Yikes! says I'm infected

easyas · 08-07-2008, 08:10 AM

May I begin by applauding the fantastic efforts of all the people associated with this site.
I've been somewhat concerned with the performance of my putey for a while now. As a shared machine I don't really have any control over how it is used and I can't control what is downloaded (can't seem to control what I download either). What I have noticed is;
-slow start up
-no start up
-can't log off/ shut down
- dial up connection box appearing for no reason
-some software issues (quicktime in firefox, pdf loads) struggle
-internet drop outs
-have to repair connection often (5 times or more)
- can't get my hotmail?
-cannot delete files in temp internet folder

As they say in Oz; whatchathink?
here goes;

Deckard's System Scanner v20071014.68
Run by susan on 2008-08-07 10:50:16
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-08-07 10:50:38
Platform: Windows XP Service Pack 3 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ASWLSVC.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Blue Coat K9\k9filter.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\Program Files\ASUS\NB Probe\NBProbe.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
C:\Program Files\ASUS\Asus ChkMail\ChkMail.exe
C:\Program Files\HDBackup\HDBackup\HDBackup.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Documents and Settings\susan\Desktop\dss.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://evgausperfm1.envirogold.com/...e%2flogin.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ASUS Live Update] C:\Program Files\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [NB Probe] C:\Program Files\ASUS\NB Probe\NBProbe.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [updateMgr] c:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ASUS ChkMail.lnk = ?
O4 - Global Startup: HDBackup.lnk = C:\Program Files\HDBackup\HDBackup\HDBackup.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://office.microsoft.com (HKCU)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O23 - Service: ASWLSVC - Unknown owner - C:\WINDOWS\system32\ASWLSVC.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
O23 - Service: Blue Coat K9 Web Protection (WebFilter) - Unknown owner - C:\Program Files\Blue Coat K9\k9filter.exe

--
End of file - 8982 bytes

-- Files created between 2008-07-07 and 2008-08-07 -----------------------------

2008-08-07 08:00:21 0 d-------- C:\WINDOWS\LastGood
2008-08-05 11:37:16 0 d-------- C:\Documents and Settings\susan\Application Data\Get Mail
2008-08-05 11:37:04 0 d-------- C:\Program Files\PaulB
2008-08-04 10:14:41 0 d-------- C:\Documents and Settings\Office\Application Data\Google
2008-07-30 13:59:00 49152 --a------ C:\WINDOWS\system32\ssusbpn.dll <Not Verified; Samsung Electronics; Samsung MFP>
2008-07-30 13:59:00 57344 --a------ C:\WINDOWS\system32\ssdevm.dll <Not Verified; Samsung Electronics; Samsung MFP>
2008-07-30 13:59:00 41984 -ra------ C:\WINDOWS\system32\drivers\DgivEcp.sys <Not Verified; Samsung Electronics Co., Ltd.; Samsung Electronics Co., Ltd. VECP for Windows 2000, XP>
2008-07-24 12:48:58 0 d-------- C:\Documents and Settings\susan\Application Data\LimeWire
2008-07-24 12:48:24 0 d-------- C:\Program Files\LimeWire
2008-07-14 09:40:22 0 d-------- C:\Documents and Settings\Office\Application Data\U3
2008-07-10 12:27:14 0 d-------- C:\ie-spyad_zo
2008-07-10 12:20:45 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-10 12:20:35 0 d-------- C:\Program Files\SpywareBlaster
2008-07-10 07:49:28 0 d-------- C:\Program Files\Panda Security

-- Find3M Report ---------------------------------------------------------------

2008-08-07 10:13:48 0 d-------- C:\Documents and Settings\susan\Application Data\Skype
2008-08-07 08:08:28 0 d-------- C:\Documents and Settings\susan\Application Data\skypePM
2008-08-04 17:02:07 0 d-------- C:\Documents and Settings\susan\Application Data\U3
2008-08-01 00:47:07 0 d-------- C:\Program Files\Blue Coat K9
2008-07-30 18:50:36 0 d-------- C:\Program Files\PartyGaming
2008-07-30 15:18:05 0 d-------- C:\Program Files\Common Files
2008-07-30 13:58:53 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-15 22:47:53 1481 --a------ C:\WINDOWS\mozver.dat
2008-07-11 08:07:29 0 d-------- C:\Program Files\DAEMON Tools
2008-07-10 16:15:18 0 d-------- C:\Program Files\Google
2008-07-10 15:32:11 0 d-------- C:\Program Files\Common Files\Logitech
2008-06-28 22:43:48 0 d-------- C:\Program Files\QuickTime
2008-06-28 14:07:26 0 d-------- C:\Program Files\MYOB
2008-06-25 08:53:08 0 d-------- C:\Program Files\Napster
2008-06-24 13:01:20 0 d-------- C:\Program Files\Audacity
2008-06-22 23:01:15 0 d-------- C:\Documents and Settings\susan\Application Data\Yahoo!
2008-06-21 02:32:17 0 d-------- C:\Program Files\FLV Player
2008-06-17 09:05:07 0 d-------- C:\Documents and Settings\susan\Application Data\Google
2008-05-14 17:07:17 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="C:\WINDOWS\ATK0100\HControl.exe" [07/28/2005 09:29 AM]
"RemoteControl"="C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe" [11/02/2004 08:24 PM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 11:50 AM]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [10/14/2004 10:11 AM]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [09/23/2004 01:41 PM]
"ASUS Live Update"="C:\Program Files\ASUS\ASUS Live Update\ALU.exe" [09/19/2003 12:54 PM]
"NB Probe"="C:\Program Files\ASUS\NB Probe\NBProbe.exe" [07/27/2005 05:07 PM]
"Power_Gear"="C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe" [06/16/2005 03:48 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [05/11/2005 09:03 AM]
"Control Center"="C:\Program Files\ASUS\WLAN Card Utilities\Center.exe" [09/13/2005 09:55 PM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [05/31/2005 09:05 PM]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [03/13/2008 04:48 PM]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [11/12/2006 06:48 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [05/27/2008 10:50 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [04/13/2008 08:12 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/13/2008 08:12 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]
"updateMgr"="c:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/2006 04:45 PM]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [04/30/2008 05:17 PM]
"OM2_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [05/28/2007 04:59 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [4/23/2008 3:38:16 AM]
ASUS ChkMail.lnk - C:\Program Files\ASUS\Asus ChkMail\ChkMail.exe [4/21/2006 3:34:51 PM]
HDBackup.lnk - C:\Program Files\HDBackup\HDBackup\HDBackup.exe [5/8/2008 12:32:09 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{40bbb2cf-0d6b-11dd-ac3d-0015f2d86387}]
AutoRun\command- F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{43a14769-3ecd-11dd-acb9-0015f2d86387}]
Auto\command- G:\Start.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3f0f166-625c-11dd-ad32-0015f2d86387}]
AutoRun\command- G:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c8c13ab0-0c95-11dd-ac37-0015f2d86387}]
AutoRun\command- G:\LaunchU3.exe -a

-- End of Deckard's System Scanner: finished at 2008-08-07 10:50:58 ------------

NB: after running dss.exe twice I still could not generate an extra.txt.
I have attached the only extra.txt I have which dates fron 7/10/2008 ( a month old)

Thankyou.

easyas · 08-19-2008, 10:05 AM

bump?

easyas · 08-22-2008, 01:49 PM

BUMP please

1972vet · 08-26-2008, 12:00 PM

Greetings easyas and Welcome to the forums,

I'm currently looking over your logs and will have some suggestions for you in a short while. Thanks for your patience!

