|
|
|
|
|||||
|
|
|
|
|
|
|||
| Welcome
to Tech Support Forum home to more then 136,000 problems solved. Issues
have included: Spyware, Malware, Virus Issues, Windows, Microsoft,
Linux, Networking, Security, Hardware, and Gaming Getting your
problem solved is as easy as: 1. Registering for a free account 2. Asking your question 3. Receiving an answer Registered members: * See fewer ads. * And much more..
|
| Want to know how to post a question? click here | Having problems with spyware and pop-ups? First Steps |
|
|||||||
| Resolved HJT Threads Resolved spyware and popup issues. |
|
|
Thread Tools |
07-04-2008, 01:28 PM
|
#1 (permalink) |
|
Registered User
Join Date: Jul 2008
Posts: 12
OS: winxp
|
Trojan detected. Please help
Hi,
I got a Trojan(s) recently when I was stupid enough to open what seemed like a key generator. My anti-virus program (Sophos) picked up some of it, but I don't think it got all of it. Since then I have downloaded AVG and run scans using that, Kaspersky, and Malewarebytes' Anti-Malware. Anti-Malware picked up some more, but there are still things affecting my computer. Here they are as follows: 2 days ago my bookmarks got deleted Computer would crash occasionally When starting up, laptop would crash when the desktop loaded. Would require 2-3 restarts before it would load successfully. Computer speed may have slowed down. My HiJackThis log is posted below. I would really appreciate it if I could get some help off this because I have been having so many problems. Thanks. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 1:28:41 PM, on 7/4/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\brsvc01a.exe C:\WINDOWS\system32\brss01a.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe C:\Program Files\Executive Software\Diskeeper\DkService.exe c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\Program Files\Sophos\AutoUpdate\ALsvc.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIA.EXE C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Sophos\AutoUpdate\ALMon.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\AIM\aim.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [EPSON Stylus CX6000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIA.EXE /FU "C:\WINDOWS\TEMP\E_SB3.tmp" /EF "HKLM" O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL,avgrsstx.dll, O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe -- End of file - 7323 bytes Again, thanks. |
|
     |
|
07-05-2008, 12:29 AM
|
#2 (permalink) |
|
Registered User
Join Date: Jul 2008
Posts: 12
OS: winxp
|
Re: Trojan detected. Please help
Updated HiJackThis log after cleaning with ATF-Cleaner.
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:28:04 AM, on 7/5/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\brsvc01a.exe C:\WINDOWS\system32\brss01a.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe C:\Program Files\Executive Software\Diskeeper\DkService.exe c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe C:\Program Files\Sophos\AutoUpdate\ALsvc.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe C:\WINDOWS\System32\svchost.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Sophos\AutoUpdate\ALMon.exe C:\Program Files\MSN Messenger\msnmsgr.exe C:\Program Files\AIM\aim.exe C:\Program Files\MSN Messenger\usnsvc.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [EPSON Stylus CX6000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIA.EXE /FU "C:\WINDOWS\TEMP\E_SB3.tmp" /EF "HKLM" O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL,avgrsstx.dll, O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe -- End of file - 7442 bytes |
|
|
|
|
07-08-2008, 09:16 AM
|
#4 (permalink) |
|
Registered User
Join Date: Jul 2008
Posts: 12
OS: winxp
|
Re: Trojan detected. Please help
I just did a Malwarebytes' scan and got a warning from both Sophos and AVG saying that the files
C:/System Volume Information/_restore{F845EDB-f751-4BE4-A620-64F2CA1BfB5F}/RP988/A0523950.exe and C:/System Volume Information/_restore{F845EDB-f751-4BE4-A620-64F2CA1BfB5F}/RP988/A0523951.dll files were infected. These did not come up in scans before. What should I do to fix them? AVG said that it could not remove these files. |
|
|
|
|
07-08-2008, 09:27 AM
|
#5 (permalink) | ||
|
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Důn Čideann,Scotland.
