target: D:\Program Files\Symantec AntiVirus\DefWatch.exe
Event Info: Open Process
Action Taken: Blocked
Actor Process: D:\Program Files\Trend Micro\HijackThis\HijackThis.exe (PID 4176)
Time: Friday, January 04, 2008 9:37:15 PM

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.
-- System Event Log ------------------------------------------------------------ Event Record #/Type18790 / Error Event Submitted/Written: 01/04/2008 09:32:25 PM Event ID/Source: 32003 / ipnathlp Event Description: The Network Address Translator (NAT) was unable to request an operation of the kernel-mode translation module. This may indicate misconfiguration, insufficient resources, or an internal error. The data is the error code. Event Record #/Type18789 / Error Event Submitted/Written: 01/04/2008 09:32:25 PM Event ID/Source: 1000 / Dhcp Event Description: Your computer has lost the lease to its IP address 192.168.100.10 on the Network Card with network address 001320653E4D. Event Record #/Type18788 / Warning Event Submitted/Written: 01/04/2008 09:32:25 PM Event ID/Source: 1003 / Dhcp Event Description: Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 001320653E4D. The following error occurred: %%121. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server. Event Record #/Type18787 / Error Event Submitted/Written: 01/04/2008 09:32:08 PM Event ID/Source: 1002 / Dhcp Event Description: The IP address lease 98.196.173.145 for the Network Card with network address 001320653E4D has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message). Event Record #/Type18784 / Warning Event Submitted/Written: 01/04/2008 09:30:36 PM Event ID/Source: 4226 / Tcpip Event Description: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts. -- End of Deckard's System Scanner: finished at 2008-01-04 21:46:40 ------------ AND HERE IS ROOT LOG: ********************************* ROOTCHK-(28-12-07)-LOG, by ejvindh Fri 01/04/2008 22:04:36.89 The rootkits that are detected by this tool were not found. 
********************************* ROOTCHK-LOG-end
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-04 22:04:38
Windows 5.1.2600 Service Pack 2
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
hidden processes: 0
hidden services: 0
hidden files: 0

I think I have it all there, thanks.
#6 (permalink)
Registered User
Join Date: Apr 2007
Location: Houston
Posts: 9
OS: XP
Re: Help pls...hiding virus/malware
I also noticed that after "fixing"
F2 - REG:system.ini: Shell=d:\windows\explorer.exe
F2 - REG:system.ini: UserInit=d:\windows\system32\userinit.exe
they appear to have returned.
#7 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 3,045
OS: XP
Re: Help pls...hiding virus/malware
Ack! You have a bad file infector on-board..
Download combofix.exe
__________________
Proud member of UNITE and ASAP since 2006. If we have helped you, please consider donating. The past won't be able to hurt you unless you keep on looking back at it.
#8 (permalink)
Registered User
Join Date: Apr 2007
Location: Houston
Posts: 9
OS: XP
Re: Help pls...hiding virus/malware
Wow, thanks for the very speedy reply.
Here is the combofix file. Symantec tamper protection kept popping up even after I turned it off. I don't know if I got a good run on combofix or not.... I think it may be okay. If not I'll run it again.

ComboFix 08-01-06.1 - dad 2008-01-05 11:14:27.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.108 [GMT -6:00] Running from: D:\Documents and Settings\dad\Desktop\ComboFix.exe * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . D:\Documents and Settings\dad\Application Data\inst.exe D:\WINDOWS\sys.log D:\WINDOWS\system32\drivers\atmapi.sys . ((((((((((((((((((((((((( Files Created from 2007-12-06 to 2008-01-06 ))))))))))))))))))))))))))))))) . 2008-01-05 11:13 . 2000-08-31 08:00 51,200 --a------ D:\WINDOWS\NirCmd.exe 2008-01-04 21:43 . 2008-01-04 21:43 <DIR> d-------- D:\Deckard 2007-12-27 17:43 . 2007-12-27 17:43 <DIR> d-------- D:\Program Files\Trend Micro 2007-12-26 14:35 . 2007-12-26 14:35 <DIR> d-------- D:\VundoFix Backups 2007-12-23 16:06 . 2007-09-05 23:22 289,144 --a------ D:\WINDOWS\system32\VCCLSID.exe 2007-12-23 16:06 . 2007-12-20 23:11 81,920 --a------ D:\WINDOWS\system32\IEDFix.exe 2007-12-23 16:06 . 2007-10-03 23:36 25,600 --a------ D:\WINDOWS\system32\WS2Fix.exe 2007-12-21 22:27 . 2007-12-21 22:27 <DIR> d-------- D:\Documents and Settings\dad\Application Data\Grisoft 2007-12-21 22:26 . 2007-12-21 22:26 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Grisoft 2007-12-21 22:26 . 2007-05-30 06:10 10,872 --a------ D:\WINDOWS\system32\drivers\AvgAsCln.sys 2007-12-21 17:32 . 2007-12-21 19:25 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2007-12-19 21:41 . 2007-12-23 16:07 3,114 --a------ D:\WINDOWS\system32\tmp.reg 2007-12-19 21:40 . 2006-04-27 17:49 288,417 --a------ D:\WINDOWS\system32\SrchSTS.exe 2007-12-19 21:40 .
