|
|
|
|
|||||
|
|
|
|
|
|
|||
| Welcome
to Tech Support Forum home to more then 136,000 problems solved. Issues
have included: Spyware, Malware, Virus Issues, Windows, Microsoft,
Linux, Networking, Security, Hardware, and Gaming Getting your
problem solved is as easy as: 1. Registering for a free account 2. Asking your question 3. Receiving an answer Registered members: * See fewer ads. * And much more..
|
| Want to know how to post a question? click here | Having problems with spyware and pop-ups? First Steps |
|
|||||||
| Resolved HJT Threads Resolved spyware and popup issues. |
|
|
LinkBack | Thread Tools |
04-22-2007, 04:49 PM
|
#1 (permalink) |
|
Registered User
Join Date: Apr 2007
Posts: 29
OS: xp
|
My DSS log
I used Hijack this and did a scan so I could get a log.....can someone please help with this!!! Very much appreciated in advance....
Branden Logfile of HijackThis v1.99.1 Scan saved at 5:42:43 PM, on 4/22/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\svchost.exe C:\WINNT\Explorer.EXE C:\WINNT\system32\LEXBCES.EXE C:\WINNT\system32\spoolsv.exe C:\WINNT\system32\LEXPPS.EXE C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINNT\system32\SK9910DM.EXE C:\WINNT\GWMDMMSG.exe C:\WINNT\System32\hkcmd.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\PopUp Killer\PopUpKiller.EXE C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe C:\Program Files\Winamp\winampa.exe C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe C:\WINNT\updater.exe C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe C:\WINNT\DOBE~1\dvdplay.exe C:\WINNT\?ystem\n?pdb.exe C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\WINNT\System32\svchost.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\WINNT\system32\wscntfy.exe C:\Program Files\Ipwindows\ipwins.exe C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe C:\WINNT\system32\wuauclt.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Winamp\Winamp.exe C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe C:\Program Files\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINNT\system32\uirlrffw.dll O2 - BHO: (no name) - {36DBC179-A19F-48F2-B16A-6A3E19B42A87} - C:\WINNT\system32\ipv6monl.dll O2 - BHO: (no name) - {3F9D0C61-737D-44D1-BD80-91AF857061CC} - C:\WINNT\system32\cbxyaab.dll O2 - BHO: (no name) - {41493FE9-6FB3-474E-92B7-00DDF50360AF} - C:\WINNT\system32\vtsqr.dll O2 - BHO: (no name) - {6595A644-4380-6477-F24F-1AE33AE4F89B} - C:\WINNT\system32\wdqvs.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O2 - BHO: (no name) - {CC46F77B-FD92-46AC-ADDF-8B4CE70E0EE7} - C:\WINNT\system32\vklnwaim.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check" O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" O4 - HKLM\..\Run: [xloadnet] "C:\Program Files\xloadnet\xloadnet.exe" O4 - HKLM\..\Run: [runner1] C:\WINNT\updater.exe 61A847B5BBF72810329B385473F001F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310 O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [Ltho] "C:\WINNT\DOBE~1\dvdplay.exe" -vt yazb O4 - HKCU\..\Run: [Pqdmwmrx] C:\WINNT\?ystem\n?pdb.exe O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O15 - Trusted Zone: *.sxload.net (HKLM) O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab O20 - Winlogon Notify: cbxyaab - C:\WINNT\SYSTEM32\cbxyaab.dll O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: vtsqr - C:\WINNT\system32\vtsqr.dll O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe Last edited by The Arto; 04-22-2007 at 04:51 PM. |
|
     |
| Important Information |
|
Join the #1 Tech Support Forum Today - It's Totally Free!
TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free. Join TechSupportforum.com Today - Click Here |
|
04-22-2007, 10:07 PM
|
#2 (permalink) |
|
Registered User
Join Date: Apr 2007
Posts: 29
OS: xp
|
My DSS log
Hey guys...I completed all of the 5 steps. My problem exist with endless pop-ups and outer info and my computer running incredibly slow. Like I said, I've done the 5 steps before posting this and hope you can help finish fixing this. During the Panda/Activescan it found and disinfected 3 viruses: Virus:Trj/Downloader.NYN, Virus:Trj/Cimuz.EN, and Virus:Trj/Kazlite.A. I hope this is enough info to help you help me. THank you in advance...your help is much appreciated becuase I don't want to get a new comp over this.
Branden here is the contents of the main.txt from my DSS scan: Deckard's System Scanner v20070411.38 Run by Owner on 2007-04-22 at 22:50:29 Computer is in Normal Mode. -------------------------------------------------------------------------------- -- System Restore -------------------------------------------------------------- Successfully created a Deckard's System Scanner Restore Point. -- Last 5 Restore Point(s) -- 70: 2007-04-23 03:50:35 UTC - RP1043 - Deckard's System Scanner Restore Point 69: 2007-04-23 03:47:25 UTC - RP1042 - Software Distribution Service 2.0 68: 2007-04-23 00:58:30 UTC - RP1041 - Installed Ad-Aware SE Personal 67: 2007-04-22 02:17:47 UTC - RP1040 - Removed pressplay 66: 2007-04-21 13:40:34 UTC - RP1039 - System Checkpoint -- First Restore Point -- 1: 2007-01-23 23:33:19 UTC - RP974 - System Checkpoint Backed up registry hives. Performed disk cleanup. -- HijackThis (run as Owner.exe) ----------------------------------------------- Logfile of HijackThis v1.99.1 Scan saved at 10:53:04 PM, on 4/22/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\svchost.exe C:\WINNT\Explorer.EXE C:\WINNT\system32\LEXBCES.EXE C:\WINNT\system32\spoolsv.exe C:\WINNT\system32\LEXPPS.EXE C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINNT\system32\SK9910DM.EXE C:\WINNT\GWMDMMSG.exe C:\WINNT\System32\hkcmd.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\PopUp Killer\PopUpKiller.EXE C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe C:\Program Files\Winamp\winampa.exe C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe C:\WINNT\updater.exe C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe C:\WINNT\DOBE~1\dvdplay.exe C:\WINNT\?ystem\n?pdb.exe C:\Program Files\Ipwindows\ipwins.exe C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\wscntfy.exe C:\Program Files\SpywareGuard\sgmain.exe C:\Program Files\SpywareGuard\sgbhp.exe C:\WINNT\system32\wuauclt.exe C:\Documents and Settings\Owner\Desktop\dss.exe C:\PROGRA~1\HIJACK~1\Owner.exe C:\Program Files\Messenger\msmsgs.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINNT\system32\uirlrffw.dll O2 - BHO: (no name) - {3F9D0C61-737D-44D1-BD80-91AF857061CC} - C:\WINNT\system32\cbxyaab.dll O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll O2 - BHO: (no name) - {659CF94F-108F-6425-F24F-1AE33AE4FE9C} - C:\WINNT\system32\aochsz.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: (no name) - {7786EF98-6143-4274-97D8-D8AA4059DA46} - C:\WINNT\system32\vtsqr.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O2 - BHO: (no name) - {CC46F77B-FD92-46AC-ADDF-8B4CE70E0EE7} - C:\WINNT\system32\vklnwaim.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check" O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" O4 - HKLM\..\Run: [xloadnet] "C:\Program Files\xloadnet\xloadnet.exe" O4 - HKLM\..\Run: [runner1] C:\WINNT\updater.exe 61A847B5BBF72810329B385473F001F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310 O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [Ltho] "C:\WINNT\DOBE~1\dvdplay.exe" -vt yazb O4 - HKCU\..