Posts: 2,790
OS: XP
|
Re: Trojan detected. Please help
Hello and welcome to TSF
Quote:
Quote:
Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
======= Logs Required C:\Deckard\System Scanner\main.txt C:\Deckard\System Scanner\extra.txt<----Attached
__________________
Member of ASAP since 2007 Member of UNITE since 2008 **Notice to BT customers** Trial of BT-Phorm spyware to start 30th September, 2008- for more information please visit No DPI website for more information.  Phorm, previously known as 121Media were responsible for the Apropos rootkit, see Here for more information on said rootkit. If we have helped you in anyway,please consider Donating |
||
|
|
|
|
07-08-2008, 09:50 AM
|
#6 (permalink) |
|
Registered User
Join Date: Jul 2008
Posts: 12
OS: winxp
|
Re: Trojan detected. Please help
Thanks for the quick reply. Here is my main.txt:
Deckard's System Scanner v20071014.68 Run by Owner on 2008-07-08 09:44:01 Computer is in Normal Mode. -------------------------------------------------------------------------------- -- System Restore -------------------------------------------------------------- Successfully created a Deckard's System Scanner Restore Point. -- Last 5 Restore Point(s) -- 34: 2008-07-08 16:44:11 UTC - RP1001 - Deckard's System Scanner Restore Point 33: 2008-07-08 16:37:02 UTC - RP1000 - Installed AVG 8.0 32: 2008-07-08 16:36:06 UTC - RP999 - Removed AVG 8.0 31: 2008-07-08 04:36:00 UTC - RP998 - System Checkpoint 30: 2008-07-07 03:54:26 UTC - RP997 - System Checkpoint -- First Restore Point -- 1: 2008-06-11 02:18:32 UTC - RP968 - System Checkpoint Backed up registry hives. Performed disk cleanup. System Drive C: has 8.9 GiB (less than 15%) free. -- HijackThis (run as Owner.exe) ----------------------------------------------- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:47:08 AM, on 7/8/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\brsvc01a.exe C:\WINDOWS\system32\brss01a.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe C:\Program Files\Executive Software\Diskeeper\DkService.exe c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe C:\Program Files\Sophos\AutoUpdate\ALsvc.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\Sophos\AutoUpdate\ALMon.exe C:\Documents and Settings\Owner\Desktop\dss.exe C:\WINDOWS\system32\conime.exe C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [EPSON Stylus CX6000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIA.EXE /FU "C:\WINDOWS\TEMP\E_SB3.tmp" /EF "HKLM" O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe -- End of file - 7318 bytes -- File Associations ----------------------------------------------------------- .reg - regfile - shell\open\command - regedit.exe "%1" %* .scr - scrfile - shell\open\command - "%1" %* -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------- R2 WIBUKEY (WIBU-KEY Kernel Driver) - c:\windows\system32\drivers\wibukey.sys <Not Verified; WIBU-SYSTEMS AG; WIBU-KEY Software Protection System> S3 nhcAcpi_driver (Notebook Hardware Control ACPI Driver) - c:\windows\system32\drivers\nhcacpi.sys (file missing) S3 nhcDriverDevice (Notebook Hardware Control Driver) - c:\windows\system32\drivers\nhcdriver.sys <Not Verified; pBUS-167 Software - http://www.pbus-167.com; Notebook Hardware Control Driver> S3 nhcNT_driver (Notebook Hardware Control NT Driver) - c:\windows\system32\drivers\nhcnt.sys (file missing) S3 NPF (NetGroup Packet Filter Driver) - c:\windows\system32\drivers\npf.sys <Not Verified; CACE Technologies; WinPcap Netgroup Packet Filter Driver> S3 P2k (Motorola USB Device) - c:\windows\system32\drivers\p2k.sys <Not Verified; Motorola Inc; P2k Driver> S3 tbhsd (Tunebite High-Speed Dubbing) - c:\windows\system32\drivers\tbhsd.sys (file missing) S3 tifm21 - c:\windows\system32\drivers\tifm21.sys (file missing) S3 usbsermpt (Motorola USB Modem Driver for MPT) - c:\windows\system32\drivers\usbsermpt.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) 2000 Operating System> S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing) -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled -------------------- R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service> R2 Diskeeper - "c:\program files\executive software\diskeeper\dkservice.exe" <Not Verified; Executive Software International, Inc.; Diskeeper (TM) Disk Defragmenter> R2 SAVAdminService (Sophos Anti-Virus status reporter) - "c:\program files\sophos\sophos anti-virus\savadminservice.exe" <Not Verified; Sophos Plc; Sophos Anti-Virus> R2 SAVService (Sophos Anti-Virus) - "c:\program files\sophos\sophos anti-virus\savservice.exe" <Not Verified; Sophos Plc; Sophos Anti-Virus> R2 Sophos AutoUpdate Service - "c:\program files\sophos\autoupdate\alsvc.exe" <Not Verified; Sophos Plc; Sophos AutoUpdate> S3 rpcapd (Remote Packet Capture Protocol v.0 (experimental)) - "c:\program files\winpcap\rpcapd.exe" -d -f "c:\program files\winpcap\rpcapd.ini" <Not Verified; CACE Technologies; Remote Packet Capture Daemon> -- Device Manager: Disabled ---------------------------------------------------- Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318} Description: Intel(R) PRO/Wireless 2200BG Network Connection Device ID: PCI\VEN_8086&DEV_4220&SUBSYS_27018086&REV_05\4&1D3F0FBB&0&20F0 Manufacturer: Intel(R) Corporation Name: Intel(R) PRO/Wireless 2200BG Network Connection PNP Device ID: PCI\VEN_8086&DEV_4220&SUBSYS_27018086&REV_05\4&1D3F0FBB&0&20F0 Service: w29n51 Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318} Description: 1394 Net Adapter Device ID: V1394\NIC1394\6001493CE0B804 Manufacturer: Microsoft Name: 1394 Net Adapter PNP Device ID: V1394\NIC1394\6001493CE0B804 Service: NIC1394 Class GUID: Description: Mass Storage Controller Device ID: PCI\VEN_104C&DEV_8033&SUBSYS_0460107B&REV_00\4&1D3F0FBB&0&4BF0 Manufacturer: Name: Mass Storage Controller PNP Device ID: PCI\VEN_104C&DEV_8033&SUBSYS_0460107B&REV_00\4&1D3F0FBB&0&4BF0 Service: Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318} Description: Cisco Systems VPN Adapter Device ID: ROOT\NET\0000 Manufacturer: Cisco Systems Name: Cisco Systems VPN Adapter PNP Device ID: ROOT\NET\0000 Service: CVirtA -- Scheduled Tasks ------------------------------------------------------------- 2008-07-02 11:50:14 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job -- Files created between 2008-06-08 and 2008-07-08 ----------------------------- 2008-07-06 00:24:43 408576 --a------ C:\WINDOWS\system32\Smab.dll 2008-07-06 00:24:33 66560 --a------ C:\WINDOWS\MOTA113.exe 2008-07-06 00:24:32 27648 --a------ C:\WINDOWS\system32\AVSredirect.dll 2008-07-06 00:24:31 70656 --a------ C:\WINDOWS\system32\yv12vfw.dll <Not Verified; www.helixcommunity.org; Helix YV12 YUV Codec> 2008-07-06 00:24:27 70656 --a------ C:\WINDOWS\system32\i420vfw.dll <Not Verified; www.helixcommunity.org; Helix I420 YUV Codec> 2008-07-06 00:24:15 217073 --a------ C:\WINDOWS\meta4.exe 2008-07-06 00:21:52 27648 ---hs---- C:\WINDOWS\system32\Smab0.dll 2008-07-06 00:21:51 31232 -r-hs---- C:\WINDOWS\system32\msfDX.dll <Not Verified; Hans Mayerl; msfDX.dll> 2008-07-06 00:21:51 163328 -r-hs---- C:\WINDOWS\system32\flvDX.dll <Not Verified; Gabest; FLV Splitter> 2008-07-06 00:21:46 0 d-------- C:\Program Files\eRightSoft 2008-07-05 23:45:10 0 d-------- C:\DVDVideoSoft 2008-07-05 23:44:47 0 d-------- C:\Program Files\Common Files\DVDVideoSoft 2008-07-05 17:04:08 691545 --a------ C:\WINDOWS\unins000.exe 2008-07-05 17:04:08 2545 --a------ C:\WINDOWS\unins000.dat 2008-07-05 14:21:25 0 d-------- C:\Documents and Settings\Owner\Application Data\Move Networks 2008-07-03 19:21:26 0 d-------- C:\Netgear 2008-07-02 13:46:34 286720 --a------ C:\WINDOWS\iun506.exe <Not Verified; Indigo Rose Corporation; Setup Factory 5.0 Uninstaller> 2008-07-02 13:46:33 0 d-------- C:\Program Files\Mp3 File Editor 2008-07-02 00:49:09 0 d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes 2008-07-02 00:49:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes 2008-07-02 00:49:03 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware 2008-07-01 21:32:10 0 d-------- C:\Program Files\Total Video Converter 2008-07-01 21:18:52 0 d-------- C:\Program Files\Xilisoft 2008-06-30 15:13:20 0 d-------- C:\Program Files\Trend Micro 2008-06-29 21:40:28 0 d--h----- C:\$AVG8.VAULT$ 2008-06-29 21:01:20 0 d-------- C:\Program Files\AVG 2008-06-29 21:01:18 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8 2008-06-29 20:31:35 0 d-------- C:\Program Files\Red Kawa 2008-06-28 12:41:18 6553600 --a------ C:\Documents and Settings\Owner\ntuser.dat 2008-06-14 16:43:20 0 d-------- C:\Logs 2008-06-13 23:31:24 0 d-------- C:\WINDOWS\pss 2008-06-13 13:16:15 0 d-------- C:\Program Files\World of Warcraft 2008-06-12 22:43:27 0 d-------- C:\Program Files\Common Files\Blizzard Entertainment -- Find3M Report --------------------------------------------------------------- 2008-07-05 23:44:47 0 d-------- C:\Program Files\Common Files 2008-07-05 19  41 0 d-------- C:\Program Files\Warcraft III2008-07-04 22:53:16 69381 --a------ C:\WINDOWS\War3Unin.dat 2008-07-04 17 52 0 d-------- C:\Documents and Settings\Owner\Application Data\dvdcss2008-06-29 20:38:02 17920 --a------ C:\WINDOWS\system32\sophosboottasks.exe <Not Verified; Sophos Plc; Sophos Anti-Virus> 2008-06-21 18:16:15 0 d-------- C:\Documents and Settings\Owner\Application Data\XnView 2008-06-15 02:44:09 