1972vet · 08-26-2008, 12:30 PM

I see a few issues that should be addressed. The p2p program is a security risk as well as the outdated Java. There are also risks associated with online poker web sites.
Read This regarding the risks of playing online poker. Click here for information regarding the risks of using File Sharing software.

First thing we should do is uninstall Deckard's System Scanner...there has been a problem that devoloped and it is recommended, for the time being, that you should remove it...and while we're at it, we need to uninstall these too:
LimeWire
java<--Old version that could cause security issues

Click start-->Control Panel-->Add/Remove Programs...scroll down the list to locate the program names and click Remove for each. Reboot when finished uninstalling.

To replace some of Deckard's System Scanner's functionality, we need to download a few alternative utilities...Click HERE to download HijackThis.

Click the Download button then select Installer.

Double click on the HJTInstall.exe then click "Install". It will be installed by default here:
C:\Program Files\Trend Micro\HijackThis

...and A shortcut to the application will also be placed on your Desktop.

The program will open automatically after installation.
You can double click the icon that was placed on the Desktop to run subsequent hijackthis scans or you can use the icon inside the folder.

The folder HijackThis is where you will find the HJT logs that you save. When you use the application to remove anything, you will also find the backup copies made by HJT inside this folder. For now, close the application...we will use it later. Next, we need to disable your Spybot Search and Destroy's Registry protection feature..."Tea Timer":
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer to properly record the changes to the hard disk.

When the system comes back up:
Please download combofix from This Webpage...and read through the instructions there for running the tool.

***Important Note***
Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:

The Recovery Console was successfully installed.

When you see that screen, please continue as follows:

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please post back the following on your next reply:

C:\ComboFix.txt
New HijackThis log.

For the HijackThis log, open HijackThis, click Do a system scan and save a logfile. Copy and paste the contents of that log back here along with the combofix scan log. Thanks!

easyas · 08-26-2008, 06:31 PM

Thankyou so much 1972vet!! I was starting to wonder if I'd fallen between the cracks (so to speak). I'm systematically going through the list 1 step at a time. Here it is as it happens;

- no limewire or dss in add/remove programs. Did a search and removed any remnants found. Limewire is deleted and loaded in a bit of a tug-o'war in the office.
-Only had dss.exe on the desktop.Deleted it.
-I was wondering about partypoker as a source of bad code, so it's gone too. These can be played online- is this still a threat in your opinion?

-HJT installed successfully
- teatimer function in spybot already unchecked.

-combofix and recovery console installed without problem.

Reports as follows;

ComboFix 08-08-26.02 - susan 2008-08-26 20:38:40.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.492 [GMT -4:00]
Running from: C:\Documents and Settings\susan\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-07-27 to 2008-08-27 )))))))))))))))))))))))))))))))
.

2008-08-26 20:09 . 2008-08-26 20:09 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-26 13:41 . 2008-08-26 13:41 250 --a------ C:\WINDOWS\gmer.ini
2008-08-22 20:10 . 2008-08-22 20:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Gtek
2008-08-22 20:10 . 2008-08-22 20:10 5,752 --a------ C:\WINDOWS\system32\OEMINFO.PNF
2008-08-22 20:09 . 2008-08-22 20:09 <DIR> d-------- C:\Documents and Settings\susan\Application Data\GTek
2008-08-15 11:02 . 2008-08-15 15:19 <DIR> d-------- C:\Documents and Settings\Office\Application Data\Skype
2008-08-13 02:31 . 2008-04-11 15:04 691,712 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-13 02:31 . 2008-05-01 10:33 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-07 08:01 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-08-05 11:37 . 2008-08-05 11:37 <DIR> d-------- C:\Program Files\PaulB
2008-08-05 11:37 . 2008-08-05 11:37 <DIR> d-------- C:\Documents and Settings\susan\Application Data\Get Mail
2008-07-30 13:59 . 2006-11-30 17:09 57,344 --a------ C:\WINDOWS\system32\ssdevm.dll
2008-07-30 13:59 . 2006-08-15 18:42 49,152 --a------ C:\WINDOWS\system32\ssusbpn.dll
2008-07-30 13:59 . 2004-08-11 15:39 41,984 -ra------ C:\WINDOWS\system32\drivers\DgivEcp.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-27 00:19 --------- d-----w C:\Documents and Settings\susan\Application Data\Skype
2008-08-27 00:05 --------- d-----w C:\Documents and Settings\susan\Application Data\skypePM
2008-08-26 23:49 --------- d-----w C:\Program Files\Common Files\muvee Technologies
2008-08-26 23:41 --------- d-----w C:\Program Files\PartyGaming
2008-08-26 23:39 --------- d-----w C:\Program Files\Java
2008-08-26 04:40 --------- d-----w C:\Program Files\Blue Coat K9
2008-08-23 03:44 --------- d-----w C:\Program Files\Skype
2008-08-22 15:09 --------- d-----w C:\Documents and Settings\Office\Application Data\U3
2008-08-14 03:11 --------- d-----w C:\Documents and Settings\susan\Application Data\U3
2008-08-07 12:00 --------- d-----w C:\Program Files\Panda Security
2008-08-07 11:34 --------- d-----w C:\Program Files\SpywareBlaster
2008-07-31 15:36 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-30 17:58 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-11 12:07 --------- d-----w C:\Program Files\DAEMON Tools
2008-07-10 20:15 --------- d-----w C:\Program Files\Google
2008-07-10 19:32 --------- d-----w C:\Program Files\Common Files\Logitech
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:26 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
2008-07-07 12:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-01 20:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\MSScanAppDataDir
2008-06-29 02:43 --------- d-----w C:\Program Files\QuickTime
2008-06-28 18:07 --------- d-----w C:\Program Files\MYOB
2008-06-26 08:15 619,520 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2008-06-26 08:15 1,499,136 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:43 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-23 15:09 666,112 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-23 15:09 666,112 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2008-06-23 15:09 3,067,392 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:46 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:46 147,968 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 11:51 361,600 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 11:40 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 11:08 225,856 ------w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-08-11 17:46 21741864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="C:\WINDOWS\ATK0100\HControl.exe" [2005-07-28 09:29 102400]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 10:11 1388544]
"NB Probe"="C:\Program Files\ASUS\NB Probe\NBProbe.exe" [2005-07-27 17:07 765952]
"Power_Gear"="C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe" [2005-06-16 15:48 86016]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-05-11 09:03 708697]
"Control Center"="C:\Program Files\ASUS\WLAN Card Utilities\Center.exe" [2005-09-13 21:55 1668096]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-31 21:05 344064]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 16:48 1443072]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
ASUS ChkMail.lnk.disabled [2006-04-21 15:34:54 1578]
HDBackup.lnk.disabled [2008-05-08 12:32:10 850]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.asv2"= asusasv2.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"OM2_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"updateMgr"=c:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"RemoteControl"="C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
"ASUS Live Update"=C:\Program Files\ASUS\ASUS Live Update\ALU.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R1 cwmtdi;cwmtdi;C:\WINDOWS\system32\drivers\cwmtdi.sys [2007-05-14 19:04]
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-03-13 16:52]
R3 ASNDIS5;ASNDIS5 Protocol Driver;C:\WINDOWS\system32\ASNDIS5.SYS [2002-09-09 19:54]
R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-05-22 22:30]
S2 SSPORT;SSPORT;C:\WINDOWS\system32\Drivers\SSPORT.sys []
S3 CH341SER;CH341SER;C:\WINDOWS\system32\Drivers\CH341SER.SYS [2006-06-05 00:00]
S3 ipswuio;ipswuio;C:\WINDOWS\system32\DRIVERS\ipswuio.sys [2005-06-08 15:55]
S3 PNDIS5;PNDIS5 NDIS Protocol Driver;E:\PNDIS5.SYS []
S3 PortlUSB;PortlUSB;C:\WINDOWS\system32\DRIVERS\YH-820.sys [2004-09-09 20:42]
S3 Video3D;ASUS Video3D Service;C:\WINDOWS\system32\Drivers\Video3D.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{43a14769-3ecd-11dd-acb9-0015f2d86387}]
\Shell\Auto\command - G:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3f0f166-625c-11dd-ad32-0015f2d86387}]
\Shell\AutoRun\command - G:\setupSNK.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-08-27 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe [2008-01-28 11:43]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\susan\Application Data\Mozilla\Firefox\Profiles\deiisudm.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com.au/
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-26 20:40:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-26 20:41:50
ComboFix-quarantined-files.txt 2008-08-27 00:41:44

