#1
Vundo infection
McAfee has reported the vundo trojan and has been unable to clean, delete or quarantine the files. McAfee has just updated itself and now reports that VirusScan is disabled. I am unable to enable VirusScan now. Can someone please help?
#2
HJT log
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:41:32 PM, on 3/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Saitek\Software\ProfilerU.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Saitek\Software\SaiMfd.exe
C:\WINNT\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\WINNT\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\MSC\mctskshd.exe
C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Jason\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/explore.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/explore.html
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0F01FF26-18F5-4613-BFD6-14DE2FBA24C3} - C:\WINNT\system32\mljkljh.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {64073547-D816-495E-B269-D0DEAD8A5A15} - C:\WINNT\system32\ddccd.dll (file missing)
O2 - BHO: (no name) - {7275767B-48BC-4AD7-A5E5-DA4AB990C383} - C:\WINNT\system32\mllml.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {BFF529B1-2268-41D4-B3B3-031E0101CAAE} - C:\WINNT\system32\ddcya.dll (file missing)
O2 - BHO: McAfee Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - c:\program files\mcafee\mps\mcpopup.dll
O2 - BHO: (no name) - {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\ProfilerU.exe
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\Software\SaiMfd.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [Pinnacle Game Profiler] "C:\Program Files\KALiNKOsoft\Pinnacle Game Profiler\pinnacle.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://download.mcafee.com/molbin/Sh...2/ComCtl32.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/do...e_Inst_Win.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1149580080171
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://comcast.oberon-media.com/onli...h.1.0.0.80.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15023/CTPID.cab
O20 - Winlogon Notify: ddccd - C:\WINNT\
O20 - Winlogon Notify: ddcya - C:\WINNT\system32\ddcya.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\System32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe

--
End of file - 10735 bytes
#3
Silent Runners part 1 of 2
"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATI Remote Control" = "C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe" ["ATI Technologies Inc."]
"(Default)" = "(empty string)" [file not found]
"ATI Launchpad" = "(empty string)" [file not found]
"ATI DeviceDetect" = "C:\Program Files\ATI Multimedia\main\ATIDtct.EXE" ["ATI Technologies Inc."]
"ATI Scheduler" = "C:\Program Files\ATI Multimedia\main\ATISched.EXE" ["ATI Technologies Inc."]
"Pinnacle Game Profiler" = ""C:\Program Files\KALiNKOsoft\Pinnacle Game Profiler\pinnacle.exe" -atboottime" [file not found]
"ctfmon.exe" = "C:\WINNT\system32\ctfmon.exe" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"VSOCheckTask" = ""C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask" ["McAfee, Inc."]
"VirusScan Online" = "C:\Program Files\McAfee.com\VSO\mcvsshld.exe" ["McAfee, Inc."]
"OASClnt" = "C:\Program Files\McAfee.com\VSO\oasclnt.exe" ["McAfee, Inc."]
"NWEReboot" = "(empty string)" [file not found]
"NeroFilterCheck" = "C:\WINNT\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"Profiler" = "C:\Program Files\Saitek\Software\ProfilerU.exe" ["Saitek"]
"SaiMfd" = "C:\Program Files\Saitek\Software\SaiMfd.exe" ["Saitek"]
"ATICCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"" [null data]
"CTHelper" = "CTHELPER.EXE" ["Creative Technology Ltd"]
"CTxfiHlp" = "CTXFIHLP.EXE" ["Creative Technology Ltd"]
"CloneCDTray" = ""C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s" ["SlySoft, Inc."]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"UserFaultCheck" = "C:\WINNT\system32\dumprep 0 -u"