0 d-------- C:\Program Files\Java 2008-06-13 23:25:52 0 d-------- C:\Program Files\Elaborate Bytes 2008-05-18 13:17:36 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard 2008-05-18 01:02:24 0 d-------- C:\Program Files\SlySoft 2008-05-16 16:58:46 0 d-------- C:\Documents and Settings\Owner\Application Data\.ABC 2008-05-14 20:08:39 0 d-------- C:\Program Files\XP Codec Pack -- Registry Dump --------------------------------------------------------------- *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [11/04/2004 04:47 PM] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [11/04/2004 04:47 PM] "Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [] "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [03/22/2005 09:05 PM] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 03:06 AM] "EPSON Stylus CX6000 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIA.exe" [02/13/2006 05:00 AM] "KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" [] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:00 PM] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07/04/2007 10:33 AM] "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2/13/2006 4:57:01 PM] Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2/13/2006 4:57:01 PM] AutoUpdate Monitor.lnk - C:\Program Files\Sophos\AutoUpdate\ALMon.exe [8/5/2007 4:56:41 PM] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "DisableRegistryTools"=0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "appinit_dlls"=C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService] @="service" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^UCLA Cisco VPN Client.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\UCLA Cisco VPN Client.lnk backup=C:\WINDOWS\pss\UCLA Cisco VPN Client.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STC Policy Manager] C:\Program Files\UCLA STC\STCPM\stcpm.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe -- End of Deckard's System Scanner: finished at 2008-07-08 09:47:53 ------------ Could this be the problem to my computer freezing and all the startup problems? (freezing at desktop) |
|
|
|
|
07-08-2008, 11:00 AM
|
#7 (permalink) | |
|
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Důn Čideann,Scotland.
Posts: 2,790
OS: XP
|
Re: Trojan detected. Please help
Hello again
Quote:
============= Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe. ======== Please follow all instructions and in which order they come, if you have any questions, please ask before proceeding. Its important that you follow this through until i give you the all clear, a lack of symptoms does not mean that it is no longer present. Please Do Not Attach logs to your posts unless you are advised to do so. ======== Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs: Java 2 Runtime Environment, SE v1.4.2 J2SE Runtime Environment 5.0 Update 5 J2SE Runtime Environment 5.0 Update 6 J2SE Runtime Environment 5.0 Update 9 J2SE Runtime Environment 5.0 Update 10 J2SE Runtime Environment 5.0 Update 11 Java(TM) SE Runtime Environment 6 Update 1 Java(TM) 6 Update 2 Java(TM) 6 Update 3 Leave Java(TM) 6 Update 5 installed Viewpoint Media Player<----Viewpoint is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.com/news/article.php/3561546 Additional Information Here and Here ============= Please visit this webpage for instructions for downloading and running ComboFix: http://www.bleepingcomputer.com/comb...o-use-combofix Please ensure you read this guide carefully and install the Recovery Console first. The Windows Recovery Console will allow you to boot up into a special recovery mode. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time. Once the Recovery Console is installed using ComboFix, you should see a message that says: The Recovery Console was successfully installed.  Please continue as follows: Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Click Yes to allow ComboFix to continue scanning for malware. When the tool is finished, it will produce a report for you. =========== Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here. ============ Logs Required C:\Combofix.txt Hijackthis Log
__________________
Member of ASAP since 2007 Member of UNITE since 2008 **Notice to BT customers** Trial of BT-Phorm spyware to start 30th September, 2008- for more information please visit No DPI website for more information. Phorm, previously known as 121Media were responsible for the Apropos rootkit, see Here for more information on said rootkit. If we have helped you in anyway,please consider Donating |
|
|
|
|
|
07-08-2008, 12:52 PM
|
#9 (permalink) |
|
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Důn Čideann,Scotland.
