Removing Legacy_amidiageventservice

King Arthur · 07-12-2006, 04:14 PM

I have used hijackthis and found AMIDiageventService.exe, and dissabled it.
Now using Regedit to finish removing all references to AMIDiageventservices. I came accross 2 "Legacy_AMIDiageventservices" enteries. Regedit will not let me remove or modigy either of these 2 enteries, even in safe mode!

Any idea on how to remove these other than wipping the drive and doing a complete new install of XP Pro & service pack 2. Is this trojan in the MBR of the hard drive?

Vikesrock8411 · 07-13-2006, 05:39 PM

Any particular reason you decided you had to disable that? It's not malware.

King Arthur · 07-13-2006, 08:14 PM

HiJackthis Idetified this as malware. If you know what this program does, please tell us so that we are better informed.
Thank you

Vikesrock8411 · 07-13-2006, 08:54 PM

Hijackthis does not identify what is malware and what isn't. It merely displays information from certain registry keys that are often used by malware.

As for what the file does:
http://www.ami.com/products/product....=23&prodid=123

King Arthur · 07-14-2006, 11:43 AM

Since I custom build my own P.C.'s from scratch, & I am not a OEM mfgr. I wonder where I got that program. WinPatrol also flagged it as another suspect possible malware. My antivirus program (AVG), SpyBot, and Adaware did not flag it though.

I am searching for any worm, trojan or virus that captures credit card numbers from my system when making a online purchase without showing up in the active task's, etc. in task manager. I had my credit card number stolen while making a online purchase. I have a very good idea when, but not how. I only used this credit card in question for this purchase only. NO other transactions!

Any tips?
Thanks

Vikesrock8411 · 07-14-2006, 12:16 PM

The driver CD that came with your motherboard is the most likely source of this software.

The easiest way to help you out is if you post your full Hijackhis log here.

King Arthur · 07-14-2006, 01:53 PM

Here is the logfile, minus the AMIDiageventservice, because I got rid of all references exept the root-Legacy entery.

As you can see I am using Shavlik technologies for updates and spyware scaning. Not Windows Update.

Any sugjestions or ideas?
Thanks

Logfile of HijackThis v1.99.1
Scan saved at 12:43:41 PM, on 7/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Shavlik Technologies\NetChk\5.6.0.446\HfNetChkProService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\ProPatches\Scheduler\stSchedEx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
N:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.yahoo.com/config/login?...sbc.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NetChk Patch Service (NetChkPatch) - Unknown owner - C:\Program Files\Shavlik Technologies\NetChk\5.6.0.446\HfNetChkProService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Shavlik Remote Scheduler Service (Shavlik Scheduler) - Shavlik Technologies - C:\WINDOWS\ProPatches\Scheduler\stSchedEx.exe

Vikesrock8411 · 07-15-2006, 01:00 AM

Nothing there, if there's anything hiding on your PC one of these two will usually root it out.

Download GMER to your desktop.

Right Click the Zip and Select Extract All.
Open GMER and Click the Tab labeled RootKit.
Now Click Scan, it will take a while for the scan to complete.
Once done, Copy the results to Notepad and post them in the next reply.

Please open IE and go to
Kaspersky WebScanner

Next Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
- Extended
- Scan Options:
- Scan Archives
  Scan Mail Bases
Click OK
Now under select a target to scan:
- Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

King Arthur · 07-15-2006, 01:58 PM

Here are the results of my gmer log. This file was setup following the faq at gmer.

Some of the files I do not recognise, mostly the driver related ones.
Can I use Firefox for the other tool reather I.E.?

How does it look to you?
Thank you very much for your help.