\Run: [Pqdmwmrx] C:\WINNT\?ystem\n?pdb.exe O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O15 - Trusted Zone: *.sxload.net (HKLM) O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O20 - Winlogon Notify: cbxyaab - C:\WINNT\SYSTEM32\cbxyaab.dll O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: vtsqr - C:\WINNT\system32\vtsqr.dll O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe -- File Associations ----------------------------------------------------------- All associations okay. -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------- R1 Cdr4_xp - c:\winnt\system32\drivers\cdr4_xp.sys R1 Cdralw2k - c:\winnt\system32\drivers\cdralw2k.sys R1 cdudf_xp - c:\winnt\system32\drivers\cdudf_xp.sys R1 pwd_2k - c:\winnt\system32\drivers\pwd_2k.sys R1 Sk9920nt (PS/2 Keyboard Filter Driver for NT 4.0) - c:\winnt\system32\drivers\sk9920nt.sys R1 UdfReadr_xp - c:\winnt\system32\drivers\udfreadr_xp.sys R2 ASCTRM - c:\winnt\system32\drivers\asctrm.sys R3 aeaudio - c:\winnt\system32\drivers\aeaudio.sys R3 GTWModem (GTW V.92 Voicemodem) - c:\winnt\system32\drivers\gwmdm.sys R3 ialm - c:\winnt\system32\drivers\ialmnt5.sys R3 mmc_2K - c:\winnt\system32\drivers\mmc_2k.sys R3 MODEMCSA (Unimodem Streaming Filter Device) - c:\winnt\system32\drivers\modemcsa.sys R3 Sk99202k (PS/2 Keyboard Filter Driver for Win2000) - c:\winnt\system32\drivers\sk99202k.sys R3 smwdm - c:\winnt\system32\drivers\smwdm.sys S3 ac97intc (Intel(r) 82801 Audio Driver Install Service (WDM)) - c:\winnt\system32\drivers\ac97intc.sys S3 BCMModem (BCM V.90 56K Modem) - c:\winnt\system32\drivers\bcmdm.sys S3 dvd_2K - c:\winnt\system32\drivers\dvd_2k.sys S3 PCDRDRV (Pcdr Helper Driver) - c:\atf\qctest\pcdoc\pcdrdrv.sys (file missing) S3 WpdUsb - c:\winnt\system32\drivers\wpdusb.sys -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled -------------------- S2 spupdsvc (Windows Service Pack Installer update service) - c:\winnt\system32\spupdsvc.exe -- Scheduled Tasks ------------------------------------------------------------- 2007-04-22 22:53:00 364 --a------ C:\WINNT\Tasks\Symantec NetDetect.job<SYMANT~1.JOB> 2007-04-20 20:00:00 464 --a------ C:\WINNT\Tasks\Norton AntiVirus - Scan my computer.job<NORTON~1.JOB> 2007-04-16 21  00 284 --a------ C:\WINNT\Tasks\AppleSoftwareUpdate.job<APPLES~1.JOB>-- Files created between 2007-03-22 and 2007-04-22 ----------------------------- 2007-04-22 22:26:58 21312 --a------ C:\WINNT\choice.exe 2007-04-22 22:26:29 0 d-------- C:\ie-spyad 2007-04-22 22:21:10 0 d-------- C:\Program Files\SpywareGuard<SPYWAR~2> 2007-04-22 22:13:06 0 d-------- C:\Program Files\SpywareBlaster<SPYWAR~1> 2007-04-22 20:44:36 0 d-------- C:\WINNT\system32\ActiveScan<ACTIVE~1> 2007-04-22 20:44:24 0 d-------- C:\WINNT\LastGood 2007-04-22 19:59:29 0 d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft 2007-04-22 19:58:41 0 d-------- C:\Program Files\Lavasoft 2007-04-22 19:57:25 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1> 2007-04-22 19:16:01 123972 --a------ C:\WINNT\system32\wieyuvyi.dll 2007-04-22 18:50:25 0 d-------- C:\Program Files\Outerinfo<OUTERI~1> 2007-04-22 18:50:15 60928 --a------ C:\WINNT\system32\aochsz.dll 2007-04-22 09:02:41 0 d-------- C:\Program Files\Ipwindows<IPWIND~1> 2007-04-21 19:14:50 123972 --a------ C:\WINNT\system32\lcvijrkg.dll 2007-04-21 10:17:41 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP 2007-04-21 04:32:34 44544 -ra------ C:\WINNT\updater.exe 2007-04-20 19:14:33 123972 --a------ C:\WINNT\system32\hckbniif.dll 2007-04-20 19:14:30 1386433 ---hs---- C:\WINNT\system32\rqstv.bak2<RQSTV~2.BAK> 2007-04-20 07:11:38 76412 --a------ C:\WINNT\system32\gmnsnyov.dll 2007-04-20 07:11:33 49204 --a------ C:\WINNT\system32\uirlrffw.dll 2007-04-20 07:11:28 125460 --a------ C:\WINNT\system32\vklnwaim.dll 2007-04-20 07:11:10 123972 --a------ C:\WINNT\system32\vfntubfv.dll 2007-04-20 07:10:23 1373003 ---hs---- C:\WINNT\system32\rqstv.bak1<RQSTV~1.BAK> 2007-04-20 07:08:47 281172 ---hs---- C:\WINNT\system32\vtsqr.dll 2007-04-20 07:03:40 0 d-------- C:\Program Files\InetGet2 2007-04-20 07:01:12 2 --a------ C:\WINNT\system32\wnsapiicomsv32.exe<WNSAPI~1.EXE> 2007-04-20 07:00:31 40183 ---hs---- C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe<YAZZLE~2.EXE> 2007-04-20 07:00:25 0 d-------- C:\WINNT\?dobe 2007-04-20 07:00:07 26694 --a------ C:\WINNT\system32\cbxyaab.dll 2007-04-20 06:55:58 32768 --a------ C:\WINNT\system32\a.exe 2007-04-02 14:10:40 146432 ---hs---- C:\Program Files\Common Files\Yazzle1281OinAdmin.exe<YAZZLE~1.EXE> -- Find3M Report --------------------------------------------------------------- 2007-04-22 21:39:04 0 d-------- C:\Program Files\Winamp 2007-04-22 21:35:35 0 d-------- C:\Program Files\QuickTime<QUICKT~1> 2007-04-22 21:32:32 0 d-------- C:\Program Files\PopUp Killer<POPUPK~1> 2007-04-22 21:29:45 0 d-------- C:\Program Files\Norton AntiVirus<NORTON~1> 2007-04-22 21:27:20 0 d-------- C:\Program Files\Messenger<MESSEN~1> 2007-04-22 21:19:26 0 d-------- C:\Program Files\Google 2007-04-22 21:18:43 0 d-------- C:\Program Files\Dell AIO Printer A920<DELLAI~1> 2007-04-22 21:17:58 0 d-------- C:\Program Files\Common Files\Symantec Shared<SYMANT~1> 2007-04-22 19:19:42 0 d-------- C:\Program Files\WildTangent<WILDTA~1> 2007-04-22 19:15:02 0 d-------- C:\Program Files\Viewpoint<VIEWPO~1> 2007-04-21 21:18:01 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1> 2007-04-19 12:24:16 0 d-------- C:\Program Files\Gerge 2007-04-17 12:53:05 0 d-------- C:\Program Files\Java 2007-04-14 15:10:19 0 d-------- C:\Documents and Settings\Owner\Application Data\U3 2007-04-13 11:00:50 0 d---s---- C:\Documents and Settings\Owner\Application Data\Microsoft<MICROS~1> 2007-03-28 17:32:38 0 d-------- C:\Program Files\Full Tilt Poker.Net<FULLTI~1.NET> 2007-03-24 20:28:34 0 d-------- C:\Program Files\PartyGaming<PARTYG~1> 2007-03-17 08:43:01 292864 --a------ C:\WINNT\system32\winsrv.dll 2007-03-15 09:08:13 101438 --a------ C:\WINNT\b122.exe 2007-03-08 10:36:28 577536 --a------ C:\WINNT\system32\user32.dll 2007-03-08 10:36:28 40960 --a------ C:\WINNT\system32\mf3216.dll 2007-03-08 10:36:28 281600 --a------ C:\WINNT\system32\gdi32.dll 2007-03-08 08:47:48 1843584 --a------ C:\WINNT\system32\win32k.sys 2007-02-05 15:17:02 185344 --a------ C:\WINNT\system32\upnphost.dll -- Registry Dump --------------------------------------------------------------- [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] "swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe" "Ltho"="\"C:\\WINNT\\DOBE~1\\dvdplay.exe\" -vt yazb" "Pqdmwmrx"="C:\\WINNT\\?ystem\\n?pdb.exe" "IpWins"="C:\\Program Files\\Ipwindows\\ipwins.exe" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] "Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" "GWMDMMSG"="GWMDMMSG.exe" "IgfxTray"="C:\\WINNT\\System32\\igfxtray.exe" "HotKeysCmds"="C:\\WINNT\\System32\\hkcmd.exe" "Keyboard Preload Check"="C:\\OEMDRVRS\\KEYB\\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:\"Keyboard Preload Check\"" "GWMDMpi"="C:\\WINNT\\GWMDMpi.exe" "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\"" "ccRegVfy"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\"" "Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers" "PopUpKiller"="C:\\Program Files\\PopUp Killer\\PopUpKiller.EXE" "Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe" "WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe" "Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\"" "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\"" "Dell AIO Printer A920"="\"C:\\Program Files\\Dell AIO Printer A920\\dlbkbmgr.exe\"" "xloadnet"="\"C:\\Program Files\\xloadnet\\xloadnet.exe\"" "runner1"="C:\\WINNT\\updater.exe 61A847B5BBF72810329B385473F001F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL] "Installed"="1" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI] "NoChange"="1" "Installed"="1" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS] "Installed"="1" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk] "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\InterVideo WinCinema Manager.lnk" "backup"="C:\\WINNT\\pss\\InterVideo WinCinema Manager.lnkCommon Startup" "location"="Common Startup" "command"="C:\\PROGRA~1\\DVD\\Common\\Bin\\WINCIN~1.EXE " "item"="InterVideo WinCinema Manager" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="DirectCD" "hkey"="HKLM" "command"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="aim" "hkey"="HKCU" "command"="C:\\Program Files\\AIM95\\aim.exe -cnetwait.odl" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="Ares" "hkey"="HKCU" "command"="\"C:\\Program Files\\Ares\\Ares.exe\" -h" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Desktop Weather 3] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="The Weather Channel" "hkey"="HKCU" "command"="C:\\PROGRA~1\\THEWEA~1\\The Weather Channel.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iRiver Updater] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="Updater" "hkey"="HKLM" "command"="C:\\Program Files\\iRiver\\iRiver Manager\\Updater\\Updater.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="iTunesHelper" "hkey"="HKLM" "command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="msnmsgr" "hkey"="HKCU" "command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebRebates0] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="WebRebates0" "hkey"="HKLM" "command"="\"C:\\Program Files\\Web_Rebates\\WebRebates0.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="winampa" "hkey"="HKLM" "command"="C:\\Program Files\\Winamp\\winampa.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{3F9D0C61-737D-44D1-BD80-91AF857061CC}"="" "{81559C35-8464-49F7-BB0E-07A383BEF910}"="" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload] "WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}" HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxyaab HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtsqr [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0 -- End of Deckard's System Scanner: finished at 2007-04-22 at 22:54:43 --------- |