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
     \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{0F01FF26-18F5-4613-BFD6-14DE2FBA24C3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINNT\system32\mljkljh.dll" [file not found]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
{64073547-D816-495E-B269-D0DEAD8A5A15}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINNT\system32\ddccd.dll" [file not found]
{7275767B-48BC-4AD7-A5E5-DA4AB990C383}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINNT\system32\mllml.dll" [file not found]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll" ["Sun Microsystems, Inc."]
{BFF529B1-2268-41D4-B3B3-031E0101CAAE}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINNT\system32\ddcya.dll" [file not found]
{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}\(Default) = "McAfee Popup Blocker"
  -> {HKLM...CLSID} = "CPub Object"
     \InProcServer32\(Default) = "c:\program files\mcafee\mps\mcpopup.dll" ["McAfee, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {HKLM...CLSID} = "Display Panning CPL Extension"
     \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{5b4dae26-b807-11d0-9815-00c04fd91972}" = "Menu Band"
  -> {HKLM...CLSID} = "Menu Band"
     \InProcServer32\(Default) = "C:\WINNT\system32\SHELL32.dll" [MS]
"{8278F931-2A3E-11d2-838F-00C04FD918D0}" = "Tracking Shell Menu"
  -> {HKLM...CLSID} = "Tracking Shell Menu"
     \InProcServer32\(Default) = "C:\WINNT\system32\SHELL32.dll" [MS]
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}" = "Menu Site"
  -> {HKLM...CLSID} = "Menu Site"
     \InProcServer32\(Default) = "C:\WINNT\system32\SHELL32.dll" [MS]
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}" = "Menu Desk Bar"
  -> {HKLM...CLSID} = "Menu Desk Bar"
     \InProcServer32\(Default) = "C:\WINNT\system32\SHELL32.dll" [MS]
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}" = "IShellFolderBand"
  -> {HKLM...CLSID} = "IShellFolderBand"
     \InProcServer32\(Default) = "C:\WINNT\system32\SHELL32.dll" [MS]
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}" = "&Links"
  -> {HKLM...CLSID} = "&Links"
     \InProcServer32\(Default) = "C:\WINNT\system32\SHELL32.dll" [MS]
"{7487cd30-f71a-11d0-9ea7-00805f714772}" = "Thumbnail Image"
  -> {HKLM...CLSID} = "Background Thumbnail Generator"
     \InProcServer32\(Default) = "C:\WINNT\system32\SHELL32.dll" [MS]
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}" = "Thumbnails"
  -> {HKLM...CLSID} = "Thumbnails"
     \InProcServer32\(Default) = "C:\WINNT\System32\thumbvw.dll" [file not found]
"{1AEB1360-5AFC-11D0-B806-00C04FD706EC}" = "Office Graphics Filters Thumbnail Extractor"
  -> {HKLM...CLSID} = "Office Graphics Filters Thumbnail Extractor"
     \InProcServer32\(Default) = "C:\WINNT\System32\thumbvw.dll" [file not found]
"{450D8FBA-AD25-11D0-98A8-0800361B1103}" = "MyDocs Folder"
  -> {HKLM...CLSID} = "My Documents"
     \InProcServer32\(Default) = "C:\WINNT\system32\SHELL32.dll" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {HKLM...CLSID} = "Microsoft Office Outlook"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Outlook File Icon Extension"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{BB7DF450-F119-11CD-8465-00AA00425D90}" = "Microsoft Access Custom Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\msaccrt\Access 97\soa800.dll" [MS]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
  -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
  -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.65 Context Menu Shell Extension"
  -> {HKLM...CLSID} = "WinAceContext Menu Extension"
     \InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.65 DragDrop Shell Extension"
  -> {HKLM...CLSID} = "WinAceDrag-Drop Extension"
     \InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.65 Context Menu Shell Extension"
  -> {HKLM...CLSID} = "WinAceContext Menu (Add) Extension"
     \InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.65 Property Sheet Shell Extension"
  -> {HKLM...CLSID} = "WinAceProperty Sheet Extension"
     \InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
  -> {HKLM...CLSID} = "Universal Plug and Play Devices"
     \InProcServer32\(Default) = "C:\WINNT\system32\upnpui.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {HKLM...CLSID} = "Portable Media Devices Menu"
     \InProcServer32\(Default) = "C:\WINNT\system32\Audiodev.dll" [MS]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
  -> {HKLM...CLSID} = "SimpleShlExt Class"
     \InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
  -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
     \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
  -> {HKLM...CLSID} = "AVG7 Find Extension Class"
     \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{0F01FF26-18F5-4613-BFD6-14DE2FBA24C3}" = "*b" (unwritable string)
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINNT\system32\mljkljh.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
  -> {HKLM...CLSID} = "WPDShServiceObj Class"
     \InProcServer32\(Default) = "C:\WINNT\system32\WPDShServiceObj.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<<!>> ddcya\DLLName = "C:\WINNT\system32\ddcya.dll" [file not found]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
  -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
{7f9609be-af9a-11d1-83e0-00c04fb6e984}\(Default) = "Fax Tiff Data Column Provider"
  -> {HKLM...CLSID} = "Fax Tiff Data Column Provider"
     \InProcServer32\(Default) = "C:\WINNT\system32\faxshell.dll" [file not found]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
  -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
     \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
  -> {HKLM...CLSID} = "WinAceContext Menu (Add) Extension"
     \InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
  -> {HKLM...CLSID} = "WinAceContext Menu (Add) Extension"
     \InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
  -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
     \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
Library\(Default) = "{54F51408-DD44-4a12-82EF-519AD2A80DE9}"
  -> {HKLM...CLSID} = "Media Library Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\ATI Multimedia\mlibrary\MLShell.dll" ["ATI Technologies Inc."]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
#4
Silent Runners part 2 of 2
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINNT\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Jason\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINNT\System32\logon.scr" [MS]


