#1
Registered User
Join Date: Apr 2007
Posts: 8
OS: XP
Win32/Rustock.gen!C (help!)
Hello,
I'm new to the forum but have been advised I'll get the best help here. I've seen a previous post which details someone else having this problem, but it won't let me post a reply?! (So sorry to annoy anyone, but I've had to make a new post.) Should I follow the same steps that were advised in previous posts? I've only got this far (as of yet). Any help really appreciated!

Stephen Quigley, N. Ireland

-----------

Logfile of HijackThis v1.99.1
Scan saved at 14:35:33, on 03/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\SpywareBot\SpywareBot.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\ME\LOCALS~1\Temp\Rar$EX00.468\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bebo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/...C01&lc=0809&ac
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.presario.net/scripts/r...search&ap=b204
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/r...search&ap=b204
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/r...search&ap=b204
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://desktop.presario.net/scripts/...C01&lc=0809&ac
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1172622521826
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1173539138452
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/W...gPublisher.exe
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://ebanking.northernbank.co.uk/.../e-Safekey.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

Last edited by QUIGGS2001; 04-03-2007 at 07:57 AM.
#2
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,682
OS: 2000 Pro; XP Pro; XP Home
Re: Win32/Rustock.gen!C (help!)
Hi, and welcome.
Please do this: Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
What DSS will do:
---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
#3
Registered User
Join Date: Apr 2007
Posts: 8
OS: XP
Re: Win32/Rustock.gen!C (help!)
Thank you very much for the reply and help.
Hopefully I have followed your instructions correctly.

Deckard's System Scanner v20070328.36
Run by ME on 2007-04-03 at 22:42:05
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
92: 2007-04-03 21:42:15 UTC - RP92 - Deckard's System Scanner Restore Point
91: 2007-04-03 14:55:22 UTC - RP91 - Software Distribution Service 2.0
90: 2007-04-03 14:38:14 UTC - RP90 - Software Distribution Service 2.0
89: 2007-04-03 14:14:36 UTC - RP89 - Software Distribution Service 2.0
88: 2007-04-03 14:12:48 UTC - RP88 - Installed Windows Defender

-- First Restore Point --
1: 2007-02-25 10:02:51 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as ME.exe) --------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 22:44:38, on 03/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\QuickTimePlayer.exe
C:\Documents and Settings\ME\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\ME.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bebo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/...C01&lc=0809&ac
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.presario.net/scripts/r...search&ap=b204
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/r...search&ap=b204
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/r...search&ap=b204
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://desktop.presario.net/scripts/...C01&lc=0809&ac
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1172622521826
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1173539138452
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/W...gPublisher.exe
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://ebanking.northernbank.co.uk/.../e-Safekey.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 smwdm - c:\windows\system32\drivers\smwdm.sys
S1 EXAMPLE - c:\windows\system32\main.sys (file missing)
S3 basic2 - c:\windows\system32\drivers\basic2.sys (file missing)
S3 BthEnum (Bluetooth Request Block Driver) - c:\windows\system32\drivers\bthenum.sys
S3 BthPan (Bluetooth Device (Personal Area Network)) - c:\windows\system32\drivers\bthpan.sys
S3 BTHPORT (Bluetooth Port Driver) - c:\windows\system32\drivers\bthport.sys
S3 BTHUSB (Bluetooth Radio USB Driver) - c:\windows\system32\drivers\bthusb.sys
S3 EXAMPLE1 - c:\windows\system32\ksys.sys
S3 Rksample - c:\windows\system32\drivers\rksample.sys (file missing)
S3 Runtime - c:\windows\system32\runtime.sys (file missing)
S3 usbcm (USB Cable Modem 351000 NDIS Driver) - c:\windows\system32\drivers\usbcm.sys
S3 winachsf - c:\windows\system32\drivers\hsf_cnxt.sys (file missing)

pe386 driver present

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 BthServ (Bluetooth Support Service) - c:\windows\system32\svchost.exe -k bthsvcs

-- Scheduled Tasks -------------------------------------------------------------

2007-04-03 16:47:57 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job<MPSCHE~1.JOB>
2007-04-03 14:20:01 482 --a------ C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job<SPYWAR~1.JOB>

-- Files created between 2007-03-03 and 2007-04-03 -----------------------------

-- Find3M Report ---------------------------------------------------------------

-- Registry Dump ---------------------------------------------------------------

-- End of Deckard's System Scanner: finished at 2007-04-03 at 22:45:18 ---------
#4
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,682
OS: 2000 Pro; XP Pro; XP Home
Re: Win32/Rustock.gen!C (help!)
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Also, please do this:

Please run Deckard's System Scanner once again, this time using these instructions:
Click the Windows 'Start' button > Select 'Run' - then copy/paste this into the run box & click OK:
"%userprofile%\desktop\dss.exe" /config
Click on "Check All".
Click Scan!
When finished, it shall produce two logs for you. Post those logs in your next reply.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
#5
Registered User
Join Date: Apr 2007
Posts: 8
OS: XP
Re: Win32/Rustock.gen!C (help!)
"ME" - 07-04-03 23:19:43 Service Pack 2
ComboFix 07-04-04 - Running from: "C:\Documents and Settings\ME\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\5_exception.nls
C:\WINDOWS\system32\ksys.sys

((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\EXAMPLE
-------\EXAMPLE1
-------\Runtime
-------\LEGACY_EXAMPLE
-------\LEGACY_EXAMPLE1
-------\LEGACY_MCHINJDRV
-------\LEGACY_RUNTIME

((((((((((((((((((((((((((((((( Files Created from 2007-03-03 to 2007-04-03 ))))))))))))))))))))))))))))))))))
C:\WINDOWS\setdebug.exe 2007-03-03 15:00 313,856 --a------ C:\WINDOWS\system32\dx3j.dll 2007-03-03 15:00 171,280 --a------ C:\WINDOWS\system32\jit.dll 2007-03-03 15:00 139,536 --a------ C:\WINDOWS\system32\javaee.dll 2007-03-03 14:59 947,472 --a------ C:\WINDOWS\system32\msjava.dll 2007-03-03 14:59 63,248 --a------ C:\WINDOWS\system32\javaprxy.dll 2007-03-03 14:59 49,424 --a------ C:\WINDOWS\system32\clspack.exe 2007-03-03 14:59 404,752 --a------ C:\WINDOWS\system32\javart.dll 2007-03-03 14:59 286,992 --a------ C:\WINDOWS\system32\vmhelper.dll 2007-03-03 14:59 21,264 --a------ C:\WINDOWS\system32\msjdbc10.dll 2007-03-03 14:59 187,152 --a------ C:\WINDOWS\system32\javacypt.dll 2007-03-03 14:59 172,304 --a------ C:\WINDOWS\system32\jview.exe 2007-03-03 14:59 171,792 --a------ C:\WINDOWS\system32\wjview.exe 2007-03-03 14:59 154,384 --a------ C:\WINDOWS\system32\msawt.dll 2007-03-03 14:59 15,120 --a------ C:\WINDOWS\system32\jdbgmgr.exe 2007-03-03 14:59 113 --a------ C:\WINDOWS\system32\zonedon.reg 2007-03-03 14:59 113 --a------ C:\WINDOWS\system32\zonedoff.reg 2007-03-03 14:56 239,104 --a------ C:\WINDOWS\system32\srrstr.dll 2007-03-03 14:53 26,112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe 2007-03-03 14:53 <DIR> d--h-c--- C:\WINDOWS\$xpsp1hfm$ (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) Rootkit driver pe386 is present. ... attempting disinfection pe386 ...... driver unloaded successfully. ADS removed - system32: deleted 73098 bytes in 1 streams. 2007-04-03 23:19 -------- d-------- C:\Program Files\soulseek 2007-03-21 22:52 -------- d-------- C:\Program Files\messenger plus! 
live 2007-03-12 19:56 -------- d-------- C:\Program Files\quicktime 2007-03-10 17:06 -------- d-------- C:\Program Files\msn messenger 2007-03-10 16:53 -------- d-------- C:\Program Files\messenger 2007-03-10 16:51 -------- d-------- C:\Program Files\movie maker 2007-03-10 16:46 -------- d-------- C:\Program Files\windows nt 2007-03-05 20:41 -------- d--h----- C:\Program Files\installshield installation information 2007-03-05 20:28 -------- d-------- C:\Program Files\Common Files\installshield 2007-02-28 02:35 -------- d-------- C:\Program Files\compaq 2007-02-28 01:39 -------- d-------- C:\Program Files\java 2007-02-28 01:39 -------- d-------- C:\DOCUME~1\ME\APPLIC~1\sun 2007-02-28 01:37 -------- d-------- C:\Program Files\Common Files\java 2007-02-28 01:29 -------- d--h----- C:\Program Files\windowsupdate 2007-02-28 01:26 -------- d-------- C:\Program Files\eags on! 2007-02-28 00:40 8362602 --a------ C:\back_up.reg 2007-02-25 11:40 499712 --a------ C:\WINDOWS\system32\msvcp71.dll 2007-02-25 11:40 348160 --a------ C:\WINDOWS\system32\msvcr71.dll 2007-02-25 11:27 -------- d-------- C:\Program Files\nero 2007-02-23 05:29 524288 --a------ C:\WINDOWS\system32\divxsm.exe 2007-02-23 05:29 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll 2007-02-23 05:29 200704 --a------ C:\WINDOWS\system32\ssldivx.dll 2007-02-23 05:29 1044480 --a------ C:\WINDOWS\system32\libdivx.dll 2007-02-23 05:25 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll 2007-02-23 05:25 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll 2007-02-23 05:25 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll 2007-02-23 05:25 73728 --a------ C:\WINDOWS\system32\dpl100.dll 2007-02-23 05:25 639066 --a------ C:\WINDOWS\system32\divx.dll 2007-02-23 05:25 593920 --a------ C:\WINDOWS\system32\dpugui11.dll 2007-02-23 05:25 57344 --a------ C:\WINDOWS\system32\dpv11.dll 2007-02-23 05:25 53248 --a------ C:\WINDOWS\system32\dpugui10.dll 2007-02-23 05:25 344064 --a------ C:\WINDOWS\system32\dpus11.dll 2007-02-23 05:25 
294912 --a------ C:\WINDOWS\system32\dpu11.dll 2007-02-23 05:25 294912 --a------ C:\WINDOWS\system32\dpu10.dll 2007-02-23 05:25 196608 --a------ C:\WINDOWS\system32\dtu100.dll 2007-02-16 02:40 124472 --a------ C:\WINDOWS\system32\divxcodecupdatechecker.exe 2007-02-07 13:39 517840 --a------ C:\WINDOWS\system32\symneti.dll 2007-02-07 13:39 269616 --a------ C:\WINDOWS\system32\drivers\symtdi.sys 2007-02-07 13:39 132816 --a------ C:\WINDOWS\system32\symredir.dll 2007-02-07 13:38 47184 --a------ C:\WINDOWS\system32\drivers\symndis.sys 2007-02-07 13:38 36976 --a------ C:\WINDOWS\system32\drivers\symids.sys 2007-02-07 13:38 17968 --a------ C:\WINDOWS\system32\drivers\symredrv.sys 2007-02-07 13:38 173392 --a------ C:\WINDOWS\system32\drivers\symfw.sys 2007-02-07 13:38 11536 --a------ C:\WINDOWS\system32\drivers\symdns.sys 2007-01-19 13:53 51056 --a------ C:\WINDOWS\system32\sirenacm.dll (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] "msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] "BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe" "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\"" "SpywareBot"="C:\\Program Files\\SpywareBot\\SpywareBot.exe -boot" "Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL] "Installed"="1" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI] "NoChange"="1" "Installed"="1" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS] "Installed"="1" 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk" "backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup" "location"="Common Startup" "command"="C:\\PROGRA~1\\MICROS~2\\Office\\OSA9.EXE -b -l" "item"="Microsoft Office" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk] "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Works Calendar Reminders.lnk" "backup"="C:\\WINDOWS\\pss\\Microsoft Works Calendar Reminders.lnkCommon Startup" "location"="Common Startup" "command"="C:\\PROGRA~1\\COMMON~1\\MICROS~1\\WORKSS~1\\wkcalrem.exe " "item"="Microsoft Works Calendar Reminders" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="NMBgMonitor" "hkey"="HKCU" "command"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="rundll32" "hkey"="HKLM" "command"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="ccApp" "hkey"="HKLM" "command"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared 
tools\msconfig\startupreg\KernelFaultCheck] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="dumprep 0 -k" "hkey"="HKLM" "command"="%systemroot%\\system32\\dumprep 0 -k" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="msnmsgr" "hkey"="HKCU" "command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="NeroCheck" "hkey"="HKLM" "command"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="RUNDLL32" "hkey"="HKLM" "command"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="qttask" "hkey"="HKLM" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smapp] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="Smtray" "hkey"="HKLM" "command"="Smtray.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srmclean] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="srmclean" "hkey"="HKLM" "command"="C:\\Cpqs\\Scom\\srmclean.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="SNDMon" "hkey"="HKLM" "command"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WCOLOREAL] 
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="coloreal" "hkey"="HKLM" "command"="\"C:\\Program Files\\COMPAQ\\Coloreal\\coloreal.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook" [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll" HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa Authentication Packages REG_MULTI_SZ msv1_0\0\0 Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0 Notification Packages REG_MULTI_SZ scecli\0\0 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 bthsvcs REG_MULTI_SZ BthServ\0\0 Contents of the 'Scheduled Tasks' folder C:\WINDOWS\tasks\MP Scheduled Scan.job C:\WINDOWS\tasks\SpywareBot Scheduled Scan.job ******************************************************************** catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006 http://www.gmer.net scanning hidden processes ... scanning hidden services ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 ******************************************************************** Completion time: 07-04-03 23:25:35 C:\ComboFix-quarantined-files.txt ... 07-04-03 23:25 --------- Deckard's System Scanner v20070328.36 Run by ME on 2007-04-03 at 23:27:45 Computer is in Normal Mode. 
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
93: 2007-04-03 22:27:52 UTC - RP93 - Deckard's System Scanner Restore Point
92: 2007-04-03 21:42:15 UTC - RP92 - Deckard's System Scanner Restore Point
91: 2007-04-03 14:55:22 UTC - RP91 - Software Distribution Service 2.0
90: 2007-04-03 14:38:14 UTC - RP90 - Software Distribution Service 2.0
89: 2007-04-03 14:14:36 UTC - RP89 - Software Distribution Service 2.0

-- First Restore Point --
1: 2007-02-25 10:02:51 UTC - RP1 - System Checkpoint

Performed disk cleanup.

-- HijackThis (run as ME.exe) --------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 23:28:00, on 03/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\ME\desktop\dss.exe
C:\PROGRA~1\HIJACK~1\ME.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bebo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/...C01&lc=0809&ac
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.presario.net/scripts/r...search&ap=b204
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/r...search&ap=b204
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/r...search&ap=b204
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1172622521826
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1173539138452
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/W...gPublisher.exe
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://ebanking.northernbank.co.uk/.../e-Safekey.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

-- File Associations -----------------------------------------------------------

All associations okay.
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 smwdm - c:\windows\system32\drivers\smwdm.sys
S3 basic2 - c:\windows\system32\drivers\basic2.sys (file missing)
S3 BthEnum (Bluetooth Request Block Driver) - c:\windows\system32\drivers\bthenum.sys
S3 BthPan (Bluetooth Device (Personal Area Network)) - c:\windows\system32\drivers\bthpan.sys
S3 BTHPORT (Bluetooth Port Driver) - c:\windows\system32\drivers\bthport.sys
S3 BTHUSB (Bluetooth Radio USB Driver) - c:\windows\system32\drivers\bthusb.sys
S3 Rksample - c:\windows\system32\drivers\rksample.sys (file missing)
S3 usbcm (USB Cable Modem 351000 NDIS Driver) - c:\windows\system32\drivers\usbcm.sys
S3 winachsf - c:\windows\system32\drivers\hsf_cnxt.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 BthServ (Bluetooth Support Service) - c:\windows\system32\svchost.exe -k bthsvcs

-- Scheduled Tasks -------------------------------------------------------------

2007-04-03 23:26:42 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job<MPSCHE~1.JOB>
2007-04-03 14:20:01 482 --a------ C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job<SPYWAR~1.JOB>

-- Files created between 2007-03-03 and 2007-04-03 -----------------------------

2007-04-03 15:40:09 0 d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust<INTERT~1>
2007-04-03 15:40:09 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2007-04-03 15:40:08 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-04-03 15:40:08 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-04-03 15:12:52 0 d-------- C:\Program Files\Windows Defender<WIFD1F~1>
2007-04-03 02:28:59 0 d-------- C:\Documents and Settings\ME\Application Data\SpywareBot<SPYWAR~1>
2007-04-03 02:09:16 626688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-04-03 01:12:06 0 d-------- C:\WINDOWS\system32\ActiveScan<ACTIVE~1>
2007-04-03 01:09:45 0 d-------- C:\Documents and Settings\ME\.housecall6.6<HOUSEC~1.6>
2007-04-01 20:10:16 0 d-------- C:\Program Files\Windows Live Safety Center<WINDOW~4>
2007-03-29 02:36:28 0 d-------- C:\Documents and Settings\ME\Application Data\DivX
2007-03-29 02:35:50 2432 -----n--- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-03-29 02:35:49 2560 -----n--- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-03-29 02:35:48 129784 -----n--- C:\WINDOWS\system32\pxafs.dll
2007-03-28 20:01:53 118520 -----n--- C:\WINDOWS\system32\pxinsi64.exe
2007-03-28 20:01:53 116472 -----n--- C:\WINDOWS\system32\pxcpyi64.exe
2007-03-28 20:01:53 36624 -----n--- C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-03-28 20:01:35 0 d-------- C:\Program Files\DivX
2007-03-27 16:03:05 0 d-------- C:\Program Files\Dan Elwell's Broadband Speed Test<DANELW~1>
2007-03-27 15:55:52 17024 --a------ C:\WINDOWS\system32\drivers\usbohci.sys
2007-03-27 13:55:02 0 d-------- C:\WINDOWS\pss
2007-03-23 01:53:33 1755 --a------ C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache<QTSBAN~1>
2007-03-21 22:54:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!<MESSEN~1>
2007-03-19 17:39:15 0 d-------- C:\Documents and Settings\ME\Application Data\VideoEgg
2007-03-19 17:38:12 0 d-------- C:\Documents and Settings\All Users\Application Data\VideoEgg
2007-03-19 17:38:06 0 d-------- C:\Program Files\VideoEgg
2007-03-15 22:57:40 0 d-------- C:\Program Files\SymNetDrv<SYMNET~1>
2007-03-15 22:38:23 0 d-------- C:\Program Files\Norton AntiVirus<NORTON~1>
2007-03-15 22:37:59 91904 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-03-15 22:37:59 124016 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-03-15 22:37:58 0 d-------- C:\Documents and Settings\ME\Application Data\Symantec
2007-03-15 22:37:39 0 d-------- C:\Program Files\Symantec
2007-03-15 22:37:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-03-15 22:37:30 0 d-------- C:\Program Files\Common Files\Symantec Shared<SYMANT~1>
2007-03-13 02:03:02 0 d-------- C:\Program Files\AviSynth 2.5<AVISYN~1.5>
2007-03-13 02:02:57 0 d-------- C:\Program Files\pspvideo9<PSPVID~1>
2007-03-12 00:12:23 0 d-------- C:\Documents and Settings\ME\Application Data\uTorrent
2007-03-11 15:16:18 0 d-------- C:\WINDOWS\system32\PreInstall<PREINS~1>
2007-03-11 15:16:16 0 d--h----- C:\WINDOWS\$hf_mig$
2007-03-11 13:18:51 127208 --a------ C:\WINDOWS\system32\mucltui.dll
2007-03-10 17:07:59 8192 --a------ C:\WINDOWS\system32\wshirda.dll
2007-03-10 17:07:59 27136 --a------ C:\WINDOWS\system32\irmon.dll
2007-03-10 17:07:59 152576 --a------ C:\WINDOWS\system32\irftp.exe
2007-03-10 17:02:42 0 d-------- C:\WINDOWS\Prefetch
2007-03-10 16:55:05 221184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-03-10 16:51:58 0 d-------- C:\WINDOWS\peernet
2007-03-10 16:51:55 0 d-------- C:\WINDOWS\provisioning<PROVIS~1>
2007-03-10 16:47:09 0 d-------- C:\WINDOWS\ServicePackFiles<SERVIC~1>
2007-03-10 16:41:03 0 d-------- C:\WINDOWS\system32\ReinstallBackups<REINST~1>
2007-03-10 16:40:32 22752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-03-10 16:36:22 0 d-------- C:\WINDOWS\EHome
2007-03-10 16:29:03 11776 -----n--- C:\WINDOWS\system32\spnpinst.exe
2007-03-10 16:29:02 4569 -----n--- C:\WINDOWS\system32\secupd.dat
2007-03-10 16:08:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage<WINDOW~1>
2007-03-05 21:02:16 0 d-------- C:\MAGIX
2007-03-05 20:43:50 0 d-------- C:\WINDOWS\system32\URTTemp
2007-03-05 20:34:56 80480 --a------ C:\WINDOWS\system32\msrclr40.dll
2007-03-05 20:34:55 35424 --a------ C:\WINDOWS\system32\msrecr40.dll
2007-03-05 20:32:00 0 d-------- C:\Program Files\Common Files\Teleca Shared<TELECA~1>
2007-03-05 20:28:42 0 d-------- C:\WINDOWS\Downloaded Installations<DOWNLO~2>
2007-03-03 15:04:52 91136 --a------ C:\WINDOWS\system32\mtxoci.dll
2007-03-03 15:04:52 66560 --a------ C:\WINDOWS\system32\mtxclu.dll
2007-03-03 15:04:51 161280 --a------ C:\WINDOWS\system32\msdtcuiu.dll
2007-03-03 15:04:51 426496 --a------ C:\WINDOWS\system32\msdtcprx.dll
2007-03-03 15:04:51 540160 --a------ C:\WINDOWS\system32\comuid.dll
2007-03-03 15:04:50 395776 --a------ C:\WINDOWS\system32\rpcss.dll
2007-03-03 15:04:50 581120 --a------ C:\WINDOWS\system32\rpcrt4.dll
2007-03-03 15:04:50 956416 --a------ C:\WINDOWS\system32\msdtctm.dll
2007-03-03 15:04:49 1285120 --a------ C:\WINDOWS\system32\ole32.dll
2007-03-03 15:04:49 62464 --a------ C:\WINDOWS\system32\colbact.dll
2007-03-03 15:04:48 101376 --a------ C:\WINDOWS\system32\txflog.dll
2007-03-03 15:04:48 243200 --a------ C:\WINDOWS\system32\es.dll
2007-03-03 15:04:48 1251840 --a------ C:\WINDOWS\system32\comsvcs.dll
2007-03-03 15:04:48 110080 --a------ C:\WINDOWS\system32\clbcatex.dll
2007-03-03 15:04:47 628224 --a------ C:\WINDOWS\system32\catsrvut.dll
2007-03-03 15:04:47 229888 --a------ C:\WINDOWS\system32\catsrv.dll
2007-03-03 15:04:09 39936 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-03 15:04:07 614912 --a------ C:\WINDOWS\system32\h323msp.dll
2007-03-03 15:04:06 331264 --a------ C:\WINDOWS\system32\ipnathlp.dll
2007-03-03 15:04:06 77312 --a------ C:\WINDOWS\system32\browser.dll
2007-03-03 15:00:06 171280 --a------ C:\WINDOWS\system32\jit.dll
2007-03-03 15:00:06 46352 --a------ C:\WINDOWS\setdebug.exe
2007-03-03 15:00:05 139536 --a------ C:\WINDOWS\system32\javaee.dll
2007-03-03 15:00:05 6550 --a------ C:\WINDOWS\jautoexp.dat
2007-03-03 15:00:04 313856 --a------ C:\WINDOWS\system32\dx3j.dll
2007-03-03 14:59:57 113 --a------ C:\WINDOWS\system32\zonedon.reg
2007-03-03 14:59:57 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2007-03-03 14:59:56 171792 --a------ C:\WINDOWS\system32\wjview.exe
2007-03-03 14:59:56 286992 --a------ C:\WINDOWS\system32\vmhelper.dll
2007-03-03 14:59:55 21264 --a------ C:\WINDOWS\system32\msjdbc10.dll
2007-03-03 14:59:54 947472 --a------ C:\WINDOWS\system32\msjava.dll
2007-03-03 14:59:53 154384 --a------ C:\WINDOWS\system32\msawt.dll
2007-03-03 14:59:53 172304 --a------ C:\WINDOWS\system32\jview.exe
2007-03-03 14:59:52 15120 --a------ C:\WINDOWS\system32\jdbgmgr.exe
2007-03-03 14:59:52 404752 --a------ C:\WINDOWS\system32\javart.dll
2007-03-03 14:59:51 63248 --a------ C:\WINDOWS\system32\javaprxy.dll
2007-03-03 14:59:51 187152 --a------ C:\WINDOWS\system32\javacypt.dll
2007-03-03 14:59:49 49424 --a------ C:\WINDOWS\system32\clspack.exe
2007-03-03 14:56:45 239104 --a------ C:\WINDOWS\system32\srrstr.dll
2007-03-03 14:53:41 26112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2007-03-03 14:53:41 0 d--h---c- C:\WINDOWS\$xpsp1hfm$<$XPSP1~1>

-- Find3M Report ---------------------------------------------------------------

2007-04-03 23:19:25 0 d-------- C:\Program Files\Soulseek
2007-03-21 22:52:59 0 d-------- C:\Program Files\Messenger Plus! Live<MESSEN~2>
2007-03-20 01:10:16 0 d---s---- C:\Documents and Settings\ME\Application Data\Microsoft<MICROS~1>
2007-03-12 19:56:18 0 d-------- C:\Program Files\QuickTime<QUICKT~1>
2007-03-10 17 30 0 d-------- C:\Program Files\MSN Messenger<MSNMES~1>
2007-03-10 16:53:01 0 d-------- C:\Program Files\Messenger<MESSEN~1>
2007-03-10 16:51:58 0 d-------- C:\Program Files\Movie Maker<MOVIEM~1>
2007-03-10 16:46:34 0 d-------- C:\Program Files\Windows NT<WINDOW~1>
2007-03-10 16:42:31 250032 -rahs---- C:\ntldr
2007-03-05 20:41:02 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-03-05 20:28:37 0 d-------- C:\Program Files\Common Files\InstallShield<INSTAL~1>
2007-03-04 22:16:13 0 d-------- C:\Program Files\Common Files\Adobe
2007-03-03 15:05:02 0 d-------- C:\Documents and Settings\ME\Application Data\Ahead
2007-02-28 02:35:16 0 d-------- C:\Program Files\COMPAQ
2007-02-28 01:46:49 0 d-------- C:\Documents and Settings\ME\Application Data\Apple Computer<APPLEC~1>
2007-02-28 01:39:52 0 d-------- C:\Documents and Settings\ME\Application Data\Sun
2007-02-28 01:39:31 0 d-------- C:\Program Files\Java
2007-02-28 01:37:10 0 d-------- C:\Program Files\Common Files\Java
2007-02-28 01:36:23 0 d-------- C:\Documents and Settings\ME\Application Data\Macromedia<MACROM~1>
2007-02-28 01:29:46 0 d--h----- C:\Program Files\WindowsUpdate<WINDOW~2>
2007-02-28 01:26:37 0 d-------- C:\Program Files\eags on!<EAGSON~1>
2007-02-28 00:40:27 0 d-------- C:\Program Files\BroadJump<BROADJ~1>
2007-02-28 00:40:09 8362602 --a------ C:\back_up.reg
2007-02-25 11:40:23 348160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-02-25 11:40:23 499712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-02-25 11:35:17 0 d-------- C:\Program Files\Common Files\Ahead
2007-02-25 11:27:45 0 d-------- C:\Program Files\Nero
2007-02-23 05:29:58 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-02-23 05:29:56 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-02-23 05:29:49 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-02-23 05:29:49 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-02-23 05:25:24 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-02-23 05:25:24 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-02-23 05:25:23 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-02-23 05:25:22 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-02-23 05:25:22 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-02-23 05:25:22 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-02-23 05:25:22 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-02-23 05:25:22 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-02-23 05:25:19 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll<DIVX_X~3.DLL>
2007-02-23 05:25:19 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll<DIVX_X~1.DLL>
2007-02-23 05:25:19 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll<DIVX_X~2.DLL>
2007-02-23 05:25:19 639066 --a------ C:\WINDOWS\system32\DivX.dll
2007-02-16 02:40:35 124472 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe<DIVXCO~1.EXE>
2007-02-07 13:39:08 517840 --a------ C:\WINDOWS\system32\SymNeti.dll
2007-02-07 13:39:04 132816 --a------ C:\WINDOWS\system32\SymRedir.dll
2007-01-19 13:53:04 51056 --a------ C:\WINDOWS\system32\sirenacm.dll

-- Registry Dump ---------------------------------------------------------------

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"SpywareBot"="C:\\Program Files\\SpywareBot\\SpywareBot.exe -boot"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office\\OSA9.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Works Calendar Reminders.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Works Calendar Reminders.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\MICROS~1\\WORKSS~1\\wkcalrem.exe "
"item"="Microsoft Works Calendar Reminders"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NMBgMonitor"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="rundll32"
"hkey"="HKLM"
"command"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccApp"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32" "hkey"="HKLM" "command"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="qttask" "hkey"="HKLM" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smapp] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="Smtray" "hkey"="HKLM" "command"="Smtray.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srmclean] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="srmclean" "hkey"="HKLM" "command"="C:\\Cpqs\\Scom\\srmclean.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="SNDMon" "hkey"="HKLM" "command"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WCOLOREAL] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="coloreal" "hkey"="HKLM" "command"="\"C:\\Program Files\\COMPAQ\\Coloreal\\coloreal.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook" [HKEY_USERS\.default\software\microsoft\windows\currentversion\run] "CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE" [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 bthsvcs REG_MULTI_SZ BthServ\0\0 -- End of Deckard's System Scanner: finished at 2007-04-03 at 23:28:37 --------- -------- Deckard's System Scanner v20070328.36 Extra logfile - please post this as an attachment with your post. -------------------------------------------------------------------------------- -- System Information ---------------------------------------------------------- Microsoft Windows XP Home Edition (build 2600) SP 2.0 Architecture: X86; Language: English CPU 0: Intel(R) Pentium(R) 4 CPU 1500MHz Percentage of Memory in Use: 38% Physical Memory (total/avail): 511.42 MiB / 316.18 MiB Pagefile Memory (total/avail): 1250.17 MiB / 1090.48 MiB Virtual Memory (total/avail): 2047.88 MiB / 2003.54 MiB A: is Removable (No Media) C: is Fixed (NTFS) - 33.37 GiB total, 15.66 GiB free. D: is Fixed (FAT32) - 3.89 GiB total, 1.85 GiB free. E: is CDROM (No Media) F: is CDROM (No Media) -- Security Center ------------------------------------------------------------- AUOptions is scheduled to auto-install. Windows Internal Firewall is enabled. AntiVirusDisableNotify is set. 
-- Environment Variables ------------------------------------------------------- ALLUSERSPROFILE=C:\Documents and Settings\All Users APPDATA=C:\Documents and Settings\ME\Application Data CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip CLIENTNAME=Console CommonProgramFiles=C:\Program Files\Common Files COMPUTERNAME=YOUR-MU12SA9A2I ComSpec=C:\WINDOWS\system32\cmd.exe FP_NO_HOST_CHECK=NO HOMEDRIVE=C: HOMEPATH=\Documents and Settings\ME LOGONSERVER=\\YOUR-MU12SA9A2I NUMBER_OF_PROCESSORS=1 OS=Windows_NT Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\ PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH PROCESSOR_ARCHITECTURE=x86 PROCESSOR_IDENTIFIER=x86 Family 15 Model 0 Stepping 10, GenuineIntel PROCESSOR_LEVEL=15 PROCESSOR_REVISION=000a ProgramFiles=C:\Program Files PROMPT=$P$G QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip SESSIONNAME=Console SystemDrive=C: SystemRoot=C:\WINDOWS TEMP=C:\DOCUME~1\ME\LOCALS~1\Temp TMP=C:\DOCUME~1\ME\LOCALS~1\Temp USERDOMAIN=YOUR-MU12SA9A2I USERNAME=ME USERPROFILE=C:\Documents and Settings\ME windir=C:\WINDOWS -- User Profiles --------------------------------------------------------------- Owner (new local, admin) ME (admin) Administrator (new local, admin) -- Add/Remove Programs --------------------------------------------------------- --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER --> C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL --> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu --> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL --> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL --> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL --> C:\WINDOWS\UNNeroVision.exe /UNINSTALL --> C:\WINDOWS\UNRecode.exe /UNINSTALL --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common 
Files\Adobe\Acrobat 5.0\NT\Uninst.dll" Adobe Flash Player 9 ActiveX --> C:\WINDOWS\System32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log AviSynth 2.5 --> "C:\Program Files\AviSynth 2.5\Uninstall.exe" BroadJump Client Foundation --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\BroadJump\Client Foundation\Uninst.isu" -c"C:\Program Files\BroadJump\Client Foundation\RmvBJCFD.dll" -b"CFD" -h"CFD" -a Coloreal --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BDE90251-93EB-4F6A-89D8-086E2D91DC56}\setup.exe" Compaq Products & Accessories --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F484CCF1-34C3-49CE-80FF-B0B148D556AC}\setup.exe" Compaq WinDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C1939820-A945-11D4-86F6-0001031E5712}\setup.exe" REMOVEALL Dan Elwell's Broadband Speed Test --> "C:\Program Files\Dan Elwell's Broadband Speed Test\unins000.exe" DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC DivX Converter --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER eags on! 0.8.8 --> "C:\Program Files\eags on!\unins000.exe" HijackThis 1.99.1 --> C:\DOCUME~1\ME\LOCALS~1\Temp\Rar$EX00.468\HijackThis.exe /uninstall J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110} LiveUpdate 3.0 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U MAGIX mp3 maker gold --> C:\MAGIX\mp3mgold\unwise.exe C:\MAGIX\mp3mgold\INSTALL.LOG Messenger Plus! Live --> "C:\Program Files\Messenger Plus! 
Live\Uninstall.exe" Microsoft Word 2000 SR-1 --> MsiExec.exe /I{00170409-78E1-11D2-B60F-006097C998E7} Microsoft Works 2000 --> MsiExec.exe /I{56364334-9530-11D2-BFFC-00C04FA329AA} Nero 7 Premium --> MsiExec.exe /I{3DE0F289-AEA8-C875-B24B-B0581F501033} NVIDIA Windows 2000/XP Display Drivers --> rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nvcq.inf Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan PSP Video 9 1.74 --> C:\Program Files\pspvideo9\uninst.exe QuickTime --> MsiExec.exe /I{F07B861C-72B9-40A4-8B1A-AAED4C06A7E8} SoulSeek Client 156b --> "C:\Program Files\Soulseek\uninstall.exe" SoundMAX2 --> C:\Program Files\Analog Devices\SoundMAX 2\ADIOUT.BAT VideoEgg Publisher --> C:\Program Files\VideoEgg\Uninstall.exe Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401} Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F} Windows Live OneCare safety scanner --> RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe -- End of Deckard's System Scanner: finished at 2007-04-03 at 23:28:37 --------- |
#6
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,682
OS: 2000 Pro; XP Pro; XP Home
Re: Win32/Rustock.gen!C (help!)
Good job! I would think that your system feels much better now.
Let's do some deep scanning.... Please perform this general system scan and cleaning to see if anything else is lurking.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

---------------------------------------------------------------------------------------------------

I see parts of Norton, but it does not appear to be installed. Please use the instructions on this page to completely uninstall your Norton Products.

---------------------------------------------------------------------------------------------------

I see no evidence of an AntiVirus program on your system. This must be resolved. Connecting to the Internet without antivirus protection is a "Welcome" doormat for malware. It can take as little as eight seconds to infect an unprotected computer. Here are a few very good free Antivirus products which are available:

---------------------------------------------------------------------------------------------------

Download AVG Anti Spyware. Use the link at the bottom of the page under "AVG Anti-Spyware Free for Windows".

---------------------------------------------------------------------------------------------------

Please download ATF Cleaner by Atribune. This program is for XP and Windows 2000 only.

For Technical Support, double-click the e-mail address located at the bottom of each menu.

---------------------------------------------------------------------------------------------------

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Log in on your usual account. Make sure to close any open browsers.

---------------------------------------------------------------------------------------------------

It appears as though you've already uninstalled this program: SpywareBot <<<< it's rogueware (or known to be rogueware in the past) and we highly recommend that you uninstall it. Rogue/Suspect means that these products are of unknown, questionable, or dubious value as anti-spyware protection.

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types.
* Click Yes to confirm and then click OK.

Delete these folders:
C:\Program Files\SpywareBot
C:\Documents and Settings\ME\Application Data\SpywareBot

---------------------------------------------------------------------------------------------------

Run AVG Anti-Spyware with its updated definitions: (...it's important that all windows must be closed)

Restart in normal mode.

---------------------------------------------------------------------------------------------------

Perform an online scan with Internet Explorer with Panda ActiveScan.

* Turn off the real time scanner of any existing antivirus program while performing the online scan.

---------------------------------------------------------------------------------------------------

Open Hijack This and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------------

Please return with logs from:
AVG Anti-Spyware
Panda
HJT
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
#7
Registered User
Join Date: Apr 2007
Posts: 8
OS: XP
Re: Win32/Rustock.gen!C (help!)
Logfile of HijackThis v1.99.1
Scan saved at 01:55:08, on 06/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bebo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/...C01&lc=0809&ac
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.presario.net/scripts/r...search&ap=b204
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/r...search&ap=b204
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/r...search&ap=b204
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

---

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 00:31:05 06/04/2007

+ Scan result:

C:\QooBox\Quarantine\07-04-03\WINDOWS\system32\ksys.sys.vir -> Rootkit.Agent.eb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP92\A0104461.sys -> Rootkit.Agent.eb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP10\A0004030.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP10\A0005030.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP22\A0005561.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP22\A0006561.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP23\A0006628.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP25\A0007067.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP25\A0007106.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP25\A0007145.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP25\A0008145.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP25\A0008152.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP25\A0009152.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP25\A0010152.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP26\A0011152.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP28\A0014126.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP28\A0014627.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP29\A0014668.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP29\A0014709.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP30\A0015709.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP30\A0017775.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP31\A0017821.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP32\A0020860.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP32\A0022873.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP33\A0022925.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP33\A0022965.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP33\A0023111.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP34\A0026112.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP34\A0026150.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP35\A0029162.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP35\A0029170.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP35\A0029191.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP36\A0032233.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP36\A0032254.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP36\A0033254.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP37\A0036254.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP37\A0036276.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP38\A0039276.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP38\A0039316.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP39\A0042317.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP40\A0047318.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP41\A0050318.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP42\A0051318.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP43\A0054329.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP44\A0055329.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP46\A0059329.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP47\A0060329.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP48\A0061329.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP49\A0062329.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP50\A0063329.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP51\A0064329.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP52\A0065329.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP52\A0065337.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP52\A0065367.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP53\A0066367.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP54\A0067367.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP55\A0068367.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP56\A0069367.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP57\A0070367.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP58\A0071367.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP58\A0071375.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP59\A0072375.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP59\A0072385.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP60\A0073385.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP61\A0074385.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP62\A0075385.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP63\A0076385.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP64\A0077385.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP65\A0078385.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP66\A0079385.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP67\A0080385.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP68\A0081385.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP69\A0082385.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP70\A0083385.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP71\A0084385.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP72\A0085385.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP73\A0086385.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP74\A0087385.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP75\A0088385.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP76\A0089385.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP77\A0090385.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP78\A0091385.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP79\A0092385.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP80\A0093385.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP81\A0094385.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP82\A0095385.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4ED2BF26-1563-496D-98B4-DBD4727DA286}\RP83\A0096385.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).

::Report end

----

Incident                      Status            Location
Spyware:Cookie/Adtech         Not disinfected   C:\Documents and Settings\ME\Cookies\me@adtech[2].txt
Spyware:Cookie/Atlas DMT      Not disinfected   C:\Documents and Settings\ME\Cookies\me@atdmt[2].txt
Spyware:Cookie/Serving-sys    Not disinfected   C:\Documents and Settings\ME\Cookies\me@bs.serving-sys[2].txt
Spyware:Cookie/Doubleclick    Not disinfected   C:\Documents and Settings\ME\Cookies\me@doubleclick[2].txt
Spyware:Cookie/Serving-sys    Not disinfected   C:\Documents and Settings\ME\Cookies\me@serving-sys[2].txt
Spyware:Cookie/Tribalfusion   Not disinfected   C:\Documents and Settings\ME\Cookies\me@tribalfusion[2].txt
#8
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,682
OS: 2000 Pro; XP Pro; XP Home
Re: Win32/Rustock.gen!C (help!)
Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot

Close HijackThis now.
---------------------------------------------------------------------------------------------
Please run Deckard's System Scanner once again, this time using these instructions:
Click the Windows 'Start' button > Select 'Run' - then copy/paste this into the run box & click OK
"%userprofile%\desktop\dss.exe" /config
Click on "Check All"
Click Scan!
When finished, it shall produce two logs for you. Post those logs in your next reply.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
#9
Registered User
Join Date: Apr 2007
Posts: 8
OS: XP
Re: Win32/Rustock.gen!C (help!)
Deckard's System Scanner v20070328.36
Run by ME on 2007-04-06 at 09:43:14
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------
Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
95: 2007-04-06 08:43:22 UTC - RP95 - Deckard's System Scanner Restore Point
94: 2007-04-05 02:16:09 UTC - RP94 - Software Distribution Service 2.0
93: 2007-04-03 22:27:52 UTC - RP93 - Deckard's System Scanner Restore Point
92: 2007-04-03 21:42:15 UTC - RP92 - Deckard's System Scanner Restore Point
91: 2007-04-03 14:55:22 UTC - RP91 - Software Distribution Service 2.0

-- First Restore Point --
1: 2007-02-25 10:02:51 UTC - RP1 - System Checkpoint

Performed disk cleanup.

-- HijackThis (run as ME.exe) --------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 09:43:31, on 06/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\ME\desktop\dss.exe
C:\PROGRA~1\HIJACK~1\ME.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bebo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/...C01&lc=0809&ac
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.presario.net/scripts/r...search&ap=b204
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/r...search&ap=b204
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/r...search&ap=b204
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1172622521826
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1173539138452
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/W...gPublisher.exe
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://ebanking.northernbank.co.uk/.../e-Safekey.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

-- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~1\backups\) --------------------
backup-20070406-094243-781 O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot

-- File Associations -----------------------------------------------------------
All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R3 smwdm - c:\windows\system32\drivers\smwdm.sys
S3 basic2 - c:\windows\system32\drivers\basic2.sys (file missing)
S3 BthEnum (Bluetooth Request Block Driver) - c:\windows\system32\drivers\bthenum.sys
S3 BthPan (Bluetooth Device (Personal Area Network)) - c:\windows\system32\drivers\bthpan.sys
S3 BTHPORT (Bluetooth Port Driver) - c:\windows\system32\drivers\bthport.sys
S3 BTHUSB (Bluetooth Radio USB Driver) - c:\windows\system32\drivers\bthusb.sys
S3 Rksample - c:\windows\system32\drivers\rksample.sys (file missing)
S3 usbcm (USB Cable Modem 351000 NDIS Driver) - c:\windows\system32\drivers\usbcm.sys
S3 winachsf - c:\windows\system32\drivers\hsf_cnxt.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R2 BthServ (Bluetooth Support Service) - c:\windows\system32\svchost.exe -k bthsvcs

-- Scheduled Tasks -------------------------------------------------------------
2007-04-03 14:20:01 482 --a------ C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job<SPYWAR~1.JOB>

-- Files created between 2007-03-06 and 2007-04-06 -----------------------------
2007-04-05 03:33:12 3968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-03 15:40:09 0 d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust<INTERT~1>
2007-04-03 15:40:09 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2007-04-03 15:40:08 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-04-03 15:40:08 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-04-03 02:09:16 626688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-04-03 01:12:06 0 d-------- C:\WINDOWS\system32\ActiveScan<ACTIVE~1>
2007-04-03 01:09:45 0 d-------- C:\Documents and Settings\ME\.housecall6.6<HOUSEC~1.6>
2007-04-01 20:10:16 0 d-------- C:\Program Files\Windows Live Safety Center<WINDOW~4>
2007-03-29 02:36:28 0 d-------- C:\Documents and Settings\ME\Application Data\DivX
2007-03-29 02:35:50 2432 -----n--- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-03-29 02:35:49 2560 -----n--- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-03-29 02:35:48 129784 -----n--- C:\WINDOWS\system32\pxafs.dll
2007-03-28 20:01:53 118520 -----n--- C:\WINDOWS\system32\pxinsi64.exe
2007-03-28 20:01:53 116472 -----n--- C:\WINDOWS\system32\pxcpyi64.exe
2007-03-28 20:01:53 36624 -----n--- C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-03-28 20:01:35 0 d-------- C:\Program Files\DivX
2007-03-27 16:03:05 0 d-------- C:\Program Files\Dan Elwell's Broadband Speed Test<DANELW~1>
2007-03-27 15:55:52 17024 --a------ C:\WINDOWS\system32\drivers\usbohci.sys
2007-03-27 13:55:02 0 d-------- C:\WINDOWS\pss
2007-03-23 01:53:33 1755 --a------ C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache<QTSBAN~1>
2007-03-21 22:54:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!<MESSEN~1>
2007-03-19 17:39:15 0 d-------- C:\Documents and Settings\ME\Application Data\VideoEgg
2007-03-19 17:38:12 0 d-------- C:\Documents and Settings\All Users\Application Data\VideoEgg
2007-03-19 17:38:06 0 d-------- C:\Program Files\VideoEgg
2007-03-15 22:38:23 0 d-------- C:\Program Files\Norton AntiVirus<NORTON~1>
2007-03-15 22:37:58 0 d-------- C:\Documents and Settings\ME\Application Data\Symantec
2007-03-15 22:37:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-03-15 22:37:30 0 d-------- C:\Program Files\Common Files\Symantec Shared<SYMANT~1>
2007-03-13 02:03:02 0 d-------- C:\Program Files\AviSynth 2.5<AVISYN~1.5>
2007-03-13 02:02:57 0 d-------- C:\Program Files\pspvideo9<PSPVID~1>
2007-03-12 00:12:23 0 d-------- C:\Documents and Settings\ME\Application Data\uTorrent
2007-03-11 15:16:18 0 d-------- C:\WINDOWS\system32\PreInstall<PREINS~1>
2007-03-11 15:16:16 0 d--h----- C:\WINDOWS\$hf_mig$
2007-03-11 13:18:51 127208 --a------ C:\WINDOWS\system32\mucltui.dll
2007-03-10 17:07:59 8192 --a------ C:\WINDOWS\system32\wshirda.dll
2007-03-10 17:07:59 27136 --a------ C:\WINDOWS\system32\irmon.dll
2007-03-10 17:07:59 152576 --a------ C:\WINDOWS\system32\irftp.exe
2007-03-10 17:02:42 0 d-------- C:\WINDOWS\Prefetch
2007-03-10 16:55:05 221184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-03-10 16:51:58 0 d-------- C:\WINDOWS\peernet
2007-03-10 16:51:55 0 d-------- C:\WINDOWS\provisioning<PROVIS~1>
2007-03-10 16:47:09 0 d-------- C:\WINDOWS\ServicePackFiles<SERVIC~1>
2007-03-10 16:41:03 0 d-------- C:\WINDOWS\system32\ReinstallBackups<REINST~1>
2007-03-10 16:40:32 22752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-03-10 16:36:22 0 d-------- C:\WINDOWS\EHome
2007-03-10 16:29:03 11776 -----n--- C:\WINDOWS\system32\spnpinst.exe
2007-03-10 16:29:02 4569 -----n--- C:\WINDOWS\system32\secupd.dat
2007-03-10 16:08:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage<WINDOW~1>

-- Find3M Report ---------------------------------------------------------------
2007-04-06 01:20:25 0 d-------- C:\Program Files\MSN Messenger<MSNMES~1>
2007-04-05 03:21:54 0 d-------- C:\Program Files\Messenger<MESSEN~1>
2007-04-03 23:19:25 0 d-------- C:\Program Files\Soulseek
2007-03-21 22:52:59 0 d-------- C:\Program Files\Messenger Plus! Live<MESSEN~2>
2007-03-20 01:10:16 0 d---s---- C:\Documents and Settings\ME\Application Data\Microsoft<MICROS~1>
2007-03-12 19:56:18 0 d-------- C:\Program Files\QuickTime<QUICKT~1>
2007-03-10 16:51:58 0 d-------- C:\Program Files\Movie Maker<MOVIEM~1>
2007-03-10 16:46:34 0 d-------- C:\Program Files\Windows NT<WINDOW~1>
2007-03-10 16:42:31 250032 -rahs---- C:\ntldr
2007-03-08 16:36:28 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 16:36:28 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 16:36:28 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 14:47:48 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-05 20:41:02 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-03-05 20:39:59 0 d-------- C:\Program Files\Common Files\Teleca Shared<TELECA~1>
2007-03-05 20:28:37 0 d-------- C:\Program Files\Common Files\InstallShield<INSTAL~1>
2007-03-04 22:16:13 0 d-------- C:\Program Files\Common Files\Adobe
2007-03-03 15:05:02 0 d-------- C:\Documents and Settings\ME\Application Data\Ahead
2007-02-28 02:35:16 0 d-------- C:\Program Files\COMPAQ
2007-02-28 01:46:49 0 d-------- C:\Documents and Settings\ME\Application Data\Apple Computer<APPLEC~1>
2007-02-28 01:39:52 0 d-------- C:\Documents and Settings\ME\Application Data\Sun
2007-02-28 01:39:31 0 d-------- C:\Program Files\Java
2007-02-28 01:37:10 0 d-------- C:\Program Files\Common Files\Java
2007-02-28 01:36:23 0 d-------- C:\Documents and Settings\ME\Application Data\Macromedia<MACROM~1>
2007-02-28 01:29:46 0 d--h----- C:\Program Files\WindowsUpdate<WINDOW~2>
2007-02-28 01:26:37 0 d-------- C:\Program Files\eags on!<EAGSON~1>
2007-02-28 00:40:27 0 d-------- C:\Program Files\BroadJump<BROADJ~1>
2007-02-28 00:40:09 8362602 --a------ C:\back_up.reg
2007-02-25 11:40:23 348160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-02-25 11:40:23 499712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-02-25 11:35:17 0 d-------- C:\Program Files\Common Files\Ahead
2007-02-25 11:27:45 0 d-------- C:\Program Files\Nero
2007-02-23 05:29:58 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-02-23 05:29:56 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-02-23 05:29:49 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-02-23 05:29:49 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-02-23 05:25:24 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-02-23 05:25:24 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-02-23 05:25:23 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-02-23 05:25:22 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-02-23 05:25:22 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-02-23 05:25:22 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-02-23 05:25:22 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-02-23 05:25:22 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-02-23 05:25:19 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll<DIVX_X~3.DLL>
2007-02-23 05:25:19 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll<DIVX_X~1.DLL>
2007-02-23 05:25:19 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll<DIVX_X~2.DLL>
2007-02-23 05:25:19 639066 --a------ C:\WINDOWS\system32\DivX.dll
2007-02-16 02:40:35 124472 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe<DIVXCO~1.EXE>
2007-01-19 13:53:04 51056 --a------ C:\WINDOWS\system32\sirenacm.dll

-- Registry Dump ---------------------------------------------------------------
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office\\OSA9.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Works Calendar Reminders.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Works Calendar Reminders.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\MICROS~1\\WORKSS~1\\wkcalrem.exe "
"item"="Microsoft Works Calendar Reminders"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NMBgMonitor"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="rundll32"
"hkey"="HKLM"
"command"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccApp"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smapp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Smtray"
"hkey"="HKLM"
"command"="Smtray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srmclean]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="srmclean"
"hkey"="HKLM"
"command"="C:\\Cpqs\\Scom\\srmclean.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SNDMon"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WCOLOREAL]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="coloreal"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\COMPAQ\\Coloreal\\coloreal.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
bthsvcs REG_MULTI_SZ BthServ\0\0

-- End of Deckard's System Scanner: finished at 2007-04-06 at 09:44:14 ---------

---

Deckard's System Scanner v20070328.36
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------
Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English
CPU 0: Intel(R) Pentium(R) 4 CPU 1500MHz
Percentage of Memory in Use: 34%
Physical Memory (total/avail): 511.42 MiB / 333.47 MiB
Pagefile Memory (total/avail): 1247.92 MiB / 1070.49 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1997.95 MiB
A: is Removable (No Media)
C: is Fixed (NTFS) - 33.37 GiB total, 14.37 GiB free.
D: is Fixed (FAT32) - 3.89 GiB total, 1.85 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)

-- Security Center -------------------------------------------------------------
AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.
AntiVirusDisableNotify is set.

-- Environment Variables -------------------------------------------------------
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\ME\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=YOUR-MU12SA9A2I
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\ME
LOGONSERVER=\\YOUR-MU12SA9A2I
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 0 Stepping 10, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=000a
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ME\LOCALS~1\Temp
TMP=C:\DOCUME~1\ME\LOCALS~1\Temp
USERDOMAIN=YOUR-MU12SA9A2I
USERNAME=ME
USERPROFILE=C:\Documents and Settings\ME
windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------
Owner (new local, admin)
ME (admin)
Administrator (new local, admin)

-- Add/Remove Programs ---------------------------------------------------------
 --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
 --> C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
 --> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
 --> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
 --> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
 --> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
 --> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
 --> C:\WINDOWS\UNRecode.exe /UNINSTALL
 --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\System32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
AviSynth 2.5 --> "C:\Program Files\AviSynth 2.5\Uninstall.exe"
BroadJump Client Foundation --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\BroadJump\Client Foundation\Uninst.isu" -c"C:\Program Files\BroadJump\Client Foundation\RmvBJCFD.dll" -b"CFD" -h"CFD" -a
Coloreal --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BDE90251-93EB-4F6A-89D8-086E2D91DC56}\setup.exe"
Compaq Products & Accessories --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F484CCF1-34C3-49CE-80FF-B0B148D556AC}\setup.exe"
Compaq WinDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C1939820-A945-11D4-86F6-0001031E5712}\setup.exe" REMOVEALL
Dan Elwell's Broadband Speed Test --> "C:\Program Files\Dan Elwell's Broadband Speed Test\unins000.exe"
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Converter --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
eags on! 0.8.8 --> "C:\Program Files\eags on!\unins000.exe"
HijackThis 1.99.1 --> C:\DOCUME~1\ME\LOCALS~1\Temp\Rar$EX00.468\HijackThis.exe /uninstall
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
MAGIX mp3 maker gold --> C:\MAGIX\mp3mgold\unwise.exe C:\MAGIX\mp3mgold\INSTALL.LOG
Messenger Plus! Live --> "C:\Program Files\Messenger Plus! Live\Uninstall.exe"
Microsoft Word 2000 SR-1 --> MsiExec.exe /I{00170409-78E1-11D2-B60F-006097C998E7}
Microsoft Works 2000 --> MsiExec.exe /I{56364334-9530-11D2-BFFC-00C04FA329AA}
Nero 7 Premium --> MsiExec.exe /I{3DE0F289-AEA8-C875-B24B-B0581F501033}
NVIDIA Windows 2000/XP Display Drivers --> rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nvcq.inf
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
PSP Video 9 1.74 --> C:\Program Files\pspvideo9\uninst.exe
QuickTime --> MsiExec.exe /I{F07B861C-72B9-40A4-8B1A-AAED4C06A7E8}
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
SoulSeek Client 156b --> "C:\Program Files\Soulseek\uninstall.exe"
SoundMAX2 --> C:\Program Files\Analog Devices\SoundMAX 2\ADIOUT.BAT
VideoEgg Publisher --> C:\Program Files\VideoEgg\Uninstall.exe
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live OneCare safety scanner --> RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe

-- End of Deckard's System Scanner: finished at 2007-04-06 at 09:44:14 ---------
#10
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,682
OS: 2000 Pro; XP Pro; XP Home
Re: Win32/Rustock.gen!C (help!)
OK, please refer to my instructions in Post # 6, where I asked you to install an Anti-Virus program.
Please do so now. I see no evidence of an AntiVirus program on your system. This must be resolved. Connecting to the Internet without antivirus protection is a "Welcome" doormat for malware. It can take as little as eight seconds to infect an unprotected computer. Here are a few very good free Antivirus products which are available:
You don't seem to have a firewall program installed. Using a third-party firewall will allow you to give/deny access for applications that want to go online. Select one of these, or another of your choice: Once you've done that, post a new HijackThis log. How is your system behaving, please?
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
#11
Registered User
Join Date: Apr 2007
Posts: 8
OS: XP
Re: Win32/Rustock.gen!C (help!)
Once again, thanks for all the help to date! This forum is excellent and I really appreciate the time you've taken!
I have AVG installed, as you instructed initially. I'm not sure why you can't see it?! My computer is behaving very very well, and I'm not experiencing any difficulties any more! Are there steps we still must cover?
#12
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,682
OS: 2000 Pro; XP Pro; XP Home
Re: Win32/Rustock.gen!C (help!)
Hi QUIGGS2001 -
What you've installed at my earlier request is AVG Anti-Spyware, which, while very useful, is not an AntiVirus program. From your Add/Remove list. Quote:
PC Safety and Security--What Do I Need? Once you've read that, choose and install an AntiVirus program, and I'd also recommend a third party firewall. I'd then like to see a HijackThis log, and will have some final instructions for you.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
#13
Registered User
Join Date: Apr 2007
Posts: 8
OS: XP
Re: Win32/Rustock.gen!C (help!)
Logfile of HijackThis v1.99.1
Scan saved at 23:15:09, on 06/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bebo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/...C01&lc=0809&ac
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.presario.net/scripts/r...search&ap=b204
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/r...search&ap=b204
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/r...search&ap=b204
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1172622521826
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1173539138452
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/W...gPublisher.exe
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://ebanking.northernbank.co.uk/.../e-Safekey.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
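A HijackThis log is one entry per line with a fixed section prefix (R0, O2, O4, O23 and so on), which makes it easy to triage mechanically before a human reads it. The following is an added example, not the poster's log and not HijackThis code: a small Python parser for the v1.99.1 layout plus a handful of review rules (an O2 BHO whose DLL is gone, an O4 autorun whose target sits in a Temp directory, a core Windows binary name running from outside C:\WINDOWS, and an O23 service with no company name). The sample log embedded in it is constructed; its Temp-path svchost.exe and "Unknown owner" service are invented to exercise the rules and do not appear in the log above. The rules are triage heuristics, not a clean/infected verdict.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in HijackThis v1.99.1 format (not the poster's log). The
# Temp-path svchost.exe lines and the "Unknown owner" service are invented so
# the review rules below have something to flag.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 23:15:09, on 06/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\ME\LOCALS~1\Temp\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bebo.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKCU\..\Run: [updater] C:\DOCUME~1\ME\LOCALS~1\Temp\svchost.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Helper Service (hlpsvc) - Unknown owner - C:\WINDOWS\system32\hlpsvc.exe
"""

ENTRY_RE = re.compile(r"^(R\d|F\d|O\d{1,2}) - (.*)$")   # "O4 - <detail>"
TEMP_RE = re.compile(r"\\Temp\\", re.IGNORECASE)
# Core Windows binary names that malware borrows; on XP the real ones live
# under C:\WINDOWS (explorer.exe) or C:\WINDOWS\system32.
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}
SYSTEM_PREFIX = "c:\\windows\\"


@dataclass
class Entry:
    code: str     # HijackThis section, e.g. "O4"
    detail: str   # everything after "O4 - "


@dataclass
class HjtLog:
    header: dict
    processes: list
    entries: list


def parse_hjt(text):
    """Split a HijackThis log into header fields, running processes and entries."""
    header, processes, entries = {}, [], []
    section = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            section = "processes"
            continue
        m = ENTRY_RE.match(line)
        if m:
            section = "entries"
            entries.append(Entry(m.group(1), m.group(2)))
            continue
        if section == "processes":
            processes.append(line)
        elif section == "header":
            if line.startswith("Logfile of HijackThis"):
                header["version"] = line.split("HijackThis", 1)[1].strip()
            elif line.startswith("Platform:"):
                header["platform"] = line[len("Platform:"):].strip()
            elif line.startswith("Scan saved at"):
                header["scan"] = line[len("Scan saved at"):].strip()
    return HjtLog(header, processes, entries)


def review(log):
    """Apply triage rules; returns (severity, section, text, reason) tuples."""
    findings = []
    for proc in log.processes:
        name = proc.rsplit("\\", 1)[-1].lower()
        if name in SYSTEM_NAMES and not proc.lower().startswith(SYSTEM_PREFIX):
            findings.append(("high", "process", proc,
                             "system binary name running outside C:\\WINDOWS"))
        elif TEMP_RE.search(proc):
            findings.append(("info", "process", proc, "running from a Temp directory"))
    for e in log.entries:
        if e.code == "O2" and e.detail.endswith("(no file)"):
            findings.append(("low", "O2", e.detail,
                             "orphaned BHO CLSID (DLL gone); fix to clear the leftover key"))
        elif e.code == "O4":
            m = re.search(r"\] (.*)$", e.detail)   # target after the [name]
            target = m.group(1) if m else ""
            if TEMP_RE.search(target):
                findings.append(("high", "O4", e.detail,
                                 "autorun target in Temp; legitimate software does not persist from there"))
        elif e.code == "O23" and " - Unknown owner - " in e.detail:
            findings.append(("medium", "O23", e.detail,
                             "service without a company name; verify the file and its signer"))
    return findings


def summarize(findings):
    """Count findings per severity."""
    return Counter(sev for sev, _section, _text, _reason in findings)


if __name__ == "__main__":
    for sev, section, text, reason in review(parse_hjt(SAMPLE_LOG)):
        print(f"[{sev:6}] {section:8} {reason}\n         {text}")
```

Run it against a saved log by replacing SAMPLE_LOG with the file's contents; anything it leaves unflagged still needs a human pass, since the rules only encode the handful of patterns above.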
#14
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,682
OS: 2000 Pro; XP Pro; XP Home
Re: Win32/Rustock.gen!C (help!)
Well done. Your logs appear clean. Any more issues? If not, you should be good to go. We still have a few items to address.
AVG Anti-Spyware would be a good program to keep, update and run a scan with once a week or so. It adds another layer of protection to your system's security tools. You may want to prevent AVG Anti-Spyware from running at Windows startup, and just call it into service when needed. This may help with system boot times. To do so, right-click on the AVG A/S system tray icon, and uncheck Start with Windows. Also disable its real-time protection (unless you decide to purchase it), as this will also use system resources, and will time out at the end of the trial period in 30 days. To do so: Open AVG Anti-Spyware.
Reset hidden/system files and folders
Create a new System Restore point
Enable Windows Auto Update
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well-written articles. If you want to fight back against the malware writers that have made your life a misery, please take a look here and read what you can do against it. Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009