|
|
|
|
04-22-2007, 11:59 PM
|
#4 (permalink) |
|
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,792
OS: WinXP and Vista
|
Re: My DSS log
Hello Branden and welcome to TSF,
Download Combofix and save it to your desktop. **Note: It is important that it is saved directly to your desktop** -------------------------------------------------------------------- Close any open browsers. -------------------------------------------------------------------- Double click on combofix.exe & follow the prompts. When finished, it shall produce a log for you. Note: Do not mouseclick combofix's window while it's running. That may cause it to stall Post the ComboFix.txt in your next reply along with a new HijackThis log. |
|
|
|
|
04-23-2007, 08:08 AM
|
#5 (permalink) |
|
Registered User
Join Date: Apr 2007
Posts: 29
OS: xp
|
My Combofix log
Thanks for the prompt reply Ried. Here's my combofix log. Now, I had to do it in safemode because it kept crashing in regular. I'll copy/paste and attach. If I need to do it in regular mode, I will keep trying. Spyguard is constantly going off though so I think it was cause problems.
"Owner" - 07-04-23 8:51:43 Service Pack 2 [SAFE MODE] ComboFix 07-04-22.6V - Running from: "C:\Documents and Settings\Owner\Desktop\" (((((((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Folders Quarantined: C:\qoobox\purity\C\WINNT\DOBE~1 C:\qoobox\purity\C\WINNT\MCROSO~1.NET C:\qoobox\purity\C\WINNT\YSTEM~1 C:\qoobox\purity\C\WINNT\DOBE~1\dvdplay.exe C:\qoobox\purity\C\WINNT\DOBE~1\?dobe C:\qoobox\purity\C\WINNT\YSTEM~1\n?pdb.exe ((((((((((((((((((((((((((((((( Files Created from 2007-03-23 to 2007-04-23 )))))))))))))))))))))))))))))))))) 2007-04-22 22:50 <DIR> d-------- C:\Deckard 2007-04-22 22:26 21,312 --a------ C:\WINNT\choice.exe 2007-04-22 22:26 <DIR> d-------- C:\ie-spyad 2007-04-22 22:21 <DIR> d-------- C:\Program Files\SpywareGuard 2007-04-22 22:13 <DIR> d-------- C:\Program Files\SpywareBlaster 2007-04-22 20:44 <DIR> d-------- C:\WINNT\system32\ActiveScan 2007-04-22 19:59 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Lavasoft 2007-04-22 19:58 <DIR> d-------- C:\Program Files\Lavasoft 2007-04-22 19:57 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard 2007-04-22 18:50 60,928 --a------ C:\WINNT\system32\aochsz.dll 2007-04-21 10:17 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP 2007-04-20 07:01 2 --a------ C:\WINNT\system32\wnsapiicomsv32.exe (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-04-23 08:48 -------- d-------- C:\Program Files\popup killer 2007-04-22 21:39 -------- d-------- C:\Program Files\winamp 2007-04-22 21:35 -------- d-------- C:\Program Files\quicktime 2007-04-22 21:29 -------- d-------- C:\Program Files\norton antivirus 2007-04-22 21:27 -------- d-------- C:\Program Files\messenger 2007-04-22 21:19 -------- d-------- C:\Program Files\google 2007-04-22 21:18 -------- d-------- C:\Program Files\dell aio printer a920 2007-04-22 19:19 -------- d-------- C:\Program Files\wildtangent 2007-04-22 19:15 -------- d-------- C:\Program Files\viewpoint 2007-04-21 21:18 -------- d--h----- C:\Program Files\installshield installation information 2007-04-19 12:24 -------- d-------- C:\Program Files\gerge 2007-04-14 15:10 -------- d-------- C:\DOCUME~1\Owner\APPLIC~1\u3 2007-03-28 17:32 -------- d-------- C:\Program Files\full tilt poker.net 2007-03-24 20:28 -------- d-------- C:\Program Files\partygaming 2007-03-17 08:43 292864 --a------ C:\WINNT\system32\winsrv.dll 2007-03-15 09:08 101438 --a------ C:\WINNT\b122.exe 2007-03-08 10:36 577536 --a------ C:\WINNT\system32\user32.dll 2007-03-08 10:36 40960 --a------ C:\WINNT\system32\mf3216.dll 2007-03-08 10:36 281600 --a------ C:\WINNT\system32\gdi32.dll 2007-03-08 08:47 1843584 --a------ C:\WINNT\system32\win32k.sys 2007-02-05 15:17 185344 --a------ C:\WINNT\system32\upnphost.dll (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx {1557B435-8242-4686-9AA3-9265BF7525A4} C:\WINNT\system32\uirlrffw.dll [x] {4A368E80-174F-4872-96B5-0B27DDD11DB2} C:\Program Files\SpywareGuard\dlprotect.dll {659CF94F-108F-6425-F24F-1AE33AE4FE9C} C:\WINNT\system32\aochsz.dll {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll {AA58ED58-01DD-4d91-8333-CF10577473F7} c:\program files\google\googletoolbar3.dll {BDF3E430-B101-42AD-A544-FADC6B084872} C:\Program Files\Norton AntiVirus\NavShExt.dll {CC46F77B-FD92-46AC-ADDF-8B4CE70E0EE7} C:\WINNT\system32\vklnwaim.dll [x] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] "Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" "GWMDMMSG"="GWMDMMSG.exe" "IgfxTray"="C:\\WINNT\\System32\\igfxtray.exe" "HotKeysCmds"="C:\\WINNT\\System32\\hkcmd.exe" "Keyboard Preload Check"="C:\\OEMDRVRS\\KEYB\\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:\"Keyboard Preload Check\"" "GWMDMpi"="C:\\WINNT\\GWMDMpi.exe" "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\"" "ccRegVfy"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\"" "Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers" "PopUpKiller"="C:\\Program Files\\PopUp Killer\\PopUpKiller.EXE" "Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe" "WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe" "Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\"" "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\"" "Dell AIO Printer A920"="\"C:\\Program Files\\Dell AIO Printer A920\\dlbkbmgr.exe\"" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] "swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe" "Ltho"="\"C:\\WINNT\\DOBE~1\\dvdplay.exe\" -vt yazb" "Pqdmwmrx"="C:\\WINNT\\?ystem\\n?pdb.exe" HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa Authentication Packages REG_MULTI_SZ msv1_0\0\0 Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0 Notification Packages REG_MULTI_SZ scecli\0\0 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk] "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\InterVideo WinCinema Manager.lnk" "backup"="C:\\WINNT\\pss\\InterVideo WinCinema Manager.lnkCommon Startup" "location"="Common Startup" "command"="C:\\PROGRA~1\\DVD\\Common\\Bin\\WINCIN~1.EXE " "item"="InterVideo WinCinema Manager" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="DirectCD" "hkey"="HKLM" "command"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="aim" "hkey"="HKCU" "command"="C:\\Program Files\\AIM95\\aim.exe -cnetwait.odl" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="Ares" "hkey"="HKCU" "command"="\"C:\\Program Files\\Ares\\Ares.exe\" -h" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Desktop Weather 3] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="The Weather Channel" "hkey"="HKCU" "command"="C:\\PROGRA~1\\THEWEA~1\\The Weather Channel.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iRiver Updater] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="Updater" "hkey"="HKLM" "command"="C:\\Program Files\\iRiver\\iRiver Manager\\Updater\\Updater.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="iTunesHelper" "hkey"="HKLM" "command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="msnmsgr" "hkey"="HKCU" "command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebRebates0] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="WebRebates0" "hkey"="HKLM" "command"="\"C:\\Program Files\\Web_Rebates\\WebRebates0.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="winampa" "hkey"="HKLM" "command"="C:\\Program Files\\Winamp\\winampa.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0 Contents of the 'Scheduled Tasks' folder C:\WINNT\tasks\AppleSoftwareUpdate.job C:\WINNT\tasks\Norton AntiVirus - Scan my computer.job C:\WINNT\tasks\Symantec NetDetect.job ******************************************************************** catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-04-23 08:56:57 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden services ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 ******************************************************************** Completion time: 07-04-23 8:57:19 C:\ComboFix-quarantined-files.txt ... 07-04-23 08:57 |
|
|
|
|
04-23-2007, 09:28 AM
|
#6 (permalink) |
|
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,792
OS: WinXP and Vista
|
Re: My DSS log
ComboFix should have deleted more than what I see it reporting. Disable Spyware Guard and please run ComboFix.exe again. After Combofix, run another scan with HijackThis.