Enabled Scheduled Tasks:
------------------------

"McDefragTask" -> launches: "c:\program files\mcafee\mqc\QcConsol.exe "C:\WINNT\system32\defrag.exe" C: -f" ["McAfee, Inc."]
"McQcTask" -> launches: "c:\program files\mcafee\mqc\QcConsol.exe 14 0" ["McAfee, Inc."]
"User_Feed_Synchronization-{1F5CF007-A933-421B-AF4E-787580ADC389}" -> launches: "C:\WINNT\system32\msfeedssync.exe sync" [MS]
"XoftSpy" -> launches: "C:\Program Files\XoftSpy\XoftSpy.exe -t" ["ParetoLogic Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{BA52B914-B692-46C4-B683-905236F6F655}" = "McAfee VirusScan"
  -> {HKLM...CLSID} = "McAfee VirusScan"
     \InProcServer32\(Default) = "c:\progra~1\mcafee.com\vso\mcvsshl.dll" ["McAfee, Inc."]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{44226DFF-747E-4EDC-B30C-78752E50CD0C}\(Default) = "&ATI TV"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL" ["ATI Technologies Inc."]

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in 1.5.0_11"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_11"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll" ["Sun Microsystems, Inc."]

{44226DFF-747E-4EDC-B30C-78752E50CD0C}\
"ButtonText" = "ATI TV"