Pre-Run: 33,128,889,344 bytes free
Post-Run: 33,285,111,808 bytes free

146 --- E O F --- 2008-08-13 07:04:48

----------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:22:41 PM, on 8/26/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ASWLSVC.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Blue Coat K9\k9filter.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ASUS\NB Probe\NBProbe.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://evgausperfm1.envirogold.com/...e%2flogin.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [NB Probe] C:\Program Files\ASUS\NB Probe\NBProbe.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ASUS ChkMail.lnk.disabled
O4 - Global Startup: HDBackup.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs:
O23 - Service: ASWLSVC - Unknown owner - C:\WINDOWS\system32\ASWLSVC.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
O23 - Service: Blue Coat K9 Web Protection (WebFilter) - Unknown owner - C:\Program Files\Blue Coat K9\k9filter.exe

--
End of file - 5992 bytes

Good luck and thanks again!!

1972vet · 08-26-2008, 08:20 PM

Quote:

I was wondering about partypoker as a source of bad code, so it's gone too. These can be played online- is this still a threat in your opinion?

Yes. Did you read the link I posted about this?

Surprising! I don't see anything in the combofix log that I was expecting to see. As this is a shared machine it may be rather difficult to make any assurances.

Please advise which of these two is the correct start page:
http://www.asus.com
https://evgausperfm1.envirogold.com

You can run HijackThis again and check the box next to these entries:
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
Unknown
O4 - Global Startup: ASUS ChkMail.lnk.disabled
O4 - Global Startup: HDBackup.lnk.disabled
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -
O20 - AppInit_DLLs:

Close all windows now except for the HijackThis application's window (that includes this browser window), then click the Fix Checked button.

Locate and delete the following folder indicated in Bold Text:
C:\Program Files\PartyGaming

Update your on board antivirus application. Reboot the computer into Safe mode. Once in safe mode, open the on board antivirus application and run a complete system scan. Allow the software to quarantine whatever it complains about. When the scan completes, reboot to your normal windows user mode.

Post a fresh HijackThis log. Please advise how the system behaves now and if you are having any other issues. Thanks!

easyas · 08-27-2008, 06:59 AM

Thanks 72 vet. I will not be able to perform these tasks until tonight as the machine is an office tool today. Thanks for the clarification on the backdoor rootkit coming through partypoker. I thought if the software isn't installed the rootkit can't exploit it, but there's always a way huh.
Expect my new logs around 6pm (-4gmt)
Kev

easyas · 08-27-2008, 11:13 AM

Hi 1972vet, I was able to use the machine earlier than expected. The homepage in the Office user account is
https://evgausperfm1.envirogold.com
the susan/administrator user account uses google.com
Ran HJT and ticked all boxes except "unknown" which didn't exist.
Deleted partygaming but did not find a bold partygaming file. Did a search and deleted any partypoker related detritus.

Booted in safe mode and went for a walk while eset ran a check. No log appeared and no new quarantined items are logged either.
HJT as follows;

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:58:16 PM, on 8/27/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ASWLSVC.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Blue Coat K9\k9filter.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\ASUS\NB Probe\NBProbe.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://evgausperfm1.envirogold.com/...e%2flogin.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [NB Probe] C:\Program Files\ASUS\NB Probe\NBProbe.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: ASWLSVC - Unknown owner - C:\WINDOWS\system32\ASWLSVC.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
O23 - Service: Blue Coat K9 Web Protection (WebFilter) - Unknown owner - C:\Program Files\Blue Coat K9\k9filter.exe

--
End of file - 5228 bytes
---------------------------------------------------------------------------------------------

The computer SEEMS to be operating well. Internet connections are still flakey. What I have noticed is that the computer tries to log into an incorrect IP address (sorry- didn't write it down...). Repair the connection a few times and successful IP address 10.0.0.6 appears.
I notice yahoo toolbar is still there;
http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
Can I run HJT and remove this safely? Beyond that all appears well- only time will tell.

Thanks 1972vet
Easyas

1972vet · 08-27-2008, 07:09 PM

Quote:

Internet connections are still flakey.
What I have noticed is that the computer tries to log into an incorrect IP address (sorry- didn't write it down...). Repair the connection a few times and successful IP address 10.0.0.6 appears.
Please explain this in more detail. Example...do you mean, the computer tries on it's own to open an internet connection or when you open Internet explorer, it tries to open a connection using the incorrect IP?
I notice yahoo toolbar is still there;
http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
Can I run HJT and remove this safely? Beyond that all appears well- only time will tell.

If Yahoo Toolbar is something you don't use, please uninstall it via add/remove programs.

You can run HijackThis again and check/fix this entry:
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com

Don't forget to close all windows before clicking Fix Checked then reboot to properly record the changes to the hard disk.

Post back a fresh HijackThis log. Thanks!

easyas · 08-27-2008, 07:50 PM

Hey 1972vet.
To clarify the internet connection issue- the computer automatically establishes a wireless connection upon startup. When I open my browser Firefox would not find the homepage until the connection had been repaired several times (until the ip address had been changed to 10.0.0.6). Its behaving now so I cannot give you the ip address it was previously connecting to. I remember it beginning with 256.x Any help?

I removed the yahoo toolbar using add/remove programs months ago. Why is it still lurking in the log? I'll check the other user account and see if I can answer that myself.

I ran a secunia software check today which meant downloading the latest java run time.
the results showed that macromedia flash player 6.x was outdated. I downloaded the newer version but subsequent checks continued to show that it hadn't updated. should I remove flash player and start over?