Posts: 2,790
OS: XP
|
Re: Trojan detected. Please help
Copy/paste all logs into your reply unless you are requested to do otherwise.
__________________
Member of ASAP since 2007 Member of UNITE since 2008 **Notice to BT customers** Trial of BT-Phorm spyware to start 30th September, 2008- for more information please visit No DPI website for more information. Phorm, previously known as 121Media were responsible for the Apropos rootkit, see Here for more information on said rootkit. If we have helped you in anyway,please consider Donating |
|
|
|
|
07-08-2008, 04:32 PM
|
#10 (permalink) |
|
Registered User
Join Date: Jul 2008
Posts: 12
OS: winxp
|
Re: Trojan detected. Please help
Hi, I ran ComboFix, but couldn't completely disable Sophos Anti-virus. I ended the process from the Windows Task Manager but I'm not sure if it was completely disabled. Also, at the restart I had Sophos and Spybot automatically run in the task manager. Anyways, here it is: ComboFix 08-07-07.3 - Owner 2008-07-08 16:04:57.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.932.81.1033.18.637 [GMT -7:00] Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . D:\Autorun.inf . ((((((((((((((((((((((((( Files Created from 2008-06-08 to 2008-07-08 ))))))))))))))))))))))))))))))) . 2008-07-08 09:43 . 2008-07-08 09:43 <DIR> d-------- C:\Deckard 2008-07-06 00:24 . 2006-10-07 17:43 502,784 --a------ C:\WINDOWS\x2.64.exe 2008-07-06 00:24 . 2008-02-07 16:15 408,576 --a------ C:\WINDOWS\system32\Smab.dll 2008-07-06 00:24 . 2005-02-28 13:16 240,128 --a------ C:\WINDOWS\system32\x.264.exe 2008-07-06 00:24 . 2006-04-12 09:47 217,073 --a------ C:\WINDOWS\meta4.exe 2008-07-06 00:24 . 2004-01-25 00:00 70,656 --a------ C:\WINDOWS\system32\yv12vfw.dll 2008-07-06 00:24 . 2004-01-25 00:00 70,656 --a------ C:\WINDOWS\system32\i420vfw.dll 2008-07-06 00:24 . 2006-04-05 08:09 66,560 --a------ C:\WINDOWS\MOTA113.exe 2008-07-06 00:24 . 2005-07-14 12:31 27,648 --a------ C:\WINDOWS\system32\AVSredirect.dll 2008-07-06 00:21 . 2008-07-06 00:21 <DIR> d-------- C:\Program Files\eRightSoft 2008-07-05 23:45 . 2008-07-05 23:45 <DIR> d-------- C:\DVDVideoSoft 2008-07-05 23:44 . 2008-07-05 23:48 <DIR> d-------- C:\Program Files\Common Files\DVDVideoSoft 2008-07-05 17:04 . 2008-07-05 17:02 691,545 --a------ C:\WINDOWS\unins000.exe 2008-07-05 17:04 . 2008-07-05 17:04 2,545 --a------ C:\WINDOWS\unins000.dat 2008-07-05 14:21 . 2008-07-05 14:22 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Move Networks 2008-07-03 19:21 . 2008-07-03 19:42 <DIR> d-------- C:\Netgear 2008-07-02 14:45 . 2008-07-02 14:49 46,884,392 --a------ C:\SNSDVOCAL2.WAV 2008-07-02 14:39 . 2008-07-02 14:44 46,884,392 --a------ C:\SNSDVOCAL.WAV 2008-07-02 14:38 . 2008-07-02 14:38 46,900,268 --a------ C:\752_掘ワ - 葆 フ・8ト (Into the new world).wav 2008-07-02 14:33 . 2008-07-02 14:33 46,817,324 --a------ C:\out.wav 2008-07-02 13:46 . 2008-07-02 13:46 <DIR> d-------- C:\Program Files\Mp3 File Editor 2008-07-02 13:46 . 2008-07-02 13:46 286,720 --a------ C:\WINDOWS\iun506.exe 2008-07-02 00:49 . 2008-07-08 00:48 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware 2008-07-02 00:49 . 2008-07-02 00:49 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes 2008-07-02 00:49 . 2008-07-02 00:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes 2008-07-02 00:49 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys 2008-07-02 00:49 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys 2008-07-01 21:32 . 2008-07-01 21:32 <DIR> d-------- C:\Program Files\Total Video Converter 2008-07-01 21:18 . 2008-07-01 21:18 <DIR> d-------- C:\Program Files\Xilisoft 2008-06-30 15:13 . 2008-06-30 15:13 <DIR> d-------- C:\Program Files\Trend Micro 2008-06-29 21:40 . 2008-07-04 16:33 <DIR> d--h----- C:\$AVG8.VAULT$ 2008-06-29 21:01 . 2008-06-29 21:01 <DIR> d-------- C:\Program Files\AVG 2008-06-29 21:01 . 