Disable Spywareguard
Post the C:\ComboFix.txt here along with a new HijackThis log |
|
|
|
|
04-23-2007, 11:35 AM
|
#8 (permalink) |
|
Registered User
Join Date: Apr 2007
Posts: 29
OS: xp
|
Re: My DSS log
Here's my new combo scan...
"Owner" - 07-04-23 12:27:34 Service Pack 2 ComboFix 07-04-22.6V - Running from: "C:\Documents and Settings\Owner\Desktop\" (((((((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Folders Quarantined: C:\qoobox\purity\C\WINNT\DOBE~1 C:\qoobox\purity\C\WINNT\MCROSO~1.NET C:\qoobox\purity\C\WINNT\YSTEM~1 C:\qoobox\purity\C\WINNT\DOBE~1\dvdplay.exe C:\qoobox\purity\C\WINNT\DOBE~1\?dobe C:\qoobox\purity\C\WINNT\YSTEM~1\n?pdb.exe ((((((((((((((((((((((((((((((( Files Created from 2007-03-23 to 2007-04-23 )))))))))))))))))))))))))))))))))) 2007-04-23 08:57 49,152 --a------ C:\WINNT\nircmd.exe 2007-04-22 22:50 <DIR> d-------- C:\Deckard 2007-04-22 22:26 21,312 --a------ C:\WINNT\choice.exe 2007-04-22 22:26 <DIR> d-------- C:\ie-spyad 2007-04-22 22:21 <DIR> d-------- C:\Program Files\SpywareGuard 2007-04-22 22:13 <DIR> d-------- C:\Program Files\SpywareBlaster 2007-04-22 20:44 <DIR> d-------- C:\WINNT\system32\ActiveScan 2007-04-22 19:59 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Lavasoft 2007-04-22 19:58 <DIR> d-------- C:\Program Files\Lavasoft 2007-04-22 19:57 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard 2007-04-22 18:50 60,928 --a------ C:\WINNT\system32\aochsz.dll 2007-04-21 10:17 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP 2007-04-20 07:01 2 --a------ C:\WINNT\system32\wnsapiicomsv32.exe (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-04-23 09:39 -------- d-------- C:\Program Files\popup killer 2007-04-22 21:39 -------- d-------- C:\Program Files\winamp 2007-04-22 21:35 -------- d-------- C:\Program Files\quicktime 2007-04-22 21:29 -------- d-------- C:\Program Files\norton antivirus 2007-04-22 21:27 -------- d-------- C:\Program Files\messenger 2007-04-22 21:19 -------- d-------- C:\Program Files\google 2007-04-22 21:18 -------- d-------- C:\Program Files\dell aio printer a920 2007-04-22 19:19 -------- d-------- C:\Program Files\wildtangent 2007-04-22 19:15 -------- d-------- C:\Program Files\viewpoint 2007-04-21 21:18 -------- d--h----- C:\Program Files\installshield installation information 2007-04-19 12:24 -------- d-------- C:\Program Files\gerge 2007-04-14 15:10 -------- d-------- C:\DOCUME~1\Owner\APPLIC~1\u3 2007-03-28 17:32 -------- d-------- C:\Program Files\full tilt poker.net 2007-03-24 20:28 -------- d-------- C:\Program Files\partygaming 2007-03-17 08:43 292864 --a------ C:\WINNT\system32\winsrv.dll 2007-03-15 09:08 101438 --a------ C:\WINNT\b122.exe 2007-03-08 10:36 577536 --a------ C:\WINNT\system32\user32.dll 2007-03-08 10:36 40960 --a------ C:\WINNT\system32\mf3216.dll 2007-03-08 10:36 281600 --a------ C:\WINNT\system32\gdi32.dll 2007-03-08 08:47 1843584 --a------ C:\WINNT\system32\win32k.sys 2007-02-05 15:17 185344 --a------ C:\WINNT\system32\upnphost.dll (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx {1557B435-8242-4686-9AA3-9265BF7525A4} C:\WINNT\system32\uirlrffw.dll [x] {4A368E80-174F-4872-96B5-0B27DDD11DB2} C:\Program Files\SpywareGuard\dlprotect.dll {659CF94F-108F-6425-F24F-1AE33AE4FE9C} C:\WINNT\system32\aochsz.dll {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll {AA58ED58-01DD-4d91-8333-CF10577473F7} c:\program files\google\googletoolbar3.dll {BDF3E430-B101-42AD-A544-FADC6B084872} C:\Program Files\Norton AntiVirus\NavShExt.dll {CC46F77B-FD92-46AC-ADDF-8B4CE70E0EE7} C:\WINNT\system32\vklnwaim.dll [x] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] "Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" "GWMDMMSG"="GWMDMMSG.exe" "IgfxTray"="C:\\WINNT\\System32\\igfxtray.exe" "HotKeysCmds"="C:\\WINNT\\System32\\hkcmd.exe" "Keyboard Preload Check"="C:\\OEMDRVRS\\KEYB\\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:\"Keyboard Preload Check\"" "GWMDMpi"="C:\\WINNT\\GWMDMpi.exe" "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\"" "ccRegVfy"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\"" "Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers" "PopUpKiller"="C:\\Program Files\\PopUp Killer\\PopUpKiller.EXE" "Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe" "WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe" "Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\"" "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\"" "Dell AIO Printer A920"="\"C:\\Program Files\\Dell AIO Printer A920\\dlbkbmgr.exe\"" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] "swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe" "Ltho"="\"C:\\WINNT\\DOBE~1\\dvdplay.exe\" -vt yazb" "Pqdmwmrx"="C:\\WINNT\\?ystem\\n?pdb.exe" HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa Authentication Packages REG_MULTI_SZ msv1_0\0\0 Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0 Notification Packages REG_MULTI_SZ scecli\0\0 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk] "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\InterVideo WinCinema Manager.lnk" "backup"="C:\\WINNT\\pss\\InterVideo WinCinema Manager.lnkCommon Startup" "location"="Common Startup" "command"="C:\\PROGRA~1\\DVD\\Common\\Bin\\WINCIN~1.EXE " "item"="InterVideo WinCinema Manager" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="DirectCD" "hkey"="HKLM" "command"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="aim" "hkey"="HKCU" "command"="C:\\Program Files\\AIM95\\aim.exe -cnetwait.odl" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="Ares" "hkey"="HKCU" "command"="\"C:\\Program Files\\Ares\\Ares.exe\" -h" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Desktop Weather 3] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="The Weather Channel" "hkey"="HKCU" "command"="C:\\PROGRA~1\\THEWEA~1\\The Weather Channel.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iRiver Updater] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="Updater" "hkey"="HKLM" "command"="C:\\Program Files\\iRiver\\iRiver Manager\\Updater\\Updater.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="iTunesHelper" "hkey"="HKLM" "command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="msnmsgr" "hkey"="HKCU" "command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebRebates0] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="WebRebates0" "hkey"="HKLM" "command"="\"C:\\Program Files\\Web_Rebates\\WebRebates0.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="winampa" "hkey"="HKLM" "command"="C:\\Program Files\\Winamp\\winampa.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0 Contents of the 'Scheduled Tasks' folder C:\WINNT\tasks\AppleSoftwareUpdate.job C:\WINNT\tasks\Norton AntiVirus - Scan my computer.job C:\WINNT\tasks\Symantec NetDetect.job ******************************************************************** catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-04-23 12:33:15 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden services ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 ******************************************************************** Completion time: 07-04-23 12:33:38 C:\ComboFix-quarantined-files.txt ... 07-04-23 12:33 |
|
|
|
|
04-23-2007, 11:39 AM
|
#9 (permalink) |
|
Registered User
Join Date: Apr 2007
Posts: 29
OS: xp
|
Re: My DSS log
And my new HijackThis scan....thanks for helping me so efficiently.