Ran Hjt without fuss, here it is;

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:40:37 PM, on 8/27/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ASWLSVC.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Blue Coat K9\k9filter.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\ASUS\NB Probe\NBProbe.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://evgausperfm1.envirogold.com/...e%2flogin.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [NB Probe] C:\Program Files\ASUS\NB Probe\NBProbe.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: ASWLSVC - Unknown owner - C:\WINDOWS\system32\ASWLSVC.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
O23 - Service: Blue Coat K9 Web Protection (WebFilter) - Unknown owner - C:\Program Files\Blue Coat K9\k9filter.exe

--
End of file - 5658 bytes

Thank a million
easyas

easyas · 08-28-2008, 04:49 AM

Furthur to the connection hassles- this morning it was back to repairing the connection(sigh). On initial startup of the computer the wireless connection attempts to link through IP address 192.168.1.68. I think this address has something to do with the linksys equipment we use.

Hope this helps 1972vwt
easyas

easyas · 08-28-2008, 04:52 AM

sorry! the least I can do is spell your name correctly 1972vet!!!!

1972vet · 08-28-2008, 09:21 AM

Quote:

the computer automatically establishes a wireless connection upon startup.

Since this is not a connection that you use, try removing the connection that is set up for it:
Click start-->Connect To-->Show All Connections
...The Network Connections window will open. Listed there should be icons for all connection methods that are set up for your user account.

If you can Identify which of them that you use then you should be able to delete the other(s).

Be careful not to delete anything that windows created... such as "Local Area Connection". You can identify the connection you are currently using by right-clicking on the connection icon in the task bar. Select "Status" . In the Status window that opens, note the name at the top. Your connection icon in the "Network Connections" listing should be named the same.

Click start-->Control Panel-->Internet Options-->Connections
...In the Dial-Up and Virtual Private Network settings section, there should be a list showing the connection names. At least one should be listed as (default).

The connection that you use can be designated as Default. Return now to the Network Connections window. Find the icon for your connection. By right-clicking on the icon for the connection that you use, you will be presented with a menu.

The menu that opens will have the option "Set As Default". If you don't see that option in the menu, then Right-Click on the icon for the connection that IS designated as Default and select "Cancel as Default Connection"...then return to the icon for the connection that you use, right-click on it and select "Set As Default".

Close the Network Connections window. Return to the "Internet Properties" window. Near the middle of that window, select the option for Never dial a connection. Click "Apply" and "OK"...then close the Internet Properties window and reboot the system.

With this option selected, you will have to open your internet connection manually. Since designating your connection as "Default", it would now be listed in the "Show All Connections" listing. To find it, click start-->Connect To...Now the only options should be your connection icon and the "Show All Connections".

To make your connection easier to find, you can selelct "Show All Connections", Right-Click on the icon for your connection and select "Create ShortCut". Answer "Yes" to the question "Do you want to place a ShortCut on the Desktop instead". Next time you want to connect, just double-click on the icon Shortcut you placed on the Desktop.

If, by the Yahoo ToolBar you are referring to this entry:
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
...then I should point out that it has nothing to do with a tool bar. The preference you have for your search engine that you selected in Internet Explorer is reflected by this entry. You can change that to any search engine of your choice from within Internet Explorer. In the Internet Options "Search" section, under the General tab, click the "Settings" button. Find your preference in the list and set it as Default.

For the flash player issue, did you download the uninstaller that Secunia offered you? If so, in the "Insecure" section, look for the flash player in the list. Click on the folder which will take you to the location of the offending file that should be named. Find the file inside that folder and delete it. Allow Secunia to rescan. Post back your results. Thanks!

easyas · 08-28-2008, 04:56 PM

Phew!! Where to start.... I have saved the information above for future reference.
My Asus A6R laptop (this machine) uses its own networking software called
'ASUS WLAN Control Centre'. This software automatically searches and connects to available wireless networks. At the moment I'm connected to host name;
xxmymacaddressxx.verizon.com.do.
we actually run a codotel connection NOT verizon. what the???
Besides that, this software overrides windows connections so all boxes are empty- the info above does not apply. Do you recommend removing this software and using the windows application?
Downloaded secunia PSI. Issues resolved. Thanks for the tip.
I feel a log coming on:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:36:18 PM, on 8/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ASWLSVC.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Blue Coat K9\k9filter.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\ASUS\NB Probe\NBProbe.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Secunia\PSI (RC3)\psi.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://evgausperfm1.envirogold.com/...e%2flogin.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [NB Probe] C:\Program Files\ASUS\NB Probe\NBProbe.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Secunia PSI (RC3).lnk = C:\Program Files\Secunia\PSI (RC3)\psi.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: ASWLSVC - Unknown owner - C:\WINDOWS\system32\ASWLSVC.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
O23 - Service: Blue Coat K9 Web Protection (WebFilter) - Unknown owner - C:\Program Files\Blue Coat K9\k9filter.exe

--
End of file - 5756 bytes

Lookin' good ?
easyas

1972vet · 08-28-2008, 07:24 PM

No need to remove ASUS software, it's fine...and your log looks fine too. How's the system running? Having any other issues?

easyas · 08-28-2008, 09:36 PM

Peace-of-mind is the most powerful tool available to humans- apart from the computer.

1972vet, your help has been both reassuring and instructive. The operating system is not at it's peak, but it is not compromised either. That is what I needed to know. I don't want to waste any more of your time as I know the back-log grows larger by the minute. The tools provided by you and the techsupportforum crew have been shared in the office and I believe these simple measures will go far to protecting us in the future.
The selection of preventative programs is to be applauded and the aid provided in their absence is beyond belief. Continue the good work!!
thankyou again,
easyas

1972vet · 08-29-2008, 02:46 AM

Quote:

The operating system is not at it's peak, but it is not compromised either...
That is what I needed to know. I don't want to waste any more of your time as I know the back-log grows larger by the minute.

...OK, then let's try to tidy up a bit and sort things in their proper order. This should help speed things up for you. By the way, it's never a waste of time when folks like you respond as quickly and kindly as you have in earnest pursuit of education. Keeping in mind, we all learn together, there are no teachers here...just students who have much to share. A backlog will exist on every help forum. Those who patiently wait learn to accept their patience as the ideal companion of wisdom.

If you have more than one drive you can follow these instructions below for each drive, substituting the drive letter in each instance:

Delete Cookies
***Note***
Deleting ALL cookies will require you to log back into any web sites you visit that required you to log on with a user ID and password.

You CAN be selective here and keep the good cookies if you think you know which ones they are. I recommend deleting "All" cookies in order to remove any problems that may be present.

Click Start-->Run and Type Cookies then click OK.
Click "Edit" from the menu at the top then scroll to and click on:
Select All

Next, click "File" from the menu at the top. Scroll to and select Delete

Return to your desktop.

Delete the Contents of the Prefetch Folder
***Note***
It is not necessary to delete the contents of the "Prefetch" folder as a matter of routine. However, if your system has been in use for quite some time and you have installed, then uninstalled many programs, OR if you have recently gone through the removal of malware then deleting the contents of the "Prefetch" folder may be beneficial as it can become quite bloated in time, as well it may contain entries from the malware you have removed.