2008-07-08 09:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8 2008-06-29 21:01 . 2008-07-03 16:10 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll.old 2008-06-29 20:31 . 2008-06-29 20:31 <DIR> d-------- C:\Program Files\Red Kawa 2008-06-14 16:43 . 2008-06-14 16:43 <DIR> d-------- C:\Logs 2008-06-13 13:16 . 2008-06-15 11:43 <DIR> d-------- C:\Program Files\World of Warcraft 2008-06-12 22:43 . 2008-06-14 16:26 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment 2008-06-11 03:07 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys 2008-06-11 03:07 . 2008-06-13 06:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-07-08 22:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint 2008-07-08 22:41 --------- d-----w C:\Program Files\Java 2008-07-06 02:06 --------- d-----w C:\Program Files\Warcraft III 2008-07-06 00:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2008-07-06 00:05 --------- d-----w C:\Program Files\Spybot - Search & Destroy 2008-07-05 00:06 --------- d-----w C:\Documents and Settings\Owner\Application Data\dvdcss 2008-06-22 01:16 --------- d-----w C:\Documents and Settings\Owner\Application Data\XnView 2008-06-14 06:25 --------- d-----w C:\Program Files\Elaborate Bytes 2008-06-12 01:59 12,288 ----a-w C:\WINDOWS\system32\drivers\nhcDriver.sys 2008-05-18 21:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Elaborate Bytes 2008-05-18 20:17 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2008-05-18 08:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink 2008-05-18 08:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\SlySoft 2008-05-18 08:02 --------- d-----w C:\Program Files\SlySoft 2008-05-16 23:58 --------- d-----w C:\Documents and Settings\Owner\Application Data\.ABC 2008-05-15 03:08 --------- d-----w C:\Program Files\XP Codec Pack 2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys 2006-07-19 22:18 25,600 ----a-w C:\Documents and Settings\Owner\usbsermptxp.sys 2006-07-19 22:18 22,768 -c--a-w C:\Documents and Settings\Owner\usbsermpt.sys 2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll 2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll 2007-12-17 12:43 27,648 --sh--w C:\WINDOWS\system32\Smab0.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-04 10:33 68856] "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 16:47 98394] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 16:47 688218] "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-22 21:05 339968] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-02-13 16:57:01 113664] Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-02-13 16:57:01 113664] AutoUpdate Monitor.lnk - C:\Program Files\Sophos\AutoUpdate\ALMon.exe [2007-08-05 16:56:41 245760] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "VIDC.I420"= i420vfw.dll "vidc.yv12"= yv12vfw.dll "vidc.ffds"= ffdshow.ax "msacm.ac3filter"= ac3filter.acm [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService] @="service" [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^UCLA Cisco VPN Client.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\UCLA Cisco VPN Client.lnk backup=C:\WINDOWS\pss\UCLA Cisco VPN Client.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] --a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] --a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl] --a------ 2003-10-31 19:42 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STC Policy Manager] --a------ 2007-09-26 01:07 1156360 C:\Program Files\UCLA STC\STCPM\STCPM.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] --a------ 2007-07-04 10:33 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Messenger\\msmsgs.exe"= "C:\\Program Files\\DC++\\DCPlusPlus.exe"= "C:\\Program Files\\ABC\\abc.exe"= "C:\\Program Files\\Real\\RealPlayer\\realplay.exe"= "C:\\Program Files\\Warcraft III\\Warcraft III.exe& |
