|
|
|
|
|||||
|
|
|
|
|
|
|||
| Welcome
to Tech Support Forum home to more then 136,000 problems solved. Issues
have included: Spyware, Malware, Virus Issues, Windows, Microsoft,
Linux, Networking, Security, Hardware, and Gaming Getting your
problem solved is as easy as: 1. Registering for a free account 2. Asking your question 3. Receiving an answer Registered members: * See fewer ads. * And much more..
|
| Want to know how to post a question? click here | Having problems with spyware and pop-ups? First Steps |
|
|||||||
| Resolved HJT Threads Resolved spyware and popup issues. |
|
|
LinkBack | Thread Tools |
01-02-2008, 08:22 PM
|
#1 (permalink) |
|
Registered User
Join Date: Jan 2008
Posts: 8
OS: XP service pack 2
|
Im Stumped
Hey everyone. Ok here is my problem. First of all let me say that I have been very careful with not getting any malware the past few years I have had this laptop. The other day I was on Myspace and I was looking at a friends profile, I then checked some dumb video they posted on Myspace video and left them a comment. I was still on Myspace when all of a sudden I got a pop-up. This was a red flag to me because I never get pop-ups from anywhere, and I know I did not click any advertisements. Then right after that my Symantec AntiVirus Notification popped up and it displayed a blank window. Also another little window popped saying something along the lines of 'searching for symantec updates' or 'installing updates.' I dont remember exactly, but I hit cancel and it tried again so I hit cancel again. Right after that all of my window icons as well as my start menu button and task bar all disapeared. My wallpaper still showed but i could not right click or anything. This has been the on going problem right along for the past few days. After that i believe i Ctrl+Alt+Del and restarted. When it loads up it once again pops up saying the updating thing again as well as showing me the Symantec AntiVirus Notification. Also I noticed a new program showed up call Internet Speed Monitor which I definitely did not install, so I got that un-installed.
What I have tried so far: First off its extremely tough for me to run programs because when everything shows up i have about 10 secs until it disapears. I notice that if i ctrl+alt+del and go to file > run i can still use that, and if i just run a nonsense command an error message pops but then it will also flash the icons and start menu back up for a few secs. It goes back and forth and if im fast enough i can get into things that way. I had to DL programs on my father and roommates computer, burn them to CD and then load it into my pc. So far I have updated and ran my Symantec AntiVirus which tends to find a lot of infected .tmp files, which i clear off. But they keep showing up again. I ran a program which cleaned out all my temp files and cookies, etc. I also installed, updated, and ran AVG free which found 2 different Trojans and cleaned them. But when I restarted my computer and it loaded up it still does the same thing. I am running Windows XP Home with service pack 2. The following is my HijackThis log. Please help me: Logfile of HijackThis v1.99.1 Scan saved at 9:49:51 PM, on 1/2/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16441) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\PROGRA~1\Grisoft\AVG7\avgemc.exe C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe C:\WINDOWS\system32\msiexec.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\taskmgr.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Hijackthis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) F3 - REG:win.ini: load=C:\WINDOWS\system32\ddcyv.exe O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu11.exe 61A847B5BBF72813338B2B27128065E9C084320161C4661227A755E9C2933154389A O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [QdrModule11] "C:\Program Files\QdrModule\QdrModule11.exe" O4 - HKCU\..\Run: [QdrPack11] "C:\Program Files\QdrPack\QdrPack11.exe" O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe O23 - Service: CAISafe - Unknown owner - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing) O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe Last edited by zerojjc; 01-02-2008 at 08:26 PM. |
|
     |
| Important Information |
|
Join the #1 Tech Support Forum Today - It's Totally Free!
TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free. Join TechSupportforum.com Today - Click Here |
|
01-04-2008, 09:32 PM
|
#2 (permalink) |
|
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,601
OS: 2000 Pro; XP Pro; XP Home
|
Re: Im Stumped
Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.
Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. --------------------------------------------------------------------------------------------- I see you have more than one Anti-Virus program installed, AVG, eTrust EZ Armor and Symantec. While this may seem like greater protection, it can cause problems including slowdowns and system hangs, and they can acutally work counter to each other, thereby providing little actual protection.. Choose one to keep and uninstall the others. Any antivirus program must be removed via add/remove program. For any program that doesn't have an add/remove entry, you will have to do this: re-install the program -> reboot -> uninstall----------------------------------------------------------------------- I need more information before continuing, please. For now, I'd like a more comprehensive set of logs from Deckard's System Scanner. --------------------------------------------------------------------------------------------- You are using an outdated version of HijackThis. Please uninstall from Add/Remove programs, and delete your current version. Next, download HijackThis to your desktop Alternate link Double-click on the file you just downloaded. Click on the "Unzip" button to install. It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis Upon install, HijackThis should open for you. When it does, just close it, please. Next.... --------------------------------------------------------------------------------------------- Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
What DSS will do:
---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you.  Microsoft MVP - Consumer Security 2009
|
|
|
|
|
01-06-2008, 01:42 PM
|
#3 (permalink) |
|
Registered User
Join Date: Jan 2008
Posts: 8
OS: XP service pack 2
|
Re: Im Stumped
Sorry it took me so long but its been a pain with trying to get everything uninstalled and then installing the DSS program. But here it is...
Main: Deckard's System Scanner v20071014.68 Run by joshua castro on 2008-01-06 15:27:09 Computer is in Normal Mode. -------------------------------------------------------------------------------- -- System Restore -------------------------------------------------------------- Successfully created a Deckard's System Scanner Restore Point. -- Last 5 Restore Point(s) -- 49: 2008-01-06 20:27:22 UTC - RP587 - Deckard's System Scanner Restore Point 48: 2008-01-06 16:39:40 UTC - RP586 - System Checkpoint 47: 2008-01-05 15:55:34 UTC - RP585 - Removed Symantec AntiVirus 46: 2008-01-05 08:18:14 UTC - RP584 - System Checkpoint 45: 2008-01-04 07:41:30 UTC - RP583 - System Checkpoint -- First Restore Point -- 1: 2007-12-31 15:17:27 UTC - RP539 - System Checkpoint Backed up registry hives. Performed disk cleanup. -- HijackThis (run as joshua castro.exe) --------------------------------------- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 3:29:29 PM, on 1/6/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16441) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\PROGRA~1\Grisoft\AVG7\avgemc.exe C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Documents and Settings\joshua castro\Local Settings\Temporary Internet Files\Content.IE5\I58PBPHF\dss[1].exe C:\PROGRA~1\TRENDM~1\HIJACK~1\joshua castro.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) F3 - REG:win.ini: load=C:\WINDOWS\system32\ddcyv.exe O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file) O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: (no name) - {8A7FADAC-9093-4916-988C-4D6D3AEDC38A} - C:\WINDOWS\system32\ddcyv.dll O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - C:\WINDOWS\system32\efcyvsq.dll (file missing) O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user') O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000 O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - Winlogon Notify: efcyvsq - efcyvsq.dll (file missing) O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe O23 - Service: CAISafe - Unknown owner - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing) O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe -- End of file - 6234 bytes -- File Associations ----------------------------------------------------------- All associations okay. -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------- R1 SSHDRV85 - c:\windows\system32\drivers\sshdrv85.sys <Not Verified; ; ProtectCD> R1 VETFDDNT (VET Floppy Boot Sector Monitor) - c:\windows\system32\drivers\vetfddnt.sys <Not Verified; Computer Associates International, Inc.; CAI Anti-Virus> R1 VET-FILT (VET File System Filter) - c:\windows\system32\drivers\vet-filt.sys R1 VETMONNT (VET File Monitor) - c:\windows\system32\drivers\vetmonnt.sys <Not Verified; Computer Associates International, Inc.; Computer Associates Antivirus> R1 VET-REC (VET File System Recognizer) - c:\windows\system32\drivers\vet-rec.sys R2 CDRPDACC (Arrowkey Device Access) - c:\program files\321studios\shared\cdrpdacc.sys <Not Verified; Arrowkey; CD Device Access> R2 npkcrypt - c:\nexon\maplestory\npkcrypt.sys <Not Verified; INCA Internet Co., Ltd.; nProtect KeyCrypt Driver> R3 dvd43llh - c:\windows\system32\drivers\dvd43llh.sys <Not Verified; RIF; DVD For Free> R3 moufiltr (Mouse Filter Driver) - c:\windows\system32\drivers\moufiltr.sys <Not Verified; Chic Tech.; Chic Tech.