Logfile of HijackThis v1.99.1 Scan saved at 12:38:29 PM, on 4/23/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\svchost.exe C:\WINNT\Explorer.EXE C:\WINNT\system32\LEXBCES.EXE C:\WINNT\system32\spoolsv.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINNT\system32\LEXPPS.EXE C:\WINNT\system32\SK9910DM.EXE C:\WINNT\GWMDMMSG.exe C:\WINNT\System32\hkcmd.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\PopUp Killer\PopUpKiller.EXE C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe C:\Program Files\Winamp\winampa.exe C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\wscntfy.exe C:\Program Files\HijackThis\HijackThis.exe C:\Program Files\Messenger\msmsgs.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINNT\system32\uirlrffw.dll (file missing) O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll O2 - BHO: (no name) - {659CF94F-108F-6425-F24F-1AE33AE4FE9C} - C:\WINNT\system32\aochsz.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O2 - BHO: (no name) - {CC46F77B-FD92-46AC-ADDF-8B4CE70E0EE7} - C:\WINNT\system32\vklnwaim.dll (file missing) O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check" O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [Ltho] "C:\WINNT\DOBE~1\dvdplay.exe" -vt yazb O4 - HKCU\..\Run: [Pqdmwmrx] C:\WINNT\?ystem\n?pdb.exe O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe |
|
|
|
|
04-23-2007, 02:51 PM
|
#10 (permalink) |
|
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,792
OS: WinXP and Vista
|
Re: My DSS log
Hi Branden,
Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions. As before, be sure to carry out the instructions in the sequence listed below. *************************************************** All portions of this fix are done from Normal Mode. -------------------------------------------------------------------- Disable Spyware Guard. -------------------------------------------------------------------- Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist: Outerinfo IpWins<--If it's still there Let me know if the uninstall fails -------------------------------------------------------------------- Open HijackThis and click on 'Do a System Scan Only'. 'Check' the following entries: O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINNT\system32\uirlrffw.dll (file missing) O2 - BHO: (no name) - {659CF94F-108F-6425-F24F-1AE33AE4FE9C} - C:\WINNT\system32\aochsz.dll O2 - BHO: (no name) - {CC46F77B-FD92-46AC-ADDF-8B4CE70E0EE7} - C:\WINNT\system32\vklnwaim.dll (file missing) O4 - HKCU\..\Run: [Ltho] "C:\WINNT\DOBE~1\dvdplay.exe" -vt yazb O4 - HKCU\..\Run: [Pqdmwmrx] C:\WINNT\?ystem\n?pdb.exe Click 'Fix Checked' and close HijackThis. -------------------------------------------------------------------- Go to Start>Run then copy/paste the following red text into the Run box then click OK "%userprofile%\desktop\combofix.exe" /v aochsz When finished, it shall produce a log for you. We'll need that log in your next reply Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall -------------------------------------------------------------------- Please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run it's full course: Perform an online scan with Internet Explorer with Panda ActiveScan
* Turn off the real time scanner of any existing antivirus program while performing the online scan -------------------------------------------------------------------- Run a new scan with HijackThis and save the log. -------------------------------------------------------------------- Please include the following in your next reply: C:\ComboFix.txt Panda results New HijackThis log Update on system behavior Last edited by Ried; 04-23-2007 at 02:52 PM. Reason: typo |
|
|
|
|
04-23-2007, 02:57 PM
|
#11 (permalink) |
|
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,792
OS: WinXP and Vista
|
Re: My DSS log
My apologies...I omitted the following portion of my fix. Please carry out this instruction before you run the online scan at Panda:
Using 'My Computer', navigate to and delete the following File C:\WINNT\ b122.exe **If the above resists deletion, boot into Safe Mode and delete it. |
|
|
|
|
04-23-2007, 03:02 PM
|
#12 (permalink) |
|
Registered User
Join Date: Apr 2007
Posts: 29
OS: xp
|
Re: My DSS log
you tell me to uninstall OUterinfo in the control panel...but when I go to do it, it wants to me enter the characters I see in a box before it will continue. I didnt know if it was ok to do this....
is it? |
|
|
|
|
04-23-2007, 04:37 PM
|
#14 (permalink) |
|
Registered User
Join Date: Apr 2007
Posts: 29
OS: xp
|
Re: My DSS log
Alright...did everything you said. I didn't have to go into 'safe mode' to remove that file either. The system does appear to be running smoother, but the Panda scan still revealed like 170 spy ware files and like 7 hacker/root kits. But at least it didn't find any viruses this time, and those numbers are incredibly lower than the first time around. I've attached all 3 logs. Let me know what is next. Thanks.