2006-07-15 12:48:55 gmer.sys System [4]: LoadDriver System32\DRIVERS\ipnat.sys
2006-07-15 12:48:55 gmer.sys System [4]: LoadDriver System32\DRIVERS\wanarp.sys
2006-07-15 12:48:55 gmer.sys System [4]: LoadDriver System32\DRIVERS\arp1394.sys
2006-07-15 12:48:57 gmer.sys System [4]: LoadDriver \Registry\Machine\System\CurrentControlSet\Services\Fastfat
2006-07-15 12:48:58 gmer.sys System [4]: LoadDriver System32\DRIVERS\arp1394.sys
2006-07-15 12:49:02 gmer.sys System [4]: LoadDriver \Registry\Machine\System\CurrentControlSet\Services\Cdfs
2006-07-15 12:49:02 gmer.sys System [4]: CreateProcess c:\windows\system32\smss.exe
2006-07-15 12:49:02 gmer.sys smss.exe [740]: CreateProcess c:\windows\system32\autochk.exe
2006-07-15 12:49:04 gmer.sys smss.exe [740]: CreateProcess c:\windows\system32\csrss.exe
2006-07-15 12:49:04 gmer.sys csrss.exe [800]: LoadDriver \SystemRoot\System32\drivers\dxg.sys
2006-07-15 12:49:05 gmer.sys csrss.exe [800]: LoadDriver \SystemRoot\System32\nv4_disp.dll
2006-07-15 12:49:05 gmer.sys csrss.exe [800]: LoadDriver \SystemRoot\System32\vga.dll
2006-07-15 12:49:05 gmer.sys csrss.exe [800]: LoadDriver \SystemRoot\System32\nv4_disp.dll
2006-07-15 12:49:06 gmer.sys smss.exe [740]: CreateProcess c:\windows\system32\winlogon.exe
2006-07-15 12:49:07 gmer.sys winlogon.exe [828]: CreateProcessEx c:\windows\system32\services.exe
2006-07-15 12:49:07 gmer.sys winlogon.exe [828]: CreateProcessEx c:\windows\system32\lsass.exe
2006-07-15 12:49:09 gmer.sys services.exe [872]: CreateProcessEx c:\windows\system32\svchost.exe
2006-07-15 12:49:09 gmer.sys winlogon.exe [828]: CreateProcessEx c:\windows\system32\logonui.exe
2006-07-15 12:49:10 gmer.sys services.exe [872]: CreateProcessEx c:\windows\system32\svchost.exe
2006-07-15 12:49:10 gmer.sys services.exe [872]: CreateProcessEx c:\windows\system32\svchost.exe
2006-07-15 12:49:10 gmer.sys services.exe [872]: CreateProcessEx c:\windows\system32\svchost.exe
2006-07-15 12:49:10 gmer.sys services.exe [872]: CreateProcessEx c:\windows\system32\svchost.exe
2006-07-15 12:49:10 gmer.sys services.exe [872]: CreateProcessEx c:\windows\system32\spoolsv.exe
2006-07-15 12:49:11 gmer.sys svchost.exe [1284]: LoadDriver System32\DRIVERS\rdbss.sys
2006-07-15 12:49:11 gmer.sys svchost.exe [1284]: LoadDriver System32\DRIVERS\mrxsmb.sys
2006-07-15 12:49:11 gmer.sys services.exe [872]: LoadDriver \Registry\Machine\System\CurrentControlSet\Services\ParVdm
2006-07-15 12:49:11 gmer.sys services.exe [872]: LoadDriver \??\C:\WINDOWS\system32\drivers\aslm75.sys
2006-07-15 12:49:11 gmer.sys services.exe [872]: CreateProcessEx c:\program files\grisoft\avg free\avgupsvc.exe
2006-07-15 12:49:11 gmer.sys services.exe [872]: LoadDriver \??\C:\WINDOWS\System32\Drivers\avgtdi.sys