> R3 Pcouffin (Low level access layer for CD devices) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine> R3 Pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell> R3 VETEBOOT (VET Boot Scan Engine) - c:\windows\system32\drivers\veteboot.sys <Not Verified; Computer Associates International, Inc.; CAI Anti-Virus> R3 VETEFILE (VET File Scan Engine) - c:\windows\system32\drivers\vetefile.sys <Not Verified; Computer Associates International, Inc.; CAI Anti-Virus> S3 gAGP440p - c:\docume~1\joshua~1\locals~1\temp\gagp440p.sys (file missing) S3 RimUsb (RIM Handheld) - c:\windows\system32\drivers\rimusb.sys (file missing) S3 SDTHOOK - c:\windows\system32\drivers\sdthook.sys <Not Verified; Panda Software; Panda® Antivirus> S3 usbsermpt (Motorola USB Modem Driver for MPT) - c:\windows\system32\drivers\usbsermpt.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) 2000 Operating System> S3 XTrapD12 - c:\windows\system32\xtrapd12.sys (file missing) -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled -------------------- R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager> S3 AresChatServer (Ares Chatroom server) - c:\program files\ares\chatserver.exe <Not Verified; Ares Development Group; Ares Chat Server> S3 iPodService - c:\program files\ipod\bin\ipodservice.exe (file missing) -- Device Manager: Disabled ---------------------------------------------------- No disabled devices found. -- Files created between 2007-12-06 and 2008-01-06 ----------------------------- 2008-01-06 15:22:56 0 d-------- C:\Program Files\Trend Micro 2008-01-06 15:20:15 3584 --a------ C:\WINDOWS\system32\ddcyv.exe 2008-01-03 23:12:21 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus> 2008-01-01 19:43:28 0 d-------- C:\Documents and Settings\NetworkService\Application Data\AVG7 2008-01-01 19:36:21 0 dr-h----- C:\$VAULT$.AVG 2008-01-01 17:09:13 0 d-------- C:\Documents and Settings\joshua castro\Application Data\AVG7 2008-01-01 17:08:44 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7 2008-01-01 17:08:06 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7 2008-01-01 15:57:55 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard 2008-01-01 15:25:36 0 d-------- C:\Documents and Settings\joshua castro\Application Data\Grisoft 2008-01-01 15:24:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft 2008-01-01 12:52:37 0 dr-h----- C:\Documents and Settings\Administrator\SendTo 2008-01-01 12:52:37 0 dr-h----- C:\Documents and Settings\Administrator\Recent 2008-01-01 12:52:37 0 d--h----- C:\Documents and Settings\Administrator\PrintHood 2008-01-01 12:52:37 0 d--h----- C:\Documents and Settings\Administrator\NetHood 2008-01-01 12:52:37 0 dr------- C:\Documents and Settings\Administrator\My Documents 2008-01-01 12:52:37 0 d--h----- C:\Documents and Settings\Administrator\Local Settings 2008-01-01 12:52:37 0 dr------- C:\Documents and Settings\Administrator\Favorites 2008-01-01 12:52:37 0 d-------- C:\Documents and Settings\Administrator\Desktop 2008-01-01 12:52:37 0 d--hs---- C:\Documents and Settings\Administrator\Cookies 2008-01-01 12:52:37 0 dr-h----- C:\Documents and Settings\Administrator\Application Data 2008-01-01 12:52:37 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec 2008-01-01 12:52:37 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun 2008-01-01 12:52:37 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sonic 2008-01-01 12:52:37 0 d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder 2008-01-01 12:52:37 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft 2008-01-01 12:52:37 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities 2008-01-01 12:52:36 0 d--h----- C:\Documents and Settings\Administrator\Templates 2008-01-01 12:52:36 0 dr------- C:\Documents and Settings\Administrator\Start Menu 2008-01-01 12:52:36 622592 --a------ C:\Documents and Settings\Administrator\NTUSER.DAT 2007-12-30 11:24:39 6234112 --a------ C:\Documents and Settings\joshua castro\ntuser.dat 2007-12-30 11:22:48 3372 --ahs---- C:\WINDOWS\system32\vycdd.ini2 2007-12-30 11:22:43 335872 -----n--- C:\WINDOWS\system32\ddcyv.dll 2007-12-30 11:17:29 0 d-------- C:\Program Files\QdrDrive 2007-12-30 11:17:18 40183 ---hs---- C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe -- Find3M Report --------------------------------------------------------------- 2008-01-05 11:00:51 0 d-------- C:\Program Files\Common Files\Symantec Shared 2008-01-05 11:00:40 0 d-------- C:\Program Files\Symantec 2008-01-04 00:24:46 0 d-------- C:\Program Files\Microsoft AntiSpyware 2008-01-01 19:36:22 0 d-------- C:\Program Files\Common Files 2008-01-01 12:53:06 0 d-------- C:\Program Files\Messenger 2007-12-31 10:17:08 0 d-------- C:\Program Files\QuickTime 2007-12-31 10:17:03 0 d-------- C:\Program Files\dvd43 2007-12-13 20:56:14 0 d-------- C:\Program Files\World of Warcraft 2007-12-10 23:11:17 0 d-------- C:\Program Files\Common Files\AOL 2007-12-10 23:11:17 0 d-------- C:\Program Files\AIM 2007-11-27 21:20:12 0 d-------- C:\Program Files\AIM6 -- Registry Dump --------------------------------------------------------------- *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8A7FADAC-9093-4916-988C-4D6D3AEDC38A}] 12/30/2007 11:22 AM 335872 --------- C:\WINDOWS\system32\ddcyv.