Branden Potentially unwanted tool:application/regclean32 Not disinfected C:\Documents and Settings\Owner\Desktop\Click to Find and Fix Errors.url Adware:adware/wintools Not disinfected Windows Registry Potentially unwanted tool:application/funweb Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} Spyware:spyware/betterinet Not disinfected Windows Registry Adware:adware/exact.bargainbuddy Not disinfected Windows Registry Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-6b722b07-5236644e.zip[BlackBox.class] Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-6b722b07-5236644e.zip[Dummy.class] Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ponw4dkf.default\cookies.txt[.advertising.com/] Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ponw4dkf.default\cookies.txt[.servedby.advertising.com/] **edited cookies due to limitations in character length** Adware:Adware/PurityScan Not disinfected C:\Program Files\HijackThis\backups\backup-20070423-161915-650.dll Adware:Adware/PurityScan Not disinfected C:\QooBox\purity\C\WINNT\YSTEM~1\n?pdb.exe Adware:Adware/Yazzle Not disinfected C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1281OinUninstaller.exe.vir Adware:Adware/Maxifiles Not disinfected C:\QooBox\Quarantine\C\Program Files\Ipwindows\ipwins.dll.vir Adware:Adware/Maxifiles Not disinfected C:\QooBox\Quarantine\C\Program Files\Ipwindows\ipwins.exe.vir Adware:Adware/Maxifiles Not disinfected C:\QooBox\Quarantine\C\Program Files\Ipwindows\UnInstall.exe.vir Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINNT\system32\cbxyaab.dll.vir Adware:Adware/WinAntivirus2006 Not disinfected C:\QooBox\Quarantine\C\WINNT\system32\gmnsnyov.dll.vir Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINNT\system32\hckbniif.dll.vir Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINNT\system32\lcvijrkg.dll.vir Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINNT\system32\uirlrffw.dll.vir Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINNT\system32\vfntubfv.dll.vir Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINNT\system32\wieyuvyi.dll.vir Adware:Adware/Borlander Not disinfected C:\QooBox\Quarantine\C\WINNT\updater.exe.vir Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINNT\nircmd.exe Adware:Adware/Borlander Not disinfected C:\WINNT\updater.exe.tmp "Owner" - 07-04-23 16:22:53 Service Pack 2 ComboFix 07-04-22.6V - Running from: "C:\Documents and Settings\Owner\Desktop\" Command switches used :: "/v aochsz" (((((((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Folders Quarantined: C:\qoobox\purity\C\WINNT\DOBE~1 C:\qoobox\purity\C\WINNT\MCROSO~1.NET C:\qoobox\purity\C\WINNT\YSTEM~1 C:\qoobox\purity\C\WINNT\DOBE~1\dvdplay.exe C:\qoobox\purity\C\WINNT\DOBE~1\?dobe C:\qoobox\purity\C\WINNT\YSTEM~1\n?pdb.exe ((((((((((((((((((((((((((((((( Files Created from 2007-03-23 to 2007-04-23 )))))))))))))))))))))))))))))))))) 2007-04-23 08:57 49,152 --a------ C:\WINNT\nircmd.exe 2007-04-22 22:50 <DIR> d-------- C:\Deckard 2007-04-22 22:26 21,312 --a------ C:\WINNT\choice.exe 2007-04-22 22:26 <DIR> d-------- C:\ie-spyad 2007-04-22 22:21 <DIR> d-------- C:\Program Files\SpywareGuard 2007-04-22 22:13 <DIR> d-------- C:\Program Files\SpywareBlaster 2007-04-22 20:44 <DIR> d-------- C:\WINNT\system32\ActiveScan 2007-04-22 19:59 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Lavasoft 2007-04-22 19:58 <DIR> d-------- C:\Program Files\Lavasoft 2007-04-22 19:57 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard 2007-04-21 10:17 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP 2007-04-20 07:01 2 --a------ C:\WINNT\system32\wnsapiicomsv32.exe (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-04-23 09:39 -------- d-------- C:\Program Files\popup killer 2007-04-22 21:39 -------- d-------- C:\Program Files\winamp 2007-04-22 21:35 -------- d-------- C:\Program Files\quicktime 2007-04-22 21:29 -------- d-------- C:\Program Files\norton antivirus 2007-04-22 21:27 -------- d-------- C:\Program Files\messenger 2007-04-22 21:19 -------- d-------- C:\Program Files\google 2007-04-22 21:18 -------- d-------- C:\Program Files\dell aio printer a920 2007-04-22 19:19 -------- d-------- C:\Program Files\wildtangent 2007-04-22 19:15 -------- d-------- C:\Program Files\viewpoint 2007-04-21 21:18 -------- d--h----- C:\Program Files\installshield installation information 2007-04-19 12:24 -------- d-------- C:\Program Files\gerge 2007-04-14 15:10 -------- d-------- C:\DOCUME~1\Owner\APPLIC~1\u3 2007-03-28 17:32 -------- d-------- C:\Program Files\full tilt poker.net 2007-03-24 20:28 -------- d-------- C:\Program Files\partygaming 2007-03-17 08:43 292864 --a------ C:\WINNT\system32\winsrv.dll 2007-03-15 09:08 101438 --a------ C:\WINNT\b122.exe 2007-03-08 10:36 577536 --a------ C:\WINNT\system32\user32.dll 2007-03-08 10:36 40960 --a------ C:\WINNT\system32\mf3216.dll 2007-03-08 10:36 281600 --a------ C:\WINNT\system32\gdi32.dll 2007-03-08 08:47 1843584 --a------ C:\WINNT\system32\win32k.sys 2007-02-05 15:17 185344 --a------ C:\WINNT\system32\upnphost.dll (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx {4A368E80-174F-4872-96B5-0B27DDD11DB2} C:\Program Files\SpywareGuard\dlprotect.dll {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll {AA58ED58-01DD-4d91-8333-CF10577473F7} c:\program files\google\googletoolbar3.dll {BDF3E430-B101-42AD-A544-FADC6B084872} C:\Program Files\Norton AntiVirus\NavShExt.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] "Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" "GWMDMMSG"="GWMDMMSG.exe" "IgfxTray"="C:\\WINNT\\System32\\igfxtray.exe" "HotKeysCmds"="C:\\WINNT\\System32\\hkcmd.exe" "Keyboard Preload Check"="C:\\OEMDRVRS\\KEYB\\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:\"Keyboard Preload Check\"" "GWMDMpi"="C:\\WINNT\\GWMDMpi.exe" "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\"" "ccRegVfy"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\"" "Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers" "PopUpKiller"="C:\\Program Files\\PopUp Killer\\PopUpKiller.EXE" "Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe" "WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe" "Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\"" "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\"" "Dell AIO Printer A920"="\"C:\\Program Files\\Dell AIO Printer A920\\dlbkbmgr.exe\"" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] "swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe" HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa Authentication Packages REG_MULTI_SZ msv1_0\0\0 Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0 Notification Packages REG_MULTI_SZ scecli\0\0 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk] "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\InterVideo WinCinema Manager.lnk" "backup"="C:\\WINNT\\pss\\InterVideo WinCinema Manager.lnkCommon Startup" "location"="Common Startup" "command"="C:\\PROGRA~1\\DVD\\Common\\Bin\\WINCIN~1.EXE " "item"="InterVideo WinCinema Manager" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="DirectCD" "hkey"="HKLM" "command"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="aim" "hkey"="HKCU" "command"="C:\\Program Files\\AIM95\\aim.exe -cnetwait.odl" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="Ares" "hkey"="HKCU" "command"="\"C:\\Program Files\\Ares\\Ares.exe\" -h" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Desktop Weather 3] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="The Weather Channel" "hkey"="HKCU" "command"="C:\\PROGRA~1\\THEWEA~1\\The Weather Channel.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iRiver Updater] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="Updater" "hkey"="HKLM" "command"="C:\\Program Files\\iRiver\\iRiver Manager\\Updater\\Updater.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="iTunesHelper" "hkey"="HKLM" "command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="msnmsgr" "hkey"="HKCU" "command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebRebates0] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="WebRebates0" "hkey"="HKLM" "command"="\"C:\\Program Files\\Web_Rebates\\WebRebates0.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="winampa" "hkey"="HKLM" "command"="C:\\Program Files\\Winamp\\winampa.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0 Contents of the 'Scheduled Tasks' folder C:\WINNT\tasks\AppleSoftwareUpdate.job C:\WINNT\tasks\Norton AntiVirus - Scan my computer.job C:\WINNT\tasks\Symantec NetDetect.job ******************************************************************** catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-04-23 16:27:28 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden services ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 ******************************************************************** Completion time: 07-04-23 16:27:40 C:\ComboFix-quarantined-files.txt ... 07-04-23 16:27 C:\ComboFix2.txt ... 07-04-23 12:33 Logfile of HijackThis v1.99.1 Scan saved at 5:32:04 PM, on 4/23/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\svchost.exe C:\WINNT\Explorer.EXE C:\WINNT\system32\LEXBCES.EXE C:\WINNT\system32\spoolsv.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINNT\system32\LEXPPS.EXE C:\WINNT\system32\SK9910DM.EXE C:\WINNT\GWMDMMSG.exe C:\WINNT\System32\hkcmd.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\PopUp Killer\PopUpKiller.EXE C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\wscntfy.exe C:\Program Files\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check" O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe Last edited by Ried; 04-23-2007 at 09:25 PM. |
|
|
|
|
04-23-2007, 09:47 PM
|
#15 (permalink) | |
|
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,792
OS: WinXP and Vista
|
Re: My DSS log
Hello Branden,
We have a bit more to do and check on. Please download Boran Remover from one of the following places and save it to your Desktop:
Delete the following folders: C:\Documents and Settings\Owner\Desktop\ Click to Find and Fix Errors.url C:\Program Files\ Web_Rebates <--If it still exists. -------------------------------------------------------------------- Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now. Open notepad and copy/paste the entire text in the quotebox below: (don't forget to copy and paste REGEDIT4) Quote:
Save the file as "delete.reg". Make sure to save it with the quotes. Choose to "Save type as - All Files" It should look like this:  Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards. -------------------------------------------------------------------- Clear Mozilla Firefox cookies: Open the Mozilla Browser, (you do not need to be online to do this) Click Tools>Options>Privacy>Cookies>Clear ----------------------------------- Clear Internet Explorer Cookies: (you do not need to be connected to the internet to perform this) Launch Internet Explorer>Tools>Internet Options>Delete Cookies ----------------------------------- Run ComboFix.exe and post the C:\ComboFix.txt along with the boran.log Please post this log as well: C:\ComboFix-quarantined-files.txt |
|
|
|
|
|
04-23-2007, 10:14 PM
|
#16 (permalink) |
|
Registered User
Join Date: Apr 2007
Posts: 29
OS: xp
|
Re: My DSS log
Ried, two things. everytime I try to do boran, it says no infection active/found. and the log is said to be invalid file when I try to upload it. I've attached the two other items you had asked for though. should I do boran in safe mode?