2006-07-15 12:49:11 gmer.sys services.exe [872]: CreateProcessEx c:\windows\system32\ctsvccda.exe
2006-07-15 12:49:11 gmer.sys services.exe [872]: CreateProcessEx c:\program files\executive software\diskeeper\dkservice.exe
2006-07-15 12:49:12 gmer.sys services.exe [872]: CreateProcessEx c:\program files\shavlik technologies\netchk\5.6.0.446\hfnetchkproservice.exe
2006-07-15 12:49:12 gmer.sys svchost.exe [1284]: LoadDriver System32\DRIVERS\srv.sys
2006-07-15 12:49:12 gmer.sys services.exe [872]: CreateProcessEx c:\windows\system32\nvsvc32.exe
2006-07-15 12:49:13 gmer.sys services.exe [872]: LoadDriver \??\C:\WINDOWS\System32\drivers\PfModNT.sys
2006-07-15 12:49:13 gmer.sys services.exe [872]: CreateProcessEx c:\windows\system32\svchost.exe
2006-07-15 12:49:13 gmer.sys services.exe [872]: LoadDriver \??\C:\WINDOWS\system32\SVKP.sys
2006-07-15 12:49:13 gmer.sys services.exe [872]: CreateProcessEx c:\windows\system32\mspmspsv.exe
2006-07-15 12:49:14 gmer.sys winlogon.exe [828]: CreateProcessEx c:\windows\system32\userinit.exe
2006-07-15 12:49:15 gmer.sys userinit.exe [2036]: CreateProcessEx c:\windows\explorer.exe
2006-07-15 12:49:15 gmer.sys nvsvc32.exe [1712]: CreateProcessEx c:\windows\system32\rundll32.exe
2006-07-15 12:49:17 gmer.sys svchost.exe [1284]: LoadDriver System32\DRIVERS\ipnat.sys
2006-07-15 12:49:19 gmer.sys services.exe [872]: CreateProcessEx c:\windows\system32\alg.exe
2006-07-15 12:49:19 gmer.sys Explorer.EXE [204]: CreateProcessEx c:\windows\system32\verclsid.exe
2006-07-15 12:49:20 gmer.sys Explorer.EXE [204]: CreateProcessEx c:\program files\creative\splash screen\cteaxspl.exe
2006-07-15 12:49:20 gmer.sys Explorer.EXE [204]: CreateProcessEx c:\windows\updreg.exe
2006-07-15 12:49:20 gmer.sys Explorer.EXE [204]: CreateProcessEx c:\program files\creative\sbaudigy\program\adgjdet.exe
2006-07-15 12:49:20 gmer.sys Explorer.EXE [204]: CreateProcessEx c:\windows\system32\cthelper.exe
2006-07-15 12:49:20 gmer.sys Explorer.EXE [204]: CreateProcessEx c:\program files\common files\installshield\updateservice\isuspm.exe
2006-07-15 12:49:20 gmer.sys Explorer.EXE [204]: CreateProcessEx c:\program files\executive software\diskeeper\dkicon.exe
2006-07-15 12:49:20 gmer.sys svchost.exe [1044]: CreateProcessEx c:\program files\common files\installshield\updateservice\agent.exe
2006-07-15 12:49:23 gmer.sys services.exe [872]: CreateProcessEx c:\windows\system32\imapi.exe
2006-07-15 12:49:25 gmer.sys Explorer.EXE [204]: CreateProcessEx c:\windows\explorer.exe
2006-07-15 12:49:41 gmer.sys Explorer.EXE [204]: CreateProcessEx c:\windows\system32\verclsid.exe
2006-07-15 12:49:41 gmer.sys Explorer.EXE [204]: CreateProcessEx n:\gmer\gmer.exe