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA4F0D8D-5F2B-4F16-838A-8D52249EAB21}] C:\WINDOWS\system32\efcyvsq.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ATIModeChange"="Ati2mdxx.exe" [04/02/2004 02:16 AM C:\WINDOWS\system32\Ati2mdxx.exe] "dvd43"="C:\Program Files\dvd43\dvd43_tray.exe" [] "KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" [] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [] "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [] "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [] "Aim6"="" [] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "DisableRegistryTools"=0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "LinkResolveIgnoreLinkInfo"=0 (0x0) "NoResolveSearch"=1 (0x1) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "{CA4F0D8D-5F2B-4F16-838A-8D52249EAB21}"= C:\WINDOWS\system32\efcyvsq.dll [ ] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcyvsq] efcyvsq.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] "Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddcyv [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}] @="Volume shadow copy" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk backup=C:\WINDOWS\pss\ymetray.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG] AGRSMMSG.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint] C:\Program Files\Apoint2K\Apoint.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor] C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FLMOFFICE4DMOUSE] C:\Program Files\Wireless Laser Mouse\MOffice.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck] %systemroot%\system32\dumprep 0 -k [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXBRKsk] C:\PROGRA~1\LEXMAR~2\LXBRKsk.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaGateway] C:\Program Files\MediaGateway\MediaGateway.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RAM Idle Professional] C:\Program Files\RAM Idle LE\RAM_XP.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecordNow!] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck] %systemroot%\system32\dumprep 0 -u -- End of Deckard's System Scanner: finished at 2008-01-06 15:31:32 ------------ |
|
|
|
|
01-06-2008, 02:29 PM
|
#4 (permalink) |
|
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,601
OS: 2000 Pro; XP Pro; XP Home
|
Re: Im Stumped
Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.
It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. It doesn't appear as though eTrust EZ Antivirus uninstalled. Is your intention to keep AVG as your AntiVirus solution? You have a nasty variant of the Vundo trojan, which infects legit exe files in your startups. You may end up reinstalling several applications if they're still required. ---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
Last edited by tetonbob; 01-06-2008 at 02:31 PM. |
|
|
|
|
01-06-2008, 06:48 PM
|
#5 (permalink) |
|
Registered User
Join Date: Jan 2008
Posts: 8
OS: XP service pack 2
|
Re: Im Stumped
When my computer loaded up after it had restarted it seems to be fixed now. There are no weird install pop-ups and my icons and start menu and task bar havent been disapearing
 Well here are the two logs:ComboFix: ComboFix 08-01-07.1 - joshua castro 2008-01-06 20:13:03.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.407 [GMT -5:00] Running from: C:\Documents and Settings\joshua castro\Desktop\ComboFix.exe * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe C:\Program Files\QdrDrive C:\WINDOWS\system32\ddcyv.dll C:\WINDOWS\system32\ddcyv.exe C:\WINDOWS\system32\vycdd.ini C:\WINDOWS\system32\vycdd.ini2 . ((((((((((((((((((((((((( Files Created from 2007-12-07 to 2008-01-07 ))))))))))))))))))))))))))))))) . 2008-01-06 20:06 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe 2008-01-06 15:26 . 2008-01-06 15:26 <DIR> d-------- C:\Deckard 2008-01-06 15:22 . 2008-01-06 15:22 <DIR> d-------- C:\Program Files\Trend Micro 2008-01-03 23:12 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS 2008-01-03 22:48 . 2008-01-03 22:48 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico 2008-01-03 22:48 . 2008-01-03 22:48 1,406 --a------ C:\WINDOWS\system32\Help.ico 2008-01-01 19:43 . 2008-01-01 19:43 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\AVG7 2008-01-01 17:09 . 2008-01-06 20:04 <DIR> d-------- C:\Documents and Settings\joshua castro\Application Data\AVG7 2008-01-01 17:08 . 2008-01-01 17:08 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7 2008-01-01 17:08 . 2008-01-06 20:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7 2008-01-01 15:57 . 2008-01-01 15:57 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard 2008-01-01 15:25 . 2008-01-01 15:25 <DIR> d-------- C:\Documents and Settings\joshua castro\Application Data\Grisoft 2008-01-01 15:24 . 2008-01-06 20:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft 2008-01-01 12:52 . 2004-05-06 14:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec 2008-01-01 12:52 . 2004-05-06 14:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic 2008-01-01 12:52 . 