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINNT\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe" ["GRISOFT, s.r.o."]
McAfee HackerWatch Service, McAfee HackerWatch Service, ""C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe"" ["McAfee, Inc."]
McAfee Log Manager, McLogManagerService, "C:\PROGRA~1\McAfee\MSC\mclogsrv.exe" ["McAfee, Inc."]
McAfee Network Agent, McNASvc, ""c:\program files\common files\mcafee\mna\mcnasvc.exe"" ["McAfee, Inc."]
McAfee Personal Firewall Service, MpfService, ""C:\Program Files\McAfee\MPF\MPFSrv.exe"" ["McAfee, Inc."]
McAfee Privacy Service, MPS9, "C:\PROGRA~1\McAfee\MPS\mps.exe" ["McAfee, Inc."]
McAfee Protection Manager, mcpromgr, "C:\PROGRA~1\McAfee\MSC\mcpromgr.exe" ["McAfee, Inc."]
McAfee Proxy Service, McProxy, "c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe" ["McAfee, Inc."]
McAfee Redirector Service, McRedirector, "c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe" ["McAfee, Inc."]
McAfee Task Scheduler, McTskshd.exe, "C:\PROGRA~1\McAfee\MSC\mctskshd.exe" ["McAfee, Inc."]
McAfee Update Manager, mcmispupdmgr, "C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe" ["McAfee, Inc."]
McAfee User Manager, mcusrmgr, "C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe" ["McAfee, Inc."]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at the
  first message box and "Yes" at the second message box.
---------- (total run time: 50 seconds, including 6 seconds for message boxes)
#5
Howdy redayejones,
Looks like all this posting activity gave the thread the appearance of repairs in progress here. Infection is showing here, so let's start those repairs.

You have downloaded the Trend beta version of HijackThis v2, which still has bugs to work out and is not what we will be using here. Please uninstall that, and download HijackThis from Here. Then click on the downloaded file and install HijackThis.

Download VundoFix.exe to your desktop.

* Double-click VundoFix.exe to run it.
* Click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files; click YES.
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer; click OK.
* Please post the contents of C:\vundofix.txt.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

After the reboot, disable your antivirus program and go here and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX Control has loaded, click on "Click here to scan" and grab a coffee. When BitDefender completes the scan, select the "Detected Problems" tab. Click on "Click here to export scan". Save the file as an HTML to your Desktop. Then click on the saved file and allow it to open with your browser. Go to Edit - Select All. Then copy/paste that log back here.

Also download combofix.exe. Double click combofix.exe & follow the prompts. A window will open with a warning. Type "Y" (and Enter) to start the fix. When the scan completes it will open a text window. Please copy/paste that log back here. A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