Vikesrock8411 · 07-15-2006, 08:19 PM

If you think you are clean, or can handle any removal yourself than that is fine, just let me know. Otherwise please follow the instructions exactly as layed out. Please undo the changes you made as they are showing many items that are not rootkit related.

King Arthur · 07-15-2006, 08:59 PM

The only thing that I have done was to use regedit to remove all references to AMIDiageventsService.exe
The file and it's associated folder were missing all along.
I also used Kaspersky webscanner. It also showed no known malware. I guess the merchant I visited was contaminated with spyware or somesuch malware. Not a secure site after all. Thank you very much for your advice and help. KA

Vikesrock8411 · 07-15-2006, 09:14 PM

I was refferring to the GMER scan, but I didn't have anything else to do so I researched the entries I didn't recognize anyway. Nothing showing there. The only suggestion I have for you is make sure you are buying form vendors you trust and that you only input sensitive information on a secure (encrypted) page. Other than that there isn't a whole lot more you can do. Hope you have better luck with any future transactions

Your log appears to be clean. If you still have any problems let me know and we will work on diagnosing those through other means. If not, there are just a few more things to go through to finish this off and help prevent future infections. Please post one more time even if you have no problems so we can mark this thread as resolved.

Windows Update
Make sure to get the latest updates for Windows and Internet Explorer at Microsoft Update Site.

Prevention
A good virus scanner is a necessity in today's computer environment. Many virus scanners include active components that protect you from infection without even running a scan. Some good free antivirus programs include:
AVG Free
Avast! Home Edition (Antivirus & Firewall)
AntiVir

A firewall is the first line of defense standing between the internet and your computer. Some good free firewalls are:
Zone Alarm
Outpost
Tiny Personal Firewall
Sunbelt Kerio Personal Firewall

Adaware SE and Spybot SD are a pair of anti-spyware scanners that should be run every week or two. Although there is some overlap there are many pieces of malware that is caught by one of these and not the other, therefore it is recommended you use both to compliment each other. Spybot also contains two other useful pieces. The first is "Immunize", this helps protect your computer against known exploits. The second is "TeaTimer", with this feature enabled you will receive notifications of all changes to the registry such as programs adding themselves to start-up and you default search page being changed.

Spyware Blaster is a powerful tool that prevents "drive-by" downloads and other unwanted installations. It also uses no system resources, run it once and you're all set. Spyware Guard Is a realtime protection engine to guard your computer from spyware. This program does for spyware what an antivirus program does for viruses.

IE-Spyad is a program that only needs to be run once to protect you from many malicious sites. It adds domains of known adware companies into the Restricted List of Internet Explorer, preventing them from performing malicious actions on your PC.

The MVPS HOSTS file is a file you can download and use to replace your regular hosts file. It prevents many sites from performing malicious actions by blocking the sites from ever being accessed.

Together these programs form a powerful barrier between the Internet and your computer. However, all the programs stand alone and feel free to eliminate any you are not comfortable with. Any protection you add to your PC is better than no protection at all.

Alternative Programs
Here are some alternatives that are either less suceptible than others to malware or don't contain malware where similar programs do.

Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

Desktop Weather - Free taskbar weather program that is free, malware free, and resource light.

Firefox - This is an increasingly popular alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

King Arthur · 07-16-2006, 12:30 PM

My gratefull thanks for your hard work and feedback. It is a risk when you use a new and unknown online merchant/service for the first time. I did telephone said merchant and explained my concern about the security of their web site (and what happened). They of course claimed to be safe?? But not encrypted. FYI the merchant was Radio Era Archives, a service for antique radio collector hobbiest's.
Note: I am using most of the utilities you recommended. Thanks again, K.A.

07-12-2006, 04:14 PM	#1 (permalink)
King Arthur Registered User Join Date: Jul 2006 Posts: 8 OS: winXP pro	Removing Legacy_amidiageventservice I have used hijackthis and found AMIDiageventService.exe, and dissabled it. Now using Regedit to finish removing all references to AMIDiageventservices. I came accross 2 "Legacy_AMIDiageventservices" enteries. Regedit will not let me remove or modigy either of these 2 enteries, even in safe mode! Any idea on how to remove these other than wipping the drive and doing a complete new install of XP Pro & service pack 2. Is this trojan in the MBR of the hard drive?