2004-05-06 14:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-01-05 16:00 --------- d-----w C:\Program Files\Symantec 2008-01-05 16:00 --------- d-----w C:\Program Files\Common Files\Symantec Shared 2008-01-05 15:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2008-01-04 05:24 --------- d-----w C:\Program Files\Microsoft AntiSpyware 2007-12-31 15:17 --------- d-----w C:\Program Files\QuickTime 2007-12-31 15:17 --------- d-----w C:\Program Files\dvd43 2007-12-14 01:56 --------- d-----w C:\Program Files\World of Warcraft 2007-12-11 04:11 --------- d-----w C:\Program Files\Common Files\AOL 2007-12-11 04:11 --------- d-----w C:\Program Files\AIM 2007-11-28 02:20 --------- d-----w C:\Program Files\AIM6 2007-11-28 02:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads 2007-05-03 02:47 68,832 -c--a-w C:\Documents and Settings\joshua castro\Application Data\GDIPFONTCACHEV1.DAT 2006-08-26 22:26 24,192 ----a-w C:\Documents and Settings\joshua castro\usbsermptxp.sys 2006-08-26 22:26 22,768 ----a-w C:\Documents and Settings\joshua castro\usbsermpt.sys 2003-06-13 15:34 50,176 -c--a-w C:\Documents and Settings\joshua castro\onuninst.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [ ] "Aim6"="" [] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ATIModeChange"="Ati2mdxx.exe" [2004-04-02 02:16 28672 C:\WINDOWS\system32\Ati2mdxx.exe] "dvd43"="C:\Program Files\dvd43\dvd43_tray.exe" [ ] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ] "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [ ] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [ ] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "NoResolveSearch"= 1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcyvsq] efcyvsq.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk backup=C:\WINDOWS\pss\ymetray.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG] --a--c--- 2003-10-30 08:40 88363 C:\WINDOWS\AGRSMMSG.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint] --a--c--- 2003-10-07 22:40 159744 C:\Program Files\Apoint2K\Apoint.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA] --a------ 2004-03-25 23:00 335872 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaAvTray] --a--c--- 2005-09-23 13:35 226416 C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor] --a------ 2002-10-07 02:23 90112 C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAVRID] --a--c--- 2005-09-23 13:35 189552 C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eabconfg.cpl] --a--c--- 2004-01-13 11:21 245760 C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FLMOFFICE4DMOUSE] --a--c--- 2006-06-10 22:22 958464 C:\Program Files\Wireless Laser Mouse\MOffice.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ] --a--c--- 2005-11-15 12:12 473928 C:\Program Files\Microsoft AntiSpyware\gcasServ.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager] --a--c--- 2005-01-12 13:54 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update] --a--c--- 2005-02-16 22:11 49152 C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 3100 Series] C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXBRKsk] C:\PROGRA~1\LEXMAR~2\LXBRKsk.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaGateway] C:\Program Files\MediaGateway\MediaGateway.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent] --a--c--- 2003-06-18 14:00 200704 c:\Program Files\Microsoft Money\System\mnyexpr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] C:\Program Files\QuickTime\qttask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RAM Idle Professional] C:\Program Files\RAM Idle LE\RAM_XP.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecordNow!] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon] --a------ 2002-04-17 12:42 69632 C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] --a--c--- 2005-06-03 02:52 36975 C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck] C:\WINDOWS\system32\dumprep 0 -u R1 SSHDRV85;SSHDRV85;C:\WINDOWS\system32\drivers\SSHDRV85.sys [2006-01-06 16:36] R3 moufiltr;Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\moufiltr.sys [2006-06-11 20:23] S3 gAGP440p;gAGP440p;C:\DOCUME~1\JOSHUA~1\LOCALS~1\Temp\gAGP440p.sys [] S3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2004-08-06 08:50] . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-01-06 20:28:51 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2008-01-06 20:31:13 - machine was rebooted ComboFix-quarantined-files.txt 2008-01-07 01:30:58 HiJackThis: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:37:18 PM, on 1/6/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16441) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000 O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - Winlogon Notify: efcyvsq - efcyvsq.dll (file missing) O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: CAISafe - Unknown owner - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing) O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe -- End of file - 4663 bytes |
|
|
|
|
01-06-2008, 07:00 PM
|
#6 (permalink) | ||
|
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,601
OS: 2000 Pro; XP Pro; XP Home
|
Re: Im Stumped
I see you've uninstalled AVG, and are now down to one AV. Good.