Click Start-->Run and Type Prefetch then click OK.
Click "Edit" from the menu at the top then scroll to and click on:
Select All
Next, click "File" from the menu at the top. Scroll to and select Delete

Return to your desktop

Delete Windows Temp Files

Click Start-->Run, and Type Temp then click OK.
Click "Edit" from the menu at the top then scroll to and click on:
Select All
Next, click "File" from the menu at the top. Scroll to and select Delete

It is important to pay attention here to what files may remain after you click "Delete". There are some windows temp files that the system will not allow you to delete which is normal as there are a few files (from your most recent log on session) that are in use by the operating system. You should have only two or three files that remain. Please select what files remain (a few at a time) and delete everything that windows will allow you to delete.

Return to your desktop

Delete User Temp Files
Click Start-->Run, and Type %Temp% then click OK.
Click "Edit" from the menu at the top then scroll to and click on:
Select All
Next, click "File" from the menu at the top. Scroll to and select Delete
Return to your desktop

Delete other Unnecessary Files

Click Start-->My Computer-->Right Click on C:/ Drive
Select "Properties" then click the Disk Clean-Up button.
Select everything Except for "Office Set-Up Files" (if present) and "Compress Old Files". Click "OK".

Run CHKDSK

Click the "Tools" Tab. Under Error Checking click the "Check Now" button. Under Check Disk Options put a check in Both boxes then Click Start. Click Yes then Click OK and reboot the system.

This first reboot after you've completed the cleanup session will take a bit longer than usual. Let your system stabilize with no intervention...DO NOTHING WITH YOUR COMPUTER AT THIS TIME

Allow the scan to complete. Upon completion, windows will reboot the system again.

When the system comes back up and has stabilized (watch for the light on your CPU tower to stop blinking or at least slow to a crawl...this may take maybe 3 minutes or so) then continue with these instructions below:

Click Start-->All Programs-->Accessories, and select The Command Prompt again.

Copy and paste the following text at the “C :\...>” Prompt, and press the “ENTER” key.
defrag c:

You should be shown an anlysis of the fragmented files...the cursor should drop down and return to the left side of the screen. It will just blink continuously and may appear to you that nothing is happening but windows is running the defragmentation utility through the system command. Allow the defragmentation to complete. When it completes, your cursor will return to it's normal "Ready" position. It will most probably look like this:
C:\Documents and Settings\Owner>(or your log on user name that you assigned yourself) and the cursor will be blinking again as it is positioned at the end of that file path named above.

When you see that, then the fragmentation utility has finished. Close the Command Prompt window and reboot the computer again to properly record the changes to the disk.

Post back and let us know how the computer is running for you now and if you are having any other issues. Thanks!

easyas · 08-29-2008, 02:02 PM

I think we are nearly there 1972vet! Returning to my original gripes, the only remaining issue is the Ip address log in. Ultimately it doesn't bother me as much as I can recognise and repair the issue as needed. C prompt did not accept the C:\...> command- came back as a syntax error. I ran defrag through tools menu anyway. Here is the log for defrag;
Volume (C:)
Volume size = 43.65 GB
Cluster size = 512 bytes
Used space = 12.17 GB
Free space = 31.48 GB
Percent free space = 72 %

Volume fragmentation
Total fragmentation = 18 %
File fragmentation = 36 %
Free space fragmentation = 0 %

File fragmentation
Total files = 52,768
Average file size = 356 KB
Total fragmented files = 62
Total excess fragments = 34,983
Average fragments per file = 1.66

Pagefile fragmentation
Pagefile size = 576 MB
Total fragments = 2

Folder fragmentation
Total folders = 4,539
Fragmented folders = 1
Excess folder fragments = 0

Master File Table (MFT) fragmentation
Total MFT size = 71 MB
MFT record count = 65,317
Percent MFT in use = 89 %
Total MFT fragments = 3

--------------------------------------------------------------------------------
Fragments File Size Files that cannot be defragmented
None

An interesting development- I have lost E: drive (cd drive). I'll update the drivers and see if that resolves the issue.
Thanks vet
easyas

1972vet · 08-29-2008, 08:07 PM

Your disk was badly fragmented. For future reference, despite any analysis of the windows defrag module which might return the recommendation "You Do Not Need To Defragment This Volume", ignore that and defragment anyway if your analysis results in a fragment count of more than 3%...Microsoft wrote those thresholds to suite a large volume of "usual" corporate user settings. When your system begins to seem slower and performance is questionable then run a system defrag to see what your fragment count is...you can set a "Task" to run "Defragmenter" on schedule. Let us know if you would like to do that and we can post some instructions for you.

When you say you lost the "CD Drive" do you mean that it no longer appears in "My Computer", or are you getting an error message when you try to access the CD Drive? We should resolve this next as we need to use a command prompt that will involve the CD ROM Drive so we can use Windows File Protection to replace any missing or corrupted files. With the syntax error I suspect some corruption...my thought though leans more towards a registry corruption. Have you used any registry cleaning software? DON'T! Just please answer if you have or not. Thanks!

08-19-2008, 10:05 AM	#2 (permalink)
easyas Registered User Join Date: Jul 2008 Posts: 30 OS: windows xp	Re: Yikes! says I'm infected bump?

08-22-2008, 01:49 PM	#3 (permalink)
easyas Registered User Join Date: Jul 2008 Posts: 30 OS: windows xp	Re: Yikes! says I'm infected BUMP please

08-26-2008, 12:00 PM	#4 (permalink)
1972vet Analyst, Security Team Join Date: Jun 2008 Location: Midwest, U.S.A. Posts: 466 OS: Dual Boot Setup, Vista SP2 and XPSP3	Re: Yikes! says I'm infected Greetings easyas and Welcome to the forums, I'm currently looking over your logs and will have some suggestions for you in a short while. Thanks for your patience! __________________ Disabled Veteran, U.S.C.G. 1972 - 1978 Windows XP Performance and Maintenance Windows Vista Performance and Maintenance

08-26-2008, 12:30 PM	#5 (permalink)
1972vet Analyst, Security Team Join Date: Jun 2008 Location: Midwest, U.S.A. Posts: 466 OS: Dual Boot Setup, Vista SP2 and XPSP3	Re: Yikes! says I'm infected I see a few issues that should be addressed. The p2p program is a security risk as well as the outdated Java. There are also risks associated with online poker web sites. Read This regarding the risks of playing online poker. Click here for information regarding the risks of using File Sharing software. First thing we should do is uninstall Deckard's System Scanner...there has been a problem that devoloped and it is recommended, for the time being, that you should remove it...and while we're at it, we need to uninstall these too: LimeWire java<--Old version that could cause security issues Click start-->Control Panel-->Add/Remove Programs...scroll down the list to locate the program names and click Remove for each. Reboot when finished uninstalling. To replace some of Deckard's System Scanner's functionality, we need to download a few alternative utilities...Click HERE to download HijackThis. Click the Download button then select Installer. Double click on the HJTInstall.exe then click "Install". It will be installed by default here: C:\Program Files\Trend Micro\HijackThis ...and A shortcut to the application will also be placed on your Desktop. The program will open automatically after installation. You can double click the icon that was placed on the Desktop to run subsequent hijackthis scans or you can use the icon inside the folder. The folder HijackThis is where you will find the HJT logs that you save. When you use the application to remove anything, you will also find the backup copies made by HJT inside this folder. For now, close the application...we will use it later. Next, we need to disable your Spybot Search and Destroy's Registry protection feature..."Tea Timer": 1) Run Spybot-S&D 2) Go to the Mode menu, and make sure "Advanced Mode" is selected 3) On the left hand side, choose Tools -> Resident 4) Uncheck "Resident TeaTimer" and OK any prompts 5) Restart your computer to properly record the changes to the hard disk. When the system comes back up: Please download combofix from This Webpage...and read through the instructions there for running the tool. *Important Note* Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED. The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments. Once installed, a blue screen prompt should appear that reads as follows: The Recovery Console was successfully installed. When you see that screen, please continue as follows: Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Click Yes to allow ComboFix to continue scanning for malware. When the tool is finished, it will produce a report for you. Please post back the following on your next reply: C:\ComboFix.txt New HijackThis log. For the HijackThis log, open HijackThis, click Do a system scan and save a logfile. Copy and paste the contents of that log back here along with the combofix scan log. Thanks! __________________ Disabled Veteran, U.S.C.G. 1972 - 1978 Windows XP Performance and Maintenance Windows Vista Performance and Maintenance