07-13-2006, 05:39 PM	#2 (permalink)
Vikesrock8411 Analyst, Security Team Join Date: Jun 2005 Posts: 3,065 OS: Windows XP	Any particular reason you decided you had to disable that? It's not malware. __________________

07-13-2006, 08:14 PM	#3 (permalink)
King Arthur Registered User Join Date: Jul 2006 Posts: 8 OS: winXP pro	AMIDiageventservice HiJackthis Idetified this as malware. If you know what this program does, please tell us so that we are better informed. Thank you

07-13-2006, 08:54 PM	#4 (permalink)
Vikesrock8411 Analyst, Security Team Join Date: Jun 2005 Posts: 3,065 OS: Windows XP	Hijackthis does not identify what is malware and what isn't. It merely displays information from certain registry keys that are often used by malware. As for what the file does: http://www.ami.com/products/product....=23&prodid=123 __________________

07-14-2006, 12:16 PM	#6 (permalink)
Vikesrock8411 Analyst, Security Team Join Date: Jun 2005 Posts: 3,065 OS: Windows XP	The driver CD that came with your motherboard is the most likely source of this software. The easiest way to help you out is if you post your full Hijackhis log here. __________________

07-14-2006, 11:43 AM	#5 (permalink)
King Arthur Registered User Join Date: Jul 2006 Posts: 8 OS: winXP pro	Since I custom build my own P.C.'s from scratch, & I am not a OEM mfgr. I wonder where I got that program. WinPatrol also flagged it as another suspect possible malware. My antivirus program (AVG), SpyBot, and Adaware did not flag it though. I am searching for any worm, trojan or virus that captures credit card numbers from my system when making a online purchase without showing up in the active task's, etc. in task manager. I had my credit card number stolen while making a online purchase. I have a very good idea when, but not how. I only used this credit card in question for this purchase only. NO other transactions! Any tips? Thanks

07-14-2006, 01:53 PM	#7 (permalink)
King Arthur Registered User Join Date: Jul 2006 Posts: 8 OS: winXP pro	LogFile Here is the logfile, minus the AMIDiageventservice, because I got rid of all references exept the root-Legacy entery. As you can see I am using Shavlik technologies for updates and spyware scaning. Not Windows Update. Any sugjestions or ideas? Thanks Logfile of HijackThis v1.99.1 Scan saved at 12:43:41 PM, on 7/14/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\System32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\WINDOWS\System32\CTsvcCDA.exe C:\Program Files\Executive Software\Diskeeper\DkService.exe C:\Program Files\Shavlik Technologies\NetChk\5.6.0.446\HfNetChkProService.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\ProPatches\Scheduler\stSchedEx.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\CTHELPER.EXE C:\Program Files\Mozilla Firefox\firefox.exe N:\Hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.yahoo.com/config/login?...sbc.yahoo.com/ O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe" O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: NetChk Patch Service (NetChkPatch) - Unknown owner - C:\Program Files\Shavlik Technologies\NetChk\5.6.0.446\HfNetChkProService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Shavlik Remote Scheduler Service (Shavlik Scheduler) - Shavlik Technologies - C:\WINDOWS\ProPatches\Scheduler\stSchedEx.exe

07-15-2006, 01:00 AM	#8 (permalink)
Vikesrock8411 Analyst, Security Team Join Date: Jun 2005 Posts: 3,065 OS: Windows XP	Nothing there, if there's anything hiding on your PC one of these two will usually root it out. Download GMER to your desktop. Right Click the Zip and Select Extract All. Open GMER and Click the Tab labeled RootKit. Now Click Scan, it will take a while for the scan to complete. Once done, Copy the results to Notepad and post them in the next reply. Please open IE and go to Kaspersky WebScanner Next Click on Kaspersky Online Scanner You will be prompted to install an ActiveX component from Kaspersky, Click Yes. The program will launch and then begin downloading the latest definition files: Once the files have been downloaded click on NEXT Now click on Scan Settings In the scan settings make that the following are selected: Scan using the following Anti-Virus database: Extended Scan Options: Scan Archives Scan Mail Bases Click OK Now under select a target to scan: Select My Computer This will program will start and scan your system. The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected. Now click on the Save as Text button: Save the file to your desktop. Copy and paste that information in your next post. * Turn off the real time scanner of any existing antivirus program while performing the online scan __________________