Have a look here: Quote:
ctfmon is a Windows file and should have been replaced by Windows File protection. I'd like to see if there are any copies onboard. Open notepad and copy/paste the text in the quotebox below into it: Quote:
It should look like this:  Double click on peek.bat & allow it to run. This may take a little while, so please be patient. A notepad file will open. Copy that information into your next reply, please. Also please do this: Download RenV.exe to your desktop. Double click to run it. It shall produce a log. Post that log in your next reply.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
Last edited by tetonbob; 01-06-2008 at 07:04 PM. |
||
|
|
|
|
01-06-2008, 07:33 PM
|
#7 (permalink) |
|
Registered User
Join Date: Jan 2008
Posts: 8
OS: XP service pack 2
|
Re: Im Stumped
ok here is the first one that i ran:
-c----w 13,312 2003-03-31 02:00:00 C:\WINDOWS\$NtServicePackUninstall$\ctfmon.exe -c----w 15,360 2004-08-04 07:56:48 C:\WINDOWS\ServicePackFiles\i386\ctfmon.exe ----a-w 15,360 2004-08-04 07:56:48 C:\WINDOWS\system32\dllcache\ctfmon.exe Entries: 3 (3) Directories: 0 Files: 3 Bytes: 44,032 Blocks: 86 and here is the log from the RenV.exe: Code:
Ran on Sun 01/06/2008 - 21:28:03.20 Entries: 0 (0) Directories: 0 Files: 0 Bytes: 0 Blocks: 0 |
|
|
|
|
01-06-2008, 07:38 PM
|
#8 (permalink) |
|
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,601
OS: 2000 Pro; XP Pro; XP Home
|
Re: Im Stumped
Interesting that Windows File Protection has not replaced ctfmon.exe
A copy of this file should be in System32 Using Windows Explorer, navigate to this file C:\WINDOWS\system32\dllcache\ctfmon.exe Right click on the file, and select Copy. navigate to this location: C:\WINDOWS\system32 Right click on an empty space in that folder, and select paste. Run the batch file, peek.bat once again.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
|
|
|
|
|
01-06-2008, 08:03 PM
|
#9 (permalink) |
|
Registered User
Join Date: Jan 2008
Posts: 8
OS: XP service pack 2
|
Re: Im Stumped
When I go to C:\WINDOWS\system32 there is not a folder named dllcache. The folders close to where it should be are called dhcp, DirectX, and then drivers. There are two files in the system32 folder which start with dll they are dllhost.exe and dllhst3g.exe. I don't see the folder though.
|
|
|
|
|
01-06-2008, 08:08 PM
|
#10 (permalink) |
|
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,601
OS: 2000 Pro; XP Pro; XP Home
|
Re: Im Stumped
Hidden files/folders should be viewable already.
Have a look at these settings Go to My Computer->Tools->Folder Options->View tab: * Under the Hidden files and folders heading, select Show hidden files and folders. * Uncheck the Hide protected operating system files (recommended) option. * Also make sure there is no checkmark beside Hide file extensions for known file types * Click Yes to confirm and then click OK.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
|
|
|
|
|
01-06-2008, 08:25 PM
|
#11 (permalink) |
|
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,601
OS: 2000 Pro; XP Pro; XP Home
|
Re: Im Stumped
Also, if you open System32, and go to View > Arrange Icons By > Type you should have something which looks like this:
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
|
|
|
|
|
01-06-2008, 08:27 PM
|
#12 (permalink) |
|
Registered User
Join Date: Jan 2008
Posts: 8
OS: XP service pack 2
|
Re: Im Stumped
That worked. The show hidden files and hide file extensions were checked, but i unchecked the "Hide protected operating system files (recommended)" option and that allowed me to see the dllcache folder. Here is the new log:
-c----w 13,312 2003-03-31 02:00:00 C:\WINDOWS\$NtServicePackUninstall$\ctfmon.exe -c----w 15,360 2004-08-04 07:56:48 C:\WINDOWS\ServicePackFiles\i386\ctfmon.exe ----a-w 15,360 2004-08-04 07:56:48 C:\WINDOWS\system32\ctfmon.exe ----a-w 15,360 2004-08-04 07:56:48 C:\WINDOWS\system32\dllcache\ctfmon.exe Entries: 4 (4) Directories: 0 Files: 4 Bytes: 59,392 Blocks: 116 |
|
|
|
|
01-06-2008, 08:32 PM
|
#13 (permalink) |
|
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,601
OS: 2000 Pro; XP Pro; XP Home
|
Re: Im Stumped
OK, good job.