08-26-2008, 06:31 PM	#6 (permalink)
easyas Registered User Join Date: Jul 2008 Posts: 30 OS: windows xp	Re: Yikes! says I'm infected Thankyou so much 1972vet!! I was starting to wonder if I'd fallen between the cracks (so to speak). I'm systematically going through the list 1 step at a time. Here it is as it happens; - no limewire or dss in add/remove programs. Did a search and removed any remnants found. Limewire is deleted and loaded in a bit of a tug-o'war in the office. -Only had dss.exe on the desktop.Deleted it. -I was wondering about partypoker as a source of bad code, so it's gone too. These can be played online- is this still a threat in your opinion? -HJT installed successfully - teatimer function in spybot already unchecked. -combofix and recovery console installed without problem. Reports as follows; ComboFix 08-08-26.02 - susan 2008-08-26 20:38:40.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.492 [GMT -4:00] Running from: C:\Documents and Settings\susan\Desktop\ComboFix.exe . ((((((((((((((((((((((((( Files Created from 2008-07-27 to 2008-08-27 ))))))))))))))))))))))))))))))) . 2008-08-26 20:09 . 2008-08-26 20:09 <DIR> d-------- C:\Program Files\Trend Micro 2008-08-26 13:41 . 2008-08-26 13:41 250 --a------ C:\WINDOWS\gmer.ini 2008-08-22 20:10 . 2008-08-22 20:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Gtek 2008-08-22 20:10 . 2008-08-22 20:10 5,752 --a------ C:\WINDOWS\system32\OEMINFO.PNF 2008-08-22 20:09 . 2008-08-22 20:09 <DIR> d-------- C:\Documents and Settings\susan\Application Data\GTek 2008-08-15 11:02 . 2008-08-15 15:19 <DIR> d-------- C:\Documents and Settings\Office\Application Data\Skype 2008-08-13 02:31 . 2008-04-11 15:04 691,712 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll 2008-08-13 02:31 . 2008-05-01 10:33 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll 2008-08-07 08:01 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys 2008-08-05 11:37 . 2008-08-05 11:37 <DIR> d-------- C:\Program Files\PaulB 2008-08-05 11:37 . 2008-08-05 11:37 <DIR> d-------- C:\Documents and Settings\susan\Application Data\Get Mail 2008-07-30 13:59 . 2006-11-30 17:09 57,344 --a------ C:\WINDOWS\system32\ssdevm.dll 2008-07-30 13:59 . 2006-08-15 18:42 49,152 --a------ C:\WINDOWS\system32\ssusbpn.dll 2008-07-30 13:59 . 2004-08-11 15:39 41,984 -ra------ C:\WINDOWS\system32\drivers\DgivEcp.sys . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-08-27 00:19 --------- d-----w C:\Documents and Settings\susan\Application Data\Skype 2008-08-27 00:05 --------- d-----w C:\Documents and Settings\susan\Application Data\skypePM 2008-08-26 23:49 --------- d-----w C:\Program Files\Common Files\muvee Technologies 2008-08-26 23:41 --------- d-----w C:\Program Files\PartyGaming 2008-08-26 23:39 --------- d-----w C:\Program Files\Java 2008-08-26 04:40 --------- d-----w C:\Program Files\Blue Coat K9 2008-08-23 03:44 --------- d-----w C:\Program Files\Skype 2008-08-22 15:09 --------- d-----w C:\Documents and Settings\Office\Application Data\U3 2008-08-14 03:11 --------- d-----w C:\Documents and Settings\susan\Application Data\U3 2008-08-07 12:00 --------- d-----w C:\Program Files\Panda Security 2008-08-07 11:34 --------- d-----w C:\Program Files\SpywareBlaster 2008-07-31 15:36 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP 2008-07-30 17:58 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-07-11 12:07 --------- d-----w C:\Program Files\DAEMON Tools 2008-07-10 20:15 --------- d-----w C:\Program Files\Google 2008-07-10 19:32 --------- d-----w C:\Program Files\Common Files\Logitech 2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll 2008-07-07 20:26 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll 2008-07-07 12:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer 2008-07-01 20:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\MSScanAppDataDir 2008-06-29 02:43 --------- d-----w C:\Program Files\QuickTime 2008-06-28 18:07 --------- d-----w C:\Program Files\MYOB 2008-06-26 08:15 619,520 ------w C:\WINDOWS\system32\dllcache\urlmon.dll 2008-06-26 08:15 1,499,136 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll 2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll 2008-06-24 16:43 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll 2008-06-23 15:09 666,112 ----a-w C:\WINDOWS\system32\wininet.dll 2008-06-23 15:09 666,112 ------w C:\WINDOWS\system32\dllcache\wininet.dll 2008-06-23 15:09 3,067,392 ------w C:\WINDOWS\system32\dllcache\mshtml.dll 2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll 2008-06-20 17:46 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll 2008-06-20 17:46 147,968 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll 2008-06-20 11:51 361,600 ------w C:\WINDOWS\system32\dllcache\tcpip.sys 2008-06-20 11:40 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys 2008-06-20 11:08 225,856 ------w C:\WINDOWS\system32\dllcache\tcpip6.sys 2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360] "Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-08-11 17:46 21741864] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "HControl"="C:\WINDOWS\ATK0100\HControl.exe" [2005-07-28 09:29 102400] "SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 10:11 1388544] "NB Probe"="C:\Program Files\ASUS\NB Probe\NBProbe.exe" [2005-07-27 17:07 765952] "Power_Gear"="C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe" [2005-06-16 15:48 86016] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-05-11 09:03 708697] "Control Center"="C:\Program Files\ASUS\WLAN Card Utilities\Center.exe" [2005-09-13 21:55 1668096] "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-31 21:05 344064] "egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 16:48 1443072] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696] ASUS ChkMail.lnk.disabled [2006-04-21 15:34:54 1578] HDBackup.lnk.disabled [2008-05-08 12:32:10 850] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"= [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "vidc.asv2"= asusasv2.dll [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background "OM2_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" "SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe "updateMgr"=c:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 "NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime "RemoteControl"="C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe" "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" "ASUS Live Update"=C:\Program Files\ASUS\ASUS Live Update\ALU.exe [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\Skype\\Phone\\Skype.exe"= R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24] R1 cwmtdi;cwmtdi;C:\WINDOWS\system32\drivers\cwmtdi.sys [2007-05-14 19:04] R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-03-13 16:52] R3 ASNDIS5;ASNDIS5 Protocol Driver;C:\WINDOWS\system32\ASNDIS5.SYS [2002-09-09 19:54] R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-05-22 22:30] S2 SSPORT;SSPORT;C:\WINDOWS\system32\Drivers\SSPORT.sys [] S3 CH341SER;CH341SER;C:\WINDOWS\system32\Drivers\CH341SER.SYS [2006-06-05 00:00] S3 ipswuio;ipswuio;C:\WINDOWS\system32\DRIVERS\ipswuio.sys [2005-06-08 15:55] S3 PNDIS5;PNDIS5 NDIS Protocol Driver;E:\PNDIS5.SYS [] S3 PortlUSB;PortlUSB;C:\WINDOWS\system32\DRIVERS\YH-820.sys [2004-09-09 20:42] S3 Video3D;ASUS Video3D Service;C:\WINDOWS\system32\Drivers\Video3D.sys [] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{43a14769-3ecd-11dd-acb9-0015f2d86387}] \Shell\Auto\command - G:\Start.exe \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3f0f166-625c-11dd-ad32-0015f2d86387}] \Shell\AutoRun\command - G:\setupSNK.exe Newly Created Service - CATCHME Newly Created Service - PROCEXP90 . Contents of the 'Scheduled Tasks' folder 2008-08-27 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job - C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe [2008-01-28 11:43] . . ------- Supplementary Scan ------- . FireFox -: Profile - C:\Documents and Settings\susan\Application Data\Mozilla\Firefox\Profiles\deiisudm.default\ FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com.au/ FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll . ************************************************************************ catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-08-26 20:40:29 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . Completion time: 2008-08-26 20:41:50 ComboFix-quarantined-files.txt 2008-08-27 00:41:44 Pre-Run: 33,128,889,344 bytes free Post-Run: 33,285,111,808 bytes free 146 --- E O F --- 2008-08-13 07:04:48 ---------------------------------------------------------------------------------------- --------------------------------------------------------------------------------------- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:22:41 PM, on 8/26/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\ASWLSVC.exe C:\WINDOWS\ATKKBService.exe C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Blue Coat K9\k9filter.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\ATK0100\HControl.exe C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe C:\Program Files\Analog Devices\SoundMAX\Smax4.exe C:\Program Files\ASUS\NB Probe\NBProbe.exe C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\ASUS\WLAN Card Utilities\Center.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Skype\Phone\Skype.exe C:\WINDOWS\ATK0100\ATKOSD.exe C:\Program Files\Skype\Plugin Manager\skypePM.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\explorer.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://evgausperfm1.envirogold.com/...e%2flogin.aspx R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file) O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe O4 - HKLM\..\Run: [NB Probe] C:\Program Files\ASUS\NB Probe\NBProbe.exe O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1 O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: ASUS ChkMail.lnk.disabled O4 - Global Startup: HDBackup.lnk.disabled O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing) O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing) O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813 O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - AppInit_DLLs: O23 - Service: ASWLSVC - Unknown owner - C:\WINDOWS\system32\ASWLSVC.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe O23 - Service: Blue Coat K9 Web Protection (WebFilter) - Unknown owner - C:\Program Files\Blue Coat K9\k9filter.exe -- End of file - 5992 bytes Good luck and thanks again!!