07-15-2006, 01:58 PM	#9 (permalink)
King Arthur Registered User Join Date: Jul 2006 Posts: 8 OS: winXP pro	Gmer log Here are the results of my gmer log. This file was setup following the faq at gmer. Some of the files I do not recognise, mostly the driver related ones. Can I use Firefox for the other tool reather I.E.? How does it look to you? Thank you very much for your help. 2006-07-15 12:48:55 gmer.sys System [4]: LoadDriver System32\DRIVERS\ipnat.sys 2006-07-15 12:48:55 gmer.sys System [4]: LoadDriver System32\DRIVERS\wanarp.sys 2006-07-15 12:48:55 gmer.sys System [4]: LoadDriver System32\DRIVERS\arp1394.sys 2006-07-15 12:48:57 gmer.sys System [4]: LoadDriver \Registry\Machine\System\CurrentControlSet\Services\Fastfat 2006-07-15 12:48:58 gmer.sys System [4]: LoadDriver System32\DRIVERS\arp1394.sys 2006-07-15 12:49:02 gmer.sys System [4]: LoadDriver \Registry\Machine\System\CurrentControlSet\Services\Cdfs 2006-07-15 12:49:02 gmer.sys System [4]: CreateProcess c:\windows\system32\smss.exe 2006-07-15 12:49:02 gmer.sys smss.exe [740]: CreateProcess c:\windows\system32\autochk.exe 2006-07-15 12:49:04 gmer.sys smss.exe [740]: CreateProcess c:\windows\system32\csrss.exe 2006-07-15 12:49:04 gmer.sys csrss.exe [800]: LoadDriver \SystemRoot\System32\drivers\dxg.sys 2006-07-15 12:49:05 gmer.sys csrss.exe [800]: LoadDriver \SystemRoot\System32\nv4_disp.dll 2006-07-15 12:49:05 gmer.sys csrss.exe [800]: LoadDriver \SystemRoot\System32\vga.dll 2006-07-15 12:49:05 gmer.sys csrss.exe [800]: LoadDriver \SystemRoot\System32\nv4_disp.dll 2006-07-15 12:49:06 gmer.sys smss.exe [740]: CreateProcess c:\windows\system32\winlogon.exe 2006-07-15 12:49:07 gmer.sys winlogon.exe [828]: CreateProcessEx c:\windows\system32\services.exe 2006-07-15 12:49:07 gmer.sys winlogon.exe [828]: CreateProcessEx c:\windows\system32\lsass.exe 2006-07-15 12:49:09 gmer.sys services.exe [872]: CreateProcessEx c:\windows\system32\svchost.exe 2006-07-15 12:49:09 gmer.sys winlogon.exe [828]: CreateProcessEx c:\windows\system32\logonui.exe 2006-07-15 12:49:10 gmer.sys services.exe [872]: CreateProcessEx c:\windows\system32\svchost.exe 2006-07-15 12:49:10 gmer.sys services.exe [872]: CreateProcessEx c:\windows\system32\svchost.exe 2006-07-15 12:49:10 gmer.sys services.exe [872]: CreateProcessEx c:\windows\system32\svchost.exe 2006-07-15 12:49:10 gmer.sys services.exe [872]: CreateProcessEx c:\windows\system32\svchost.exe 2006-07-15 12:49:10 gmer.sys services.exe [872]: CreateProcessEx c:\windows\system32\spoolsv.exe 2006-07-15 12:49:11 gmer.sys svchost.exe [1284]: LoadDriver System32\DRIVERS\rdbss.sys 2006-07-15 12:49:11 gmer.sys svchost.exe [1284]: LoadDriver System32\DRIVERS\mrxsmb.sys 2006-07-15 12:49:11 gmer.sys services.exe [872]: LoadDriver \Registry\Machine\System\CurrentControlSet\Services\ParVdm 2006-07-15 12:49:11 gmer.sys services.exe [872]: LoadDriver \??