We have some more work to do. Regarding the items I referred to in Post #6, you'll have to reinstall those applications. Don't do so until after these next steps, though. Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked O20 - Winlogon Notify: efcyvsq - efcyvsq.dll (file missing) Close HijackThis now. --------------------------------------------------------------------------------------------- Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update. Updating Java:
--------------------------------------------------------------------------------------------- Please run this online scan to help look for remnants. First, Go to Start>Control Panel>Add/Remove Programs and remove Kaspersky online scanner if present prior to downloading the most up-to-date one. Next, establish an internet connection & perform an online scan using Internet Explorer at Kaspersky Online Scanner http://www.kaspersky.com/kos/eng/par...avwebscan.html Answer Yes, when prompted to install an ActiveX component.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%. --------------------------------------------------------------------------------------------- Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here. ---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
|
|
|
|
|
01-06-2008, 11:21 PM
|
#14 (permalink) |
|
Registered User
Join Date: Jan 2008
Posts: 8
OS: XP service pack 2
|
Re: Im Stumped
The Kaspersky scan did find some viruses. I am not sure if this helps but when I uninstalled my anti-viruses they asked if I wanted to delete any quarentine files and I did not.
Here is its scan log: ------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER REPORT Monday, January 07, 2008 1:13:53 AM Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600) Kaspersky Online Scanner version: 5.0.98.0 Kaspersky Anti-Virus database last update: 7/01/2008 Kaspersky Anti-Virus database records: 503324 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: C:\ D:\ Scan Statistics: Total number of scanned objects: 124036 Number of viruses found: 3 Number of infected objects: 7 Number of suspicious objects: 0 Duration of the scan process: 02:04:48 Infected Object Name / Virus Name / Last Action C:\Documents and Settings\All Users\Application Data\muvee Technologies\030410\0102\0102\values Object is locked skipped C:\Documents and Settings\joshua castro\Cookies\index.dat Object is locked skipped C:\Documents and Settings\joshua castro\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\joshua castro\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\joshua castro\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\joshua castro\Local Settings\Temp\~DFD366.tmp Object is locked skipped C:\Documents and Settings\joshua castro\Local Settings\Temp\~DFD374.tmp Object is locked skipped C:\Documents and Settings\joshua castro\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped C:\Documents and Settings\joshua castro\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\joshua castro\ntuser.dat Object is locked skipped C:\Documents and Settings\joshua castro\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\Program Files\DVDCopyONE\xpconf.dat Infected: not-a-virus:PSWTool.Win32.RAS.a skipped C:\QooBox\Quarantine\C\WINDOWS\system32\ddcyv.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped C:\System Volume Information\_restore{970BF179-4538-46F7-A171-F13CFC09440B}\RP581\A0108486.exe Infected: not-a-virus:AdWare.Win32.Agent.vv skipped C:\System Volume Information\_restore{970BF179-4538-46F7-A171-F13CFC09440B}\RP585\A0108959.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped C:\System Volume Information\_restore{970BF179-4538-46F7-A171-F13CFC09440B}\RP589\A0109052.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped C:\System Volume Information\_restore{970BF179-4538-46F7-A171-F13CFC09440B}\RP590\A0109055.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped C:\System Volume Information\_restore{970BF179-4538-46F7-A171-F13CFC09440B}\RP591\A0109058.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped C:\System Volume Information\_restore{970BF179-4538-46F7-A171-F13CFC09440B}\RP598\change.log Object is locked skipped C:\WINDOWS\$NtUninstallKB824141$\user32.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB824141$\win32k.sys Object is locked skipped C:\WINDOWS\$NtUninstallKB826939$\accwiz.exe Object is locked skipped C:\WINDOWS\$NtUninstallKB826939$\crypt32.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB826939$\cryptsvc.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB826939$\hh.exe Object is locked skipped C:\WINDOWS\$NtUninstallKB826939$\hhctrl.ocx Object is locked skipped C:\WINDOWS\$NtUninstallKB826939$\hhsetup.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB826939$\html32.cnv Object is locked skipped C:\WINDOWS\$NtUninstallKB826939$\itss.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB826939$\locator.exe Object is locked skipped C:\WINDOWS\$NtUninstallKB826939$\magnify.exe Object is locked skipped C:\WINDOWS\$NtUninstallKB826939$\migwiz.exe Object is locked skipped C:\WINDOWS\$NtUninstallKB826939$\mrxsmb.sys Object is locked skipped C:\WINDOWS\$NtUninstallKB826939$\msconv97.