2003-06-05 21:13 53,248 --a------ D:\WINDOWS\system32\Process.exe 2007-12-19 21:40 . 2004-07-31 18:50 51,200 --a------ D:\WINDOWS\system32\dumphive.exe 2007-12-18 21:39 . 2007-12-18 21:39 <DIR> d-------- D:\Program Files\Photo Viewer 2007-12-16 18:35 . 2007-12-16 18:35 <DIR> d-------- D:\Program Files\AquaMark3 2007-12-16 18:35 . 1999-10-21 11:12 20,400 --a------ D:\WINDOWS\system32\drivers\entech.sys 2007-12-16 15:09 . 2007-12-16 15:09 <DIR> d-------- D:\Documents and Settings\dad\Application Data\Printer Info Cache 2007-12-16 15:08 . 2007-12-28 20:54 <DIR> d-------- D:\Documents and Settings\dad\Application Data\U3 2007-12-15 22:57 . 2007-12-15 22:57 <DIR> d-------- D:\Program Files\Lavasoft 2007-12-15 22:56 . 2007-12-15 22:56 <DIR> d-------- D:\Program Files\Common Files\Wise Installation Wizard . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-01-05 17:04 --------- d-----w D:\Program Files\Symantec AntiVirus 2007-12-15 04:42 577,536 ----a-w D:\WINDOWS\system32\user32.dll 2007-11-24 16:44 --------- d-----w D:\Program Files\iTunes 2007-11-24 00:08 --------- d-----w D:\Documents and Settings\dad\Application Data\DivX 2007-11-24 00:06 --------- d-----w D:\Program Files\DivX 2007-11-23 22:57 --------- d-----w D:\Documents and Settings\All Users\Application Data\Apple Computer 2007-11-23 15:27 --------- d-----w D:\Documents and Settings\Default User\Application Data\Apple Computer 2007-11-22 17:01 --------- d-----w D:\Documents and Settings\dad\Application Data\Apple Computer 2007-11-22 15:55 --------- d-----w D:\Program Files\iPod 2007-11-22 15:53 --------- d-----w D:\Program Files\Common Files\Apple 2007-11-22 15:53 --------- d-----w D:\Program Files\Apple Software Update 2007-11-22 15:53 --------- d-----w D:\Documents and Settings\All Users\Application Data\Apple 2007-11-13 10:25 20,480 ----a-w D:\WINDOWS\system32\drivers\secdrv.sys 2007-10-29 22:43 1,287,680 ----a-w D:\WINDOWS\system32\quartz.dll 
2007-10-27 23:40 222,720 ----a-w D:\WINDOWS\system32\wmasf.dll 2007-10-20 00:56 524,288 ----a-w D:\WINDOWS\system32\DivXsm.exe 2007-10-20 00:56 3,596,288 ----a-w D:\WINDOWS\system32\qt-dx331.dll 2007-10-20 00:56 200,704 ----a-w D:\WINDOWS\system32\ssldivx.dll 2007-10-20 00:56 129,784 ------w D:\WINDOWS\system32\pxafs.dll 2007-10-20 00:56 120,056 ------w D:\WINDOWS\system32\pxcpyi64.exe 2007-10-20 00:56 118,520 ------w D:\WINDOWS\system32\pxinsi64.exe 2007-10-20 00:56 1,044,480 ----a-w D:\WINDOWS\system32\libdivx.dll 2007-10-20 00:54 823,296 ----a-w D:\WINDOWS\system32\divx_xx0c.dll 2007-10-20 00:54 823,296 ----a-w D:\WINDOWS\system32\divx_xx07.dll 2007-10-20 00:54 81,920 ----a-w D:\WINDOWS\system32\dpl100.dll 2007-10-20 00:54 802,816 ----a-w D:\WINDOWS\system32\divx_xx11.dll 2007-10-20 00:54 739,840 ----a-w D:\WINDOWS\system32\DivX.dll 2007-10-20 00:54 196,608 ----a-w D:\WINDOWS\system32\dtu100.dll 2007-10-18 09:06 156,992 ----a-w D:\WINDOWS\system32\DivXCodecVersionChecker.exe 2007-10-18 09:03 593,920 ----a-w D:\WINDOWS\system32\dpuGUI11.dll 2007-10-18 09:03 57,344 ----a-w D:\WINDOWS\system32\dpv11.dll 2007-10-18 09:03 53,248 ----a-w D:\WINDOWS\system32\dpuGUI10.dll 2007-10-18 09:03 344,064 ----a-w D:\WINDOWS\system32\dpus11.dll 2007-10-18 09:03 294,912 ----a-w D:\WINDOWS\system32\dpu11.dll 2007-10-18 09:03 294,912 ----a-w D:\WINDOWS\system32\dpu10.dll 2007-10-18 09:02 12,288 ----a-w D:\WINDOWS\system32\DivXWMPExtType.dll 2007-05-27 21:39 4 ----a-w D:\Program Files\Common Files\Cvtaqlog.dat 2007-05-22 03:12 47,360 ----a-w D:\Documents and Settings\dad\Application Data\pcouffin.sys 2005-12-18 23:44 1,019 ----a-w D:\Program Files\Nero PhotoSnap Viewer.lnk . Infected D:\WINDOWS\system32\user32.dll hex repaired D:\WINDOWS\system32\user32.dll ... is infected !! 