\C:\WINDOWS\system32\drivers\aslm75.sys 2006-07-15 12:49:11 gmer.sys services.exe [872]: CreateProcessEx c:\program files\grisoft\avg free\avgupsvc.exe 2006-07-15 12:49:11 gmer.sys services.exe [872]: LoadDriver \??\C:\WINDOWS\System32\Drivers\avgtdi.sys 2006-07-15 12:49:11 gmer.sys services.exe [872]: CreateProcessEx c:\windows\system32\ctsvccda.exe 2006-07-15 12:49:11 gmer.sys services.exe [872]: CreateProcessEx c:\program files\executive software\diskeeper\dkservice.exe 2006-07-15 12:49:12 gmer.sys services.exe [872]: CreateProcessEx c:\program files\shavlik technologies\netchk\5.6.0.446\hfnetchkproservice.exe 2006-07-15 12:49:12 gmer.sys svchost.exe [1284]: LoadDriver System32\DRIVERS\srv.sys 2006-07-15 12:49:12 gmer.sys services.exe [872]: CreateProcessEx c:\windows\system32\nvsvc32.exe 2006-07-15 12:49:13 gmer.sys services.exe [872]: LoadDriver \??\C:\WINDOWS\System32\drivers\PfModNT.sys 2006-07-15 12:49:13 gmer.sys services.exe [872]: CreateProcessEx c:\windows\system32\svchost.exe 2006-07-15 12:49:13 gmer.sys services.exe [872]: LoadDriver \??\C:\WINDOWS\system32\SVKP.sys 2006-07-15 12:49:13 gmer.sys services.exe [872]: CreateProcessEx c:\windows\system32\mspmspsv.exe 2006-07-15 12:49:14 gmer.sys winlogon.exe [828]: CreateProcessEx c:\windows\system32\userinit.exe 2006-07-15 12:49:15 gmer.sys userinit.exe [2036]: CreateProcessEx c:\windows\explorer.exe 2006-07-15 12:49:15 gmer.sys nvsvc32.exe [1712]: CreateProcessEx c:\windows\system32\rundll32.exe 2006-07-15 12:49:17 gmer.sys svchost.exe [1284]: LoadDriver System32\DRIVERS\ipnat.sys 2006-07-15 12:49:19 gmer.sys services.exe [872]: CreateProcessEx c:\windows\system32\alg.exe 2006-07-15 12:49:19 gmer.sys Explorer.EXE [204]: CreateProcessEx c:\windows\system32\verclsid.exe 2006-07-15 12:49:20 gmer.sys Explorer.EXE [204]: CreateProcessEx c:\program files\creative\splash screen\cteaxspl.exe 2006-07-15 12:49:20 gmer.sys Explorer.EXE [204]: CreateProcessEx c:\windows\updreg.exe 2006-07-15 12:49:20 gmer.sys Explorer.EXE [204]: CreateProcessEx c:\program files\creative\sbaudigy\program\adgjdet.exe 2006-07-15 12:49:20 gmer.sys Explorer.EXE [204]: CreateProcessEx c:\windows\system32\cthelper.exe 2006-07-15 12:49:20 gmer.sys Explorer.EXE [204]: CreateProcessEx c:\program files\common files\installshield\updateservice\isuspm.exe 2006-07-15 12:49:20 gmer.sys Explorer.EXE [204]: CreateProcessEx c:\program files\executive software\diskeeper\dkicon.exe 2006-07-15 12:49:20 gmer.sys svchost.exe [1044]: CreateProcessEx c:\program files\common files\installshield\updateservice\agent.exe 2006-07-15 12:49:23 gmer.sys services.exe [872]: CreateProcessEx c:\windows\system32\imapi.exe 2006-07-15 12:49:25 gmer.sys Explorer.EXE [204]: CreateProcessEx c:\windows\explorer.exe 2006-07-15 12:49:41 gmer.sys Explorer.EXE [204]: CreateProcessEx c:\windows\system32\verclsid.exe 2006-07-15 12:49:41 gmer.sys Explorer.EXE [204]: CreateProcessEx n:\gmer\gmer.exe Last edited by King Arthur; 07-15-2006 at 02:01 PM. Reason: additions