08-27-2008, 06:59 AM	#8 (permalink)
easyas Registered User Join Date: Jul 2008 Posts: 30 OS: windows xp	Re: Yikes! says I'm infected Thanks 72 vet. I will not be able to perform these tasks until tonight as the machine is an office tool today. Thanks for the clarification on the backdoor rootkit coming through partypoker. I thought if the software isn't installed the rootkit can't exploit it, but there's always a way huh. Expect my new logs around 6pm (-4gmt) Kev

08-27-2008, 11:13 AM	#9 (permalink)
easyas Registered User Join Date: Jul 2008 Posts: 30 OS: windows xp	Re: Yikes! says I'm infected Hi 1972vet, I was able to use the machine earlier than expected. The homepage in the Office user account is https://evgausperfm1.envirogold.com the susan/administrator user account uses google.com Ran HJT and ticked all boxes except "unknown" which didn't exist. Deleted partygaming but did not find a bold partygaming file. Did a search and deleted any partypoker related detritus. Booted in safe mode and went for a walk while eset ran a check. No log appeared and no new quarantined items are logged either. HJT as follows; Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 1:58:16 PM, on 8/27/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\ASWLSVC.exe C:\WINDOWS\ATKKBService.exe C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Blue Coat K9\k9filter.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\ATK0100\HControl.exe C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe C:\Program Files\ASUS\NB Probe\NBProbe.exe C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\ASUS\WLAN Card Utilities\Center.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Skype\Phone\Skype.exe C:\WINDOWS\ATK0100\ATKOSD.exe C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe C:\Program Files\Skype\Plugin Manager\skypePM.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://evgausperfm1.envirogold.com/...e%2flogin.aspx R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe O4 - HKLM\..\Run: [NB Probe] C:\Program Files\ASUS\NB Probe\NBProbe.exe O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1 O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813 O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: ASWLSVC - Unknown owner - C:\WINDOWS\system32\ASWLSVC.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe O23 - Service: Blue Coat K9 Web Protection (WebFilter) - Unknown owner - C:\Program Files\Blue Coat K9\k9filter.exe -- End of file - 5228 bytes --------------------------------------------------------------------------------------------- The computer SEEMS to be operating well. Internet connections are still flakey. What I have noticed is that the computer tries to log into an incorrect IP address (sorry- didn't write it down...). Repair the connection a few times and successful IP address 10.0.0.6 appears. I notice yahoo toolbar is still there; http://us.rd.yahoo.com/customize/yco.../www.yahoo.com Can I run HJT and remove this safely? Beyond that all appears well- only time will tell. Thanks 1972vet Easyas

08-27-2008, 07:50 PM	#11 (permalink)
easyas Registered User Join Date: Jul 2008 Posts: 30 OS: windows xp	Re: Yikes! says I'm infected Hey 1972vet. To clarify the internet connection issue- the computer automatically establishes a wireless connection upon startup. When I open my browser Firefox would not find the homepage until the connection had been repaired several times (until the ip address had been changed to 10.0.0.6). Its behaving now so I cannot give you the ip address it was previously connecting to. I remember it beginning with 256.x Any help? I removed the yahoo toolbar using add/remove programs months ago. Why is it still lurking in the log? I'll check the other user account and see if I can answer that myself. I ran a secunia software check today which meant downloading the latest java run time. the results showed that macromedia flash player 6.x was outdated. I downloaded the newer version but subsequent checks continued to show that it hadn't updated. should I remove flash player and start over? Ran Hjt without fuss, here it is; Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:40:37 PM, on 8/27/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\ASWLSVC.exe C:\WINDOWS\ATKKBService.exe C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Blue Coat K9\k9filter.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\ATK0100\HControl.exe C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe C:\Program Files\ASUS\NB Probe\NBProbe.exe C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\ASUS\WLAN Card Utilities\Center.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Skype\Phone\Skype.exe C:\WINDOWS\ATK0100\ATKOSD.exe C:\Program Files\Skype\Plugin Manager\skypePM.exe C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://evgausperfm1.envirogold.com/...e%2flogin.aspx R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe O4 - HKLM\..\Run: [NB Probe] C:\Program Files\ASUS\NB Probe\NBProbe.exe O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1 O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813 O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: ASWLSVC - Unknown owner - C:\WINDOWS\system32\ASWLSVC.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe O23 - Service: Blue Coat K9 Web Protection (WebFilter) - Unknown owner - C:\Program Files\Blue Coat K9\k9filter.exe -- End of file - 5658 bytes Thank a million easyas