(additional data below) 577,024 2005-03-02 18:19:56 D:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll 578,048 2007-03-08 15:48:36 D:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll 577,024 2005-03-02 18:09:30 D:\WINDOWS\$NtUninstallKB925902$\user32.dll 577,024 2005-03-02 18:09:30 D:\WINDOWS\$NtUninstallKB925902$\user32.dll.000 577,536 2007-12-15 04:42:33 D:\WINDOWS\system32\user32.dll 577,536 2007-12-15 04:42:33 D:\WINDOWS\system32\dllcache\user32.dll ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "StartCCC"="D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 11:35 90112] "WMPNSCFG"="D:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 19:05 204288] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 14:10 61952 D:\WINDOWS\system32\Hdaudpropshortcut.exe] "SoundMan"="SOUNDMAN.EXE" [2004-09-23 05:27 77824 D:\WINDOWS\SOUNDMAN.EXE] "ccApp"="D:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 14:52 48752] "vptray"="D:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-04-17 11:30 85184] "HPDJ Taskbar Utility"="D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-04-04 14:03 188416] "HPHUPD04"="D:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [2002-04-04 14:04 49152] "RemoteControl"="D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 18:42 32768] "Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792] "iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11 267048] "HPHmon04"="D:\WINDOWS\system32\hphmon04.exe" [2002-04-04 14:01 335872] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-] "<NO NAME>"= 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "HPHmon04"=D:\WINDOWS\system32\hphmon04.exe *Newly Created Service* - PROCEXP90 . Contents of the 'Scheduled Tasks' folder "2007-12-26 01:19:03 D:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - D:\Program Files\Apple Software Update\SoftwareUpdate.exe . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-01-06 11:16:14 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2008-01-06 11:16:39 ComboFix-quarantined-files.txt 2008-01-06 17:16:36 . 2007-12-21 23:10:19 --- E O F ---
#9 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 3,045
OS: XP
Re: Help pls...hiding virus/malware
I wonder how much interference Norton caused there..
If you can't shut down Norton, reboot to safe mode then run combofix there. To enter Safe Mode.. Click Start > Turn Off Computer > Restart > Tap F8 key just before Windows starts to load, > This will bring up a Menu > Use your keyboard to scroll to Safe Mode> Hit enter.
#10 (permalink)
Registered User
Join Date: Apr 2007
Location: Houston
Posts: 9
OS: XP
Re: Help pls...hiding virus/malware
Okay...here it is, copied from safe mode. After running combofix I haven't seen any more signs of email spewing. Is it clean??

ComboFix 08-01-06.1 - dad 2008-01-06 23:43:02.3 - NTFSx86 MINIMAL Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.372 [GMT -6:00] Running from: D:\Documents and Settings\dad\Desktop\ComboFix.exe . ((((((((((((((((((((((((( Files Created from 2007-12-07 to 2008-01-07 ))))))))))))))))))))))))))))))) . 2008-01-05 11:13 . 2000-08-31 08:00 51,200 --a------ D:\WINDOWS\NirCmd.exe 2008-01-04 21:43 . 2008-01-04 21:43 <DIR> d-------- D:\Deckard 2007-12-27 17:43 . 2007-12-27 17:43 <DIR> d-------- D:\Program Files\Trend Micro 2007-12-26 14:35 . 2007-12-26 14:35 <DIR> d-------- D:\VundoFix Backups 2007-12-23 16:06 . 2007-09-05 23:22 289,144 --a------ D:\WINDOWS\system32\VCCLSID.exe 2007-12-23 16:06 . 2007-12-20 23:11 81,920 --a------ D:\WINDOWS\system32\IEDFix.exe 2007-12-23 16:06 . 2007-10-03 23:36 25,600 --a------ D:\WINDOWS\system32\WS2Fix.exe 2007-12-21 22:27 . 2007-12-21 22:27 <DIR> d-------- D:\Documents and Settings\dad\Application Data\Grisoft 2007-12-21 22:26 . 2007-12-21 22:26 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Grisoft 2007-12-21 22:26 . 2007-05-30 06:10 10,872 --a------ D:\WINDOWS\system32\drivers\AvgAsCln.sys 2007-12-21 17:32 . 2007-12-21 19:25 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2007-12-19 21:41 . 2007-12-23 16:07 3,114 --a------ D:\WINDOWS\system32\tmp.reg 2007-12-19 21:40 . 2006-04-27 17:49 288,417 --a------ D:\WINDOWS\system32\SrchSTS.exe 2007-12-19 21:40 . 2003-06-05 21:13 53,248 --a------ D:\WINDOWS\system32\Process.exe 2007-12-19 21:40 . 2004-07-31 18:50 51,200 --a------ D:\WINDOWS\system32\dumphive.exe 2007-12-18 21:39 . 2007-12-18 21:39 <DIR> d-------- D:\Program Files\Photo Viewer 2007-12-16 18:35 . 2007-12-16 18:35 <DIR> d-------- D:\Program Files\AquaMark3 2007-12-16 18:35 .