07-15-2006, 08:19 PM	#10 (permalink)
Vikesrock8411 Analyst, Security Team Join Date: Jun 2005 Posts: 3,065 OS: Windows XP	If you think you are clean, or can handle any removal yourself than that is fine, just let me know. Otherwise please follow the instructions exactly as layed out. Please undo the changes you made as they are showing many items that are not rootkit related. __________________

07-15-2006, 08:59 PM	#11 (permalink)
King Arthur Registered User Join Date: Jul 2006 Posts: 8 OS: winXP pro	Thank you The only thing that I have done was to use regedit to remove all references to AMIDiageventsService.exe The file and it's associated folder were missing all along. I also used Kaspersky webscanner. It also showed no known malware. I guess the merchant I visited was contaminated with spyware or somesuch malware. Not a secure site after all. Thank you very much for your advice and help. KA

07-15-2006, 09:14 PM	#12 (permalink)
Vikesrock8411 Analyst, Security Team Join Date: Jun 2005 Posts: 3,065 OS: Windows XP	I was refferring to the GMER scan, but I didn't have anything else to do so I researched the entries I didn't recognize anyway. Nothing showing there. The only suggestion I have for you is make sure you are buying form vendors you trust and that you only input sensitive information on a secure (encrypted) page. Other than that there isn't a whole lot more you can do. Hope you have better luck with any future transactions Your log appears to be clean. If you still have any problems let me know and we will work on diagnosing those through other means. If not, there are just a few more things to go through to finish this off and help prevent future infections. Please post one more time even if you have no problems so we can mark this thread as resolved. Windows Update Make sure to get the latest updates for Windows and Internet Explorer at Microsoft Update Site. Prevention A good virus scanner is a necessity in today's computer environment. Many virus scanners include active components that protect you from infection without even running a scan. Some good free antivirus programs include: AVG Free Avast! Home Edition (Antivirus & Firewall) AntiVir A firewall is the first line of defense standing between the internet and your computer. Some good free firewalls are: Zone Alarm Outpost Tiny Personal Firewall Sunbelt Kerio Personal Firewall Adaware SE and Spybot SD are a pair of anti-spyware scanners that should be run every week or two. Although there is some overlap there are many pieces of malware that is caught by one of these and not the other, therefore it is recommended you use both to compliment each other. Spybot also contains two other useful pieces. The first is "Immunize", this helps protect your computer against known exploits. The second is "TeaTimer", with this feature enabled you will receive notifications of all changes to the registry such as programs adding themselves to start-up and you default search page being changed. Spyware Blaster is a powerful tool that prevents "drive-by" downloads and other unwanted installations. It also uses no system resources, run it once and you're all set. Spyware Guard Is a realtime protection engine to guard your computer from spyware. This program does for spyware what an antivirus program does for viruses. IE-Spyad is a program that only needs to be run once to protect you from many malicious sites. It adds domains of known adware companies into the Restricted List of Internet Explorer, preventing them from performing malicious actions on your PC. The MVPS HOSTS file is a file you can download and use to replace your regular hosts file. It prevents many sites from performing malicious actions by blocking the sites from ever being accessed. Together these programs form a powerful barrier between the Internet and your computer. However, all the programs stand alone and feel free to eliminate any you are not comfortable with. Any protection you add to your PC is better than no protection at all. Alternative Programs Here are some alternatives that are either less suceptible than others to malware or don't contain malware where similar programs do. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN) Desktop Weather - Free taskbar weather program that is free, malware free, and resource light. Firefox - This is an increasingly popular alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness. __________________

07-16-2006, 12:30 PM	#13 (permalink)
King Arthur Registered User Join Date: Jul 2006 Posts: 8 OS: winXP pro	Resolved My gratefull thanks for your hard work and feedback. It is a risk when you use a new and unknown online merchant/service for the first time. I did telephone said merchant and explained my concern about the security of their web site (and what happened). They of course claimed to be safe?? But not encrypted. FYI the merchant was Radio Era Archives, a service for antique radio collector hobbiest's. Note: I am using most of the utilities you recommended. Thanks again, K.A.