08-28-2008, 04:49 AM	#12 (permalink)
easyas Registered User Join Date: Jul 2008 Posts: 30 OS: windows xp	Re: Yikes! says I'm infected Furthur to the connection hassles- this morning it was back to repairing the connection(sigh). On initial startup of the computer the wireless connection attempts to link through IP address 192.168.1.68. I think this address has something to do with the linksys equipment we use. Hope this helps 1972vwt easyas

08-28-2008, 04:52 AM	#13 (permalink)
easyas Registered User Join Date: Jul 2008 Posts: 30 OS: windows xp	Re: Yikes! says I'm infected sorry! the least I can do is spell your name correctly 1972vet!!!!

08-28-2008, 04:56 PM	#15 (permalink)
easyas Registered User Join Date: Jul 2008 Posts: 30 OS: windows xp	Re: Yikes! says I'm infected Phew!! Where to start.... I have saved the information above for future reference. My Asus A6R laptop (this machine) uses its own networking software called 'ASUS WLAN Control Centre'. This software automatically searches and connects to available wireless networks. At the moment I'm connected to host name; xxmymacaddressxx.verizon.com.do. we actually run a codotel connection NOT verizon. what the??? Besides that, this software overrides windows connections so all boxes are empty- the info above does not apply. Do you recommend removing this software and using the windows application? Downloaded secunia PSI. Issues resolved. Thanks for the tip. I feel a log coming on: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 7:36:18 PM, on 8/28/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\ASWLSVC.exe C:\WINDOWS\ATKKBService.exe C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Blue Coat K9\k9filter.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\ATK0100\HControl.exe C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe C:\Program Files\ASUS\NB Probe\NBProbe.exe C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\ASUS\WLAN Card Utilities\Center.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Skype\Phone\Skype.exe C:\WINDOWS\ATK0100\ATKOSD.exe C:\Program Files\Skype\Plugin Manager\skypePM.exe C:\Program Files\Secunia\PSI (RC3)\psi.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://evgausperfm1.envirogold.com/...e%2flogin.aspx R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe O4 - HKLM\..\Run: [NB Probe] C:\Program Files\ASUS\NB Probe\NBProbe.exe O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1 O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized O4 - Startup: Secunia PSI (RC3).lnk = C:\Program Files\Secunia\PSI (RC3)\psi.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813 O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: ASWLSVC - Unknown owner - C:\WINDOWS\system32\ASWLSVC.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe O23 - Service: Blue Coat K9 Web Protection (WebFilter) - Unknown owner - C:\Program Files\Blue Coat K9\k9filter.exe -- End of file - 5756 bytes Lookin' good ? easyas

08-28-2008, 07:24 PM	#16 (permalink)
1972vet Analyst, Security Team Join Date: Jun 2008 Location: Midwest, U.S.A. Posts: 466 OS: Dual Boot Setup, Vista SP2 and XPSP3	Re: Yikes! says I'm infected No need to remove ASUS software, it's fine...and your log looks fine too. How's the system running? Having any other issues? __________________ Disabled Veteran, U.S.C.G. 1972 - 1978 Windows XP Performance and Maintenance Windows Vista Performance and Maintenance

08-28-2008, 09:36 PM	#17 (permalink)
easyas Registered User Join Date: Jul 2008 Posts: 30 OS: windows xp	Re: Yikes! says I'm infected Peace-of-mind is the most powerful tool available to humans- apart from the computer. 1972vet, your help has been both reassuring and instructive. The operating system is not at it's peak, but it is not compromised either. That is what I needed to know. I don't want to waste any more of your time as I know the back-log grows larger by the minute. The tools provided by you and the techsupportforum crew have been shared in the office and I believe these simple measures will go far to protecting us in the future. The selection of preventative programs is to be applauded and the aid provided in their absence is beyond belief. Continue the good work!! thankyou again, easyas

08-29-2008, 02:02 PM	#19 (permalink)
easyas Registered User Join Date: Jul 2008 Posts: 30 OS: windows xp	Re: Yikes! says I'm infected I think we are nearly there 1972vet! Returning to my original gripes, the only remaining issue is the Ip address log in. Ultimately it doesn't bother me as much as I can recognise and repair the issue as needed. C prompt did not accept the C:\...> command- came back as a syntax error. I ran defrag through tools menu anyway. Here is the log for defrag; Volume (C:) Volume size = 43.65 GB Cluster size = 512 bytes Used space = 12.17 GB Free space = 31.48 GB Percent free space = 72 % Volume fragmentation Total fragmentation = 18 % File fragmentation = 36 % Free space fragmentation = 0 % File fragmentation Total files = 52,768 Average file size = 356 KB Total fragmented files = 62 Total excess fragments = 34,983 Average fragments per file = 1.66 Pagefile fragmentation Pagefile size = 576 MB Total fragments = 2 Folder fragmentation Total folders = 4,539 Fragmented folders = 1 Excess folder fragments = 0 Master File Table (MFT) fragmentation Total MFT size = 71 MB MFT record count = 65,317 Percent MFT in use = 89 % Total MFT fragments = 3 -------------------------------------------------------------------------------- Fragments File Size Files that cannot be defragmented None An interesting development- I have lost E: drive (cd drive). I'll update the drivers and see if that resolves the issue. Thanks vet easyas

08-29-2008, 08:07 PM	#20 (permalink)
1972vet Analyst, Security Team Join Date: Jun 2008 Location: Midwest, U.S.A. Posts: 466 OS: Dual Boot Setup, Vista SP2 and XPSP3	Re: Yikes! says I'm infected Your disk was badly fragmented. For future reference, despite any analysis of the windows defrag module which might return the recommendation "You Do Not Need To Defragment This Volume", ignore that and defragment anyway if your analysis results in a fragment count of more than 3%...Microsoft wrote those thresholds to suite a large volume of "usual" corporate user settings. When your system begins to seem slower and performance is questionable then run a system defrag to see what your fragment count is...you can set a "Task" to run "Defragmenter" on schedule. Let us know if you would like to do that and we can post some instructions for you. When you say you lost the "CD Drive" do you mean that it no longer appears in "My Computer", or are you getting an error message when you try to access the CD Drive? We should resolve this next as we need to use a command prompt that will involve the CD ROM Drive so we can use Windows File Protection to replace any missing or corrupted files. With the syntax error I suspect some corruption...my thought though leans more towards a registry corruption. Have you used any registry cleaning software? DON'T! Just please answer if you have or not. Thanks! __________________ Disabled Veteran, U.S.C.G. 1972 - 1978 Windows XP Performance and Maintenance Windows Vista Performance and Maintenance