And post that, the VundoFix log, the BitDefender log and new HijackThis and Silent Runners logs please.
#6
Tom, thanks so much for your reply! I apologize for the delay.
Combofix only gave two lines of text. "Jason" - 07-03-18 19:03:37 Service Pack 2 ComboFix 07-03-15.2 - Running from: "C:\Documents and Settings\Jason\Desktop" VundoFix V6.3.16 Checking Java version... Java version is 1.5.0.3 Old versions of java are exploitable and should be removed. Java version is 1.5.0.6 Old versions of java are exploitable and should be removed. Java version is 1.5.0.9 Old versions of java are exploitable and should be removed. Java version is 1.5.0.10 Java version is 1.5.0.11 Scan started at 4:51:30 PM 3/18/2007 Listing files found while scanning.... C:\WINNT\system32\aycdd.ini C:\WINNT\system32\ddcya.dll C:\WINNT\system32\mljkljh.dll C:\WINNT\system32\ndlpxjxh.exe Beginning removal... Attempting to delete C:\WINNT\system32\aycdd.ini C:\WINNT\system32\aycdd.ini Has been deleted! Attempting to delete C:\WINNT\system32\ndlpxjxh.exe C:\WINNT\system32\ndlpxjxh.exe Has been deleted! Performing Repairs to the registry. Done! BitDefender Online Scanner Scan report generated at: Sun, Mar 18, 2007 - 18:55:48 Scan path: C:\;D:\;E:\;F:\;G:\; Statistics Time 01:37:46 Files 422295 Folders 17833 Boot Sectors 4 Archives 1088 Packed Files 1106 Results Identified Viruses 1 Infected Files 4 Suspect Files 1 Warnings 0 Disinfected 0 Deleted Files 5 Engines Info Virus Definitions 27245 Engine build AVCORE v1.0 (build 2397) (i386) (Feb 8 2007 14:24:08) Scan plugins 1 Archive plugins 10 Unpack plugins 1 E-mail plugins 0 System plugins 1 Scan Settings First Action Disinfect Second Action Delete Heuristics Yes Enable Warnings Yes Scanned Extensions *; Exclude Extensions Scan Emails Yes Scan Archives Yes Scan Packed Yes Scan Files Yes Scan Boot Yes Scanned File Status C:\Documents and Settings\Jason\Local Settings\Temp\sta118.exeInfected with: Trojan.FatObfus.Gen C:\Documents and Settings\Jason\Local Settings\Temp\sta118.exe Disinfection failed C:\Documents and Settings\Jason\Local Settings\Temp\sta118.exe Deleted C:\System Volume 
Information\_restore{3C267F8C-F265-4D0C-9385-1775BD57FB03}\RP436\A0076721.exe Infected with: Trojan.FatObfus.Gen C:\System Volume Information\_restore{3C267F8C-F265-4D0C-9385-1775BD57FB03}\RP436\A0076721.exe Disinfection failed C:\System Volume Information\_restore{3C267F8C-F265-4D0C-9385-1775BD57FB03}\RP436\A0076721.exe Deleted C:\System Volume Information\_restore{3C267F8C-F265-4D0C-9385-1775BD57FB03}\RP436\A0076723.exe Infected with: Trojan.FatObfus.Gen C:\System Volume Information\_restore{3C267F8C-F265-4D0C-9385-1775BD57FB03}\RP436\A0076723.exe Disinfection failed C:\System Volume Information\_restore{3C267F8C-F265-4D0C-9385-1775BD57FB03}\RP436\A0076723.exe Deleted C:\System Volume Information\_restore{3C267F8C-F265-4D0C-9385-1775BD57FB03}\RP436\A0076725.exe Infected with: Trojan.FatObfus.Gen C:\System Volume Information\_restore{3C267F8C-F265-4D0C-9385-1775BD57FB03}\RP436\A0076725.exe Disinfection failed C:\System Volume Information\_restore{3C267F8C-F265-4D0C-9385-1775BD57FB03}\RP436\A0076725.exe Deleted D:\System Volume Information\_restore{554A954A-A21C-4D5F-924D-4B5E56E7C5F0}\RP50\A0062088.exe Suspected of: BehavesLike:Trojan.Downloader D:\System Volume Information\_restore{554A954A-A21C-4D5F-924D-4B5E56E7C5F0}\RP50\A0062088.exe Disinfection failed D:\System Volume Information\_restore{554A954A-A21C-4D5F-924D-4B5E56E7C5F0}\RP50\A0062088.exe Deleted Logfile of HijackThis v1.99.1 Scan saved at 19:21, on 07-03-18 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16414) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\Ati2evxx.exe C:\WINNT\system32\svchost.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\Ati2evxx.exe C:\WINNT\Explorer.EXE C:\WINNT\system32\spoolsv.exe C:\Program Files\McAfee.com\VSO\mcvsshld.exe C:\Program Files\McAfee.com\VSO\oasclnt.exe C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe C:\Program 