thanks, branden "Owner" - 07-04-23 23:01:33 Service Pack 2 ComboFix 07-04-22.6V - Running from: "C:\Documents and Settings\Owner\Desktop\" (((((((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Folders Quarantined: C:\qoobox\purity\C\WINNT\DOBE~1 C:\qoobox\purity\C\WINNT\MCROSO~1.NET C:\qoobox\purity\C\WINNT\YSTEM~1 C:\qoobox\purity\C\WINNT\DOBE~1\dvdplay.exe C:\qoobox\purity\C\WINNT\DOBE~1\?dobe C:\qoobox\purity\C\WINNT\YSTEM~1\n?pdb.exe ((((((((((((((((((((((((((((((( Files Created from 2007-03-23 to 2007-04-23 )))))))))))))))))))))))))))))))))) 2007-04-23 08:57 49,152 --a------ C:\WINNT\nircmd.exe 2007-04-22 22:50 <DIR> d-------- C:\Deckard 2007-04-22 22:26 21,312 --a------ C:\WINNT\choice.exe 2007-04-22 22:26 <DIR> d-------- C:\ie-spyad 2007-04-22 22:21 <DIR> d-------- C:\Program Files\SpywareGuard 2007-04-22 22:13 <DIR> d-------- C:\Program Files\SpywareBlaster 2007-04-22 20:44 <DIR> d-------- C:\WINNT\system32\ActiveScan 2007-04-22 19:59 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Lavasoft 2007-04-22 19:58 <DIR> d-------- C:\Program Files\Lavasoft 2007-04-22 19:57 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard 2007-04-21 10:17 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP 2007-04-20 07:01 2 --a------ C:\WINNT\system32\wnsapiicomsv32.exe (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-04-23 18:52 -------- d-------- C:\Program Files\popup killer 2007-04-23 17:45 -------- d-------- C:\Program Files\gerge 2007-04-23 17:03 -------- d-------- C:\Program Files\norton antivirus 2007-04-23 16:56 -------- d-------- C:\Program Files\google 2007-04-23 16:55 -------- d-------- C:\Program Files\dell aio printer a920 2007-04-22 21:39 -------- d-------- C:\Program Files\winamp 2007-04-22 21:35 -------- d-------- C:\Program Files\quicktime 2007-04-22 21:27 -------- d-------- C:\Program Files\messenger 2007-04-22 19:19 -------- d-------- C:\Program Files\wildtangent 2007-04-22 19:15 -------- d-------- C:\Program Files\viewpoint 2007-04-21 21:18 -------- d--h----- C:\Program Files\installshield installation information 2007-04-14 15:10 -------- d-------- C:\DOCUME~1\Owner\APPLIC~1\u3 2007-03-28 17:32 -------- d-------- C:\Program Files\full tilt poker.net 2007-03-24 20:28 -------- d-------- C:\Program Files\partygaming 2007-03-17 08:43 292864 --a------ C:\WINNT\system32\winsrv.dll 2007-03-08 10:36 577536 --a------ C:\WINNT\system32\user32.dll 2007-03-08 10:36 40960 --a------ C:\WINNT\system32\mf3216.dll 2007-03-08 10:36 281600 --a------ C:\WINNT\system32\gdi32.dll 2007-03-08 08:47 1843584 --a------ C:\WINNT\system32\win32k.sys 2007-02-05 15:17 185344 --a------ C:\WINNT\system32\upnphost.dll (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx {4A368E80-174F-4872-96B5-0B27DDD11DB2} C:\Program Files\SpywareGuard\dlprotect.dll {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll {AA58ED58-01DD-4d91-8333-CF10577473F7} c:\program files\google\googletoolbar3.dll {BDF3E430-B101-42AD-A544-FADC6B084872} C:\Program Files\Norton AntiVirus\NavShExt.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] "Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" "GWMDMMSG"="GWMDMMSG.exe" "IgfxTray"="C:\\WINNT\\System32\\igfxtray.exe" "HotKeysCmds"="C:\\WINNT\\System32\\hkcmd.exe" "Keyboard Preload Check"="C:\\OEMDRVRS\\KEYB\\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:\"Keyboard Preload Check\"" "GWMDMpi"="C:\\WINNT\\GWMDMpi.exe" "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\"" "ccRegVfy"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\"" "Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers" "PopUpKiller"="C:\\Program Files\\PopUp Killer\\PopUpKiller.EXE" "Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe" "WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe" "Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\"" "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\"" "Dell AIO Printer A920"="\"C:\\Program Files\\Dell AIO Printer A920\\dlbkbmgr.exe\"" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] "swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe" HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa Authentication Packages REG_MULTI_SZ msv1_0\0\0 Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0 Notification Packages REG_MULTI_SZ scecli\0\0 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk] "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\InterVideo WinCinema Manager.lnk" "backup"="C:\\WINNT\\pss\\InterVideo WinCinema Manager.lnkCommon Startup" "location"="Common Startup" "command"="C:\\PROGRA~1\\DVD\\Common\\Bin\\WINCIN~1.EXE " "item"="InterVideo WinCinema Manager" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="DirectCD" "hkey"="HKLM" "command"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="aim" "hkey"="HKCU" "command"="C:\\Program Files\\AIM95\\aim.exe -cnetwait.odl" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="Ares" "hkey"="HKCU" "command"="\"C:\\Program Files\\Ares\\Ares.exe\" -h" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Desktop Weather 3] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="The Weather Channel" "hkey"="HKCU" "command"="C:\\PROGRA~1\\THEWEA~1\\The Weather Channel.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iRiver Updater] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="Updater" "hkey"="HKLM" "command"="C:\\Program Files\\iRiver\\iRiver Manager\\Updater\\Updater.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="iTunesHelper" "hkey"="HKLM" "command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="msnmsgr" "hkey"="HKCU" "command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="winampa" "hkey"="HKLM" "command"="C:\\Program Files\\Winamp\\winampa.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0 Contents of the 'Scheduled Tasks' folder C:\WINNT\tasks\AppleSoftwareUpdate.job C:\WINNT\tasks\Norton AntiVirus - Scan my computer.job C:\WINNT\tasks\Symantec NetDetect.job ******************************************************************** catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-04-23 23 50Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden services ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 ******************************************************************** Completion time: 07-04-23 23:07:09 C:\ComboFix-quarantined-files.txt ... 07-04-23 23:07 C:\ComboFix2.txt ... 07-04-23 16:27 C:\ComboFix3.txt ... 07-04-23 12:33 Last edited by Ried; 04-23-2007 at 11:09 PM. |
|
|
|
|
04-23-2007, 11:15 PM
|
#17 (permalink) |
|
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,792
OS: WinXP and Vista
|
Re: My DSS log
Please do not attach the boran.log--copy/paste the log directly into the reply box. It also saves me a lot of time if you copy/paste the requested reports instead of attaching them. (unless otherwise specified)
 I realize these online scans are time consuming, but I'd like you to use a different online scanner in this round. Please perform an online scan with Internet Explorer at Kaspersky Online Scanner Answer Yes, when prompted to install an ActiveX component.
|
|
|
|
|
04-24-2007, 07:29 AM
|
#18 (permalink) |
|
Registered User
Join Date: Apr 2007
Posts: 29
OS: xp
|
Re: My DSS log
This is the boran file it wouldn't let me attach. I will do the new scan later on...I need to get two papers typed up for the end of the semester. I reckon I shouldn't use Word while it scans. THanks.