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB826939$\narrator.exe Object is locked skipped C:\WINDOWS\$NtUninstallKB826939$\newdev.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB826939$\ntdll.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB826939$\ntkrnlpa.exe Object is locked skipped C:\WINDOWS\$NtUninstallKB826939$\ntoskrnl.exe Object is locked skipped C:\WINDOWS\$NtUninstallKB826939$\ole32.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB826939$\osk.exe Object is locked skipped C:\WINDOWS\$NtUninstallKB826939$\pchshell.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB826939$\raspptp.sys Object is locked skipped C:\WINDOWS\$NtUninstallKB826939$\rpcrt4.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB826939$\rpcss.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB826939$\shell32.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB826939$\shmedia.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB826939$\srrstr.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB826939$\srv.sys Object is locked skipped C:\WINDOWS\$NtUninstallKB826939$\winsrv.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB826939$\zipfldr.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB826942$\dhcpcsvc.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB826942$\ndis.sys Object is locked skipped C:\WINDOWS\$NtUninstallKB826942$\ndisuio.sys Object is locked skipped C:\WINDOWS\$NtUninstallKB826942$\netshell.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB826942$\nwlnkipx.sys Object is locked skipped C:\WINDOWS\$NtUninstallKB826942$\wzcdlg.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB826942$\wzcsapi.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB826942$\wzcsvc.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828028$\msasn1.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\Sti_Trace.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\default Object is locked skipped C:\WINDOWS\system32\config\default.LOG Object is locked skipped C:\WINDOWS\system32\config\Internet.evt Object is locked skipped C:\WINDOWS\system32\config\SAM Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\software Object is locked skipped C:\WINDOWS\system32\config\software.LOG Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\system Object is locked skipped C:\WINDOWS\system32\config\system.LOG Object is locked skipped C:\WINDOWS\system32\h323log.txt Object is locked skipped C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\wiadebug.log Object is locked skipped C:\WINDOWS\wiaservc.log Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped Scan process completed. And here is another HiJackThis log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 1:15:08 AM, on 1/7/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16441) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: CAISafe - Unknown owner - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing) O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe -- End of file - 5292 bytes Last edited by zerojjc; 01-06-2008 at 11:23 PM. |
|
|
|
|
01-07-2008, 12:13 AM
|
#15 (permalink) |
|
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,601
OS: 2000 Pro; XP Pro; XP Home
|
Re: Im Stumped
Items are in System Restore, and ComboFix quarantine. Those will be deleted when we uninstall ComboFix using the method outlined below.
This item is often found at serial sites, and has been flagged as a password tool C:\Program Files\DVDCopyONE\xpconf.dat --> PSWTool.Win32.RAS.a You should delete it, unless you're certain of it's authenticity. You'll need to reinstall those applications I indicated earlier, but other than that, you should be in good shape. Your logs appear clean.You should be good to go. We still have a few items to address. Go to  -> Run -> copy/paste in the following single line command & click OKcombofix /u  This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points. Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and use the following free programs:
Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer Here are some additional utilities that will further enhance your safety.
In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it. Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
|
|
|
|
|
01-07-2008, 10:02 AM
|
#16 (permalink) |
|
Registered User
Join Date: Jan 2008
Posts: 8
OS: XP service pack 2
|
Re: Im Stumped
Wow great! I uninstalled ComboFix as you said, and I deleted the file xpconf.dat which contained that password tool just to be safe. And I am now going to go ahead and run some of these programs you have recommended. I was actually going to ask you what you recommended but you wrote them already. Thank you very much you are an awesome person. I was going crazy trying to clean my pc for days until I stumbled upon this forum. I very much appreciate your time and effort you spent on helping me.
your the best!
|
|
|
|
|
01-07-2008, 11:33 AM
|
#17 (permalink) |
|
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,601
OS: 2000 Pro; XP Pro; XP Home
|
Re: Im Stumped
You're quite welcome, and thanks for the kind words.
Surf Safely! 
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
|
|
|
|
| Thread Tools | |
|
|