Files\Saitek\Software\ProfilerU.exe C:\Program Files\Saitek\Software\SaiMfd.exe C:\WINNT\CTHELPER.EXE C:\PROGRA~1\mcafee.com\agent\mcagent.exe c:\progra~1\mcafee.com\vso\mcvsescn.exe C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE C:\Program Files\ATI Multimedia\main\ATIDtct.EXE C:\Program Files\ATI Multimedia\main\ATISched.EXE C:\WINNT\system32\ctfmon.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe C:\PROGRA~1\McAfee\MSC\mclogsrv.exe C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe c:\program files\common files\mcafee\mna\mcnasvc.exe C:\PROGRA~1\McAfee\MSC\mcpromgr.exe c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe c:\PROGRA~1\mcafee.com\vso\mcshield.exe C:\PROGRA~1\McAfee\MSC\mctskshd.exe C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe C:\Program Files\McAfee\MPF\MPFSrv.exe C:\WINNT\system32\svchost.exe C:\PROGRA~1\McAfee\MPS\mps.exe C:\Program Files\McAfee\MPS\mpsevh.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\NOTEPAD.EXE C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/explore.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/explore.html O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: (no name) - {64073547-D816-495E-B269-D0DEAD8A5A15} - C:\WINNT\system32\ddccd.dll 
(file missing) O2 - BHO: (no name) - {7275767B-48BC-4AD7-A5E5-DA4AB990C383} - C:\WINNT\system32\mllml.dll (file missing) O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O2 - BHO: (no name) - {BFF529B1-2268-41D4-B3B3-031E0101CAAE} - C:\WINNT\system32\ddcya.dll (file missing) O2 - BHO: McAfee Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - c:\program files\mcafee\mps\mcpopup.dll O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\ProfilerU.exe O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\Software\SaiMfd.exe O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE O4 - HKCU\..\Run: [Pinnacle Game Profiler] "C:\Program Files\KALiNKOsoft\Pinnacle Game Profiler\pinnacle.exe" -atboottime O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe O8 - Extra context menu item: E&xport to Microsoft Excel - 
res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://download.mcafee.com/molbin/Sh...2/ComCtl32.cab O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/do...e_Inst_Win.cab O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - 
http://download.mcafee.com/molbin/sh...1/mcinsctl.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1149580080171 O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://comcast.oberon-media.com/onli...h.1.0.0.80.cab O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15023/CTPID.cab O20 - Winlogon Notify: ddccd - C:\WINNT\ O20 - Winlogon Notify: ddcya - C:\WINNT\system32\ddcya.dll (file missing) O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. 
- C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
#7
Silentrunners 1 of 2
"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATI Launchpad" = "(empty string)" [file not found]
"ATI DeviceDetect" = "C:\Program Files\ATI Multimedia\main\ATIDtct.EXE" ["ATI Technologies Inc."]
"ATI Scheduler" = "C:\Program Files\ATI Multimedia\main\ATISched.EXE" ["ATI Technologies Inc."]
"Pinnacle Game Profiler" = ""C:\Program Files\KALiNKOsoft\Pinnacle Game Profiler\pinnacle.exe" -atboottime" [file not found]
"ctfmon.exe" = "C:\WINNT\system32\ctfmon.exe" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"VSOCheckTask" = ""C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask" ["McAfee, Inc."]
"VirusScan Online" = "C:\Program Files\McAfee.com\VSO\mcvsshld.exe" ["McAfee, Inc."]
"OASClnt" = "C:\Program Files\McAfee.com\VSO\oasclnt.exe" ["McAfee, Inc."]
"NWEReboot" = "(empty string)" [file not found]
"NeroFilterCheck" = "C:\WINNT\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"Profiler" = "C:\Program Files\Saitek\Software\ProfilerU.exe" ["Saitek"]
"SaiMfd" = "C:\Program Files\Saitek\Software\SaiMfd.exe" ["Saitek"]
"ATICCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"" [null data]
"CTHelper" = "CTHELPER.EXE" ["Creative Technology Ltd"]
"CTxfiHlp" = "CTXFIHLP.EXE" ["Creative Technology Ltd"]
"CloneCDTray" = ""C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s" ["SlySoft, Inc."]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"UserFaultCheck" = "C:\WINNT\system32\dumprep 0 -u"

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
     \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
{64073547-D816-495E-B269-D0DEAD8A5A15}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINNT\system32\ddccd.dll" [file not found]
{7275767B-48BC-4AD7-A5E5-DA4AB990C383}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINNT\system32\mllml.dll" [file not found]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll" ["Sun Microsystems, Inc."]
{BFF529B1-2268-41D4-B3B3-031E0101CAAE}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINNT\system32\ddcya.dll" [file not found]
{