1999-10-21 11:12 20,400 --a------ D:\WINDOWS\system32\drivers\entech.sys 2007-12-16 15:09 . 2007-12-16 15:09 <DIR> d-------- D:\Documents and Settings\dad\Application Data\Printer Info Cache 2007-12-16 15:08 . 2008-01-06 14:04 <DIR> d-------- D:\Documents and Settings\dad\Application Data\U3 2007-12-15 22:57 . 2007-12-15 22:57 <DIR> d-------- D:\Program Files\Lavasoft 2007-12-15 22:56 . 2007-12-15 22:56 <DIR> d-------- D:\Program Files\Common Files\Wise Installation Wizard . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-01-07 05:40 --------- d-----w D:\Program Files\Symantec AntiVirus 2007-12-15 04:42 577,536 ----a-w D:\WINDOWS\system32\user32.dll 2007-11-24 16:44 --------- d-----w D:\Program Files\iTunes 2007-11-24 00:08 --------- d-----w D:\Documents and Settings\dad\Application Data\DivX 2007-11-24 00:06 --------- d-----w D:\Program Files\DivX 2007-11-23 22:57 --------- d-----w D:\Documents and Settings\All Users\Application Data\Apple Computer 2007-11-23 15:27 --------- d-----w D:\Documents and Settings\Default User\Application Data\Apple Computer 2007-11-22 17:01 --------- d-----w D:\Documents and Settings\dad\Application Data\Apple Computer 2007-11-22 15:55 --------- d-----w D:\Program Files\iPod 2007-11-22 15:53 --------- d-----w D:\Program Files\Common Files\Apple 2007-11-22 15:53 --------- d-----w D:\Program Files\Apple Software Update 2007-11-22 15:53 --------- d-----w D:\Documents and Settings\All Users\Application Data\Apple 2007-11-13 10:25 20,480 ----a-w D:\WINDOWS\system32\drivers\secdrv.sys 2007-10-29 22:43 1,287,680 ----a-w D:\WINDOWS\system32\quartz.dll 2007-10-27 23:40 222,720 ----a-w D:\WINDOWS\system32\wmasf.dll 2007-10-20 00:56 524,288 ----a-w D:\WINDOWS\system32\DivXsm.exe 2007-10-20 00:56 3,596,288 ----a-w D:\WINDOWS\system32\qt-dx331.dll 2007-10-20 00:56 200,704 ----a-w D:\WINDOWS\system32\ssldivx.dll 2007-10-20 00:56 129,784 ------w D:\WINDOWS\system32\pxafs.dll 
2007-10-20 00:56 120,056 ------w D:\WINDOWS\system32\pxcpyi64.exe 2007-10-20 00:56 118,520 ------w D:\WINDOWS\system32\pxinsi64.exe 2007-10-20 00:56 1,044,480 ----a-w D:\WINDOWS\system32\libdivx.dll 2007-10-20 00:54 823,296 ----a-w D:\WINDOWS\system32\divx_xx0c.dll 2007-10-20 00:54 823,296 ----a-w D:\WINDOWS\system32\divx_xx07.dll 2007-10-20 00:54 81,920 ----a-w D:\WINDOWS\system32\dpl100.dll 2007-10-20 00:54 802,816 ----a-w D:\WINDOWS\system32\divx_xx11.dll 2007-10-20 00:54 739,840 ----a-w D:\WINDOWS\system32\DivX.dll 2007-10-20 00:54 196,608 ----a-w D:\WINDOWS\system32\dtu100.dll 2007-10-18 09:06 156,992 ----a-w D:\WINDOWS\system32\DivXCodecVersionChecker.exe 2007-10-18 09:03 593,920