Boran Remover by Deckard :: 2007-03-10 :: 34 ---------------------------------------------------------------- Run by Owner :: Mon 04/23/2007 @ 23:10:45.14 Infection not active/found. |
|
|
|
|
04-25-2007, 01:08 AM
|
#19 (permalink) |
|
Registered User
Join Date: Apr 2007
Posts: 29
OS: xp
|
Re: My DSS log
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT Wednesday, April 25, 2007 2:07:51 AM Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600) Kaspersky Online Scanner version: 5.0.83.0 Kaspersky Anti-Virus database last update: 25/04/2007 Kaspersky Anti-Virus database records: 301987 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: C:\ D:\ E:\ F:\ Scan Statistics: Total number of scanned objects: 61874 Number of viruses found: 22 Number of infected objects: 52 / 0 Number of suspicious objects: 0 Duration of the scan process: 01:38:14 Infected Object Name / Virus Name / Last Action C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-6b722b07-5236644e.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-6b722b07-5236644e.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.d skipped C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-6b722b07-5236644e.zip ZIP: infected - 2 skipped C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ue2f6fwa.Arto\Cache\0A974710d01 Infected: Backdoor.Win32.SdBot.gen skipped C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped C:\Documents and Settings\Owner\Desktop\Software & Drivers\freeripmp3.exe/data0010 Infected: not-a-virus:AdWare.Win32.MyWay.j skipped C:\Documents and Settings\Owner\Desktop\Software & Drivers\freeripmp3.exe Inno: infected - 1 skipped C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012007042420070425\index.dat Object is locked skipped C:\Documents and Settings\Owner\Local Settings\Temp\Acr2.tmp Object is locked skipped C:\Documents and Settings\Owner\Local Settings\Temp\~DF1CE0.tmp Object is locked skipped C:\Documents and Settings\Owner\Local Settings\Temp\~DF4DE6.tmp Object is locked skipped C:\Documents and Settings\Owner\Local Settings\Temp\~DFDAF7.tmp Object is locked skipped C:\Documents and Settings\Owner\Local Settings\Temp\~DFE75.tmp Object is locked skipped C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped C:\Program Files\HijackThis\backups\backup-20070423-161915-650.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped C:\Program Files\Norton AntiVirus\Quarantine\767942D6 Infected: Exploit.Java.ByteVerify skipped C:\QooBox\purity\C\WINNT\YSTEM~1\nοpdb.exe Infected: not-a-virus:AdWare.Win32.PurityScan.fn skipped C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1281OinAdmin.exe.vir Infected: Trojan-Downloader.Win32.PurityScan.eg skipped C:\QooBox\Quarantine\C\WINNT\system32\a.exe.vir Infected: Trojan-Downloader.Win32.VB.atp skipped C:\QooBox\Quarantine\C\WINNT\system32\cbxyaab.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.il skipped C:\QooBox\Quarantine\C\WINNT\system32\gmnsnyov.dll.vir Infected: Trojan-Spy.Win32.VBStat.h skipped C:\QooBox\Quarantine\C\WINNT\system32\hckbniif.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped C:\QooBox\Quarantine\C\WINNT\system32\lcvijrkg.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped C:\QooBox\Quarantine\C\WINNT\system32\uirlrffw.dll.vir Infected: Trojan.Win32.BHO.g skipped C:\QooBox\Quarantine\C\WINNT\system32\vfntubfv.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped C:\QooBox\Quarantine\C\WINNT\system32\vklnwaim.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.v skipped C:\QooBox\Quarantine\C\WINNT\system32\wieyuvyi.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped C:\QooBox\Quarantine\C\WINNT\updater.exe.vir Infected: Trojan-Downloader.Win32.Agent.bls skipped C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP1014\A0122451.dll Infected: not-a-virus:AdWare.Win32.HotBar.ca skipped C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP1014\A0122454.dll Infected: not-a-virus:AdWare.Win32.HotBar.bz skipped C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP1014\A0122455.dll Infected: not-a-virus:AdWare.Win32.HotBar.ca skipped C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP1038\A0123165.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP1039\A0123192.exe Infected: Trojan-Downloader.Win32.VB.wz skipped C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP1040\A0124225.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP1040\A0124225.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.u skipped C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP1040\A0124225.exe NSIS: infected - 2 skipped C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP1040\A0124241.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP1040\A0124242.exe Infected: not-a-virus:AdWare.Win32.PurityScan.fn skipped C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP1040\A0124294.exe Infected: not-a-virus:AdWare.Win32.WebRebates.c skipped C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP1040\A0124295.exe Infected: not-a-virus:AdWare.Win32.WebRebates.d skipped C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP1040\A0124296.exe Infected: not-a-virus:AdWare.Win32.WebRebates.d skipped C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP1041\A0126487.dll Infected: Trojan-Spy.Win32.BZub.ih skipped C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP1043\A0126563.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP1043\A0126565.exe Infected: Trojan-Downloader.Win32.VB.atp skipped C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP1043\A0126566.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP1043\A0126570.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP1043\A0126571.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP1043\A0126572.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP1043\A0126573.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP1043\A0126574.dll Infected: Trojan-Spy.Win32.VBStat.h skipped C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP1043\A0126575.dll Infected: Trojan.Win32.BHO.g skipped C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP1043\A0126576.dll Infected: not-a-virus:AdWare.Win32.BHO.v skipped C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP1043\A0126582.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.il skipped C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP1043\A0126587.exe Infected: not-a-virus:AdWare.Win32.PurityScan.fn skipped C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP1043\A0126783.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP1043\A0126829.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP1043\A0126829.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.u skipped C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP1043\A0126829.exe NSIS: infected - 2 skipped C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP1043\change.log Object is locked skipped C:\WINNT\Debug\PASSWD.LOG Object is locked skipped C:\WINNT\SchedLgU.Txt Object is locked skipped C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINNT\Sti_Trace.log Object is locked skipped C:\WINNT\system32\CatRoot2\edb.log Object is locked skipped C:\WINNT\system32\CatRoot2\tmp.edb Object is locked skipped C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped C:\WINNT\system32\config\DEFAULT Object is locked skipped C:\WINNT\system32\config\default.LOG Object is locked skipped C:\WINNT\system32\config\SAM Object is locked skipped C:\WINNT\system32\config\SAM.LOG Object is locked skipped C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped C:\WINNT\system32\config\SECURITY Object is locked skipped C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped C:\WINNT\system32\config\SOFTWARE Object is locked skipped C:\WINNT\system32\config\software.LOG Object is locked skipped C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped C:\WINNT\system32\config\SYSTEM Object is locked skipped C:\WINNT\system32\config\system.LOG Object is locked skipped C:\WINNT\system32\config\systemprofile\Cookies\index.dat Object is locked skipped C:\WINNT\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\WINNT\system32\dllcache\cryptnet32.dll Infected: Trojan-Proxy.Win32.Agent.mn skipped C:\WINNT\system32\h323log.txt Object is locked skipped C:\WINNT\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped C:\WINNT\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINNT\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINNT\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINNT\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINNT\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINNT\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINNT\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINNT\updater.exe.tmp Infected: Trojan-Downloader.Win32.Agent.bls skipped C:\WINNT\wiadebug.log Object is locked skipped C:\WINNT\wiaservc.log Object is locked skipped C:\WINNT\WindowsUpdate.log Object is locked skipped Scan process completed. |
|
|
|
|
04-25-2007, 08:35 AM
|
#20 (permalink) |
|
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,792
OS: WinXP and Vista
|
Re: My DSS log
Hello Branden,
Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions. ****************************************************** The following program should take care of some of what Kaspersky is reporting: Download AVG Anti Spyware Use the link at the bottom of the page under "AVG Anti-Spyware Free for Windows" 
-------------------------------------------------------------------- Next, please reboot your computer in Safe Mode by doing the following: 1) Restart your computer 2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8. 3) Instead of Windows loading as normal, a menu should appear 4) Use the up arrow key to highlight Safe Mode and press Enter. 5) Login with your usual account. Make sure to close any open browsers. -------------------------------------------------------------------- IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning proccess: Run AVG Anti-Spyware with it's updated definitions:(...it's important that all windows must be closed)
-------------------------------------------------------------------- Reboot into Normal Mode. -------------------------------------------------------------------- BitDefender should take care of anything that may be left: Go here and do the BitDefender online virus scan.
Please include the following in your next reply: AVG A-S results BitDefender report (don't worry about the format--copy/paste it as .txt file) |
|
|
|
| Thread Tools | |
|
|
located at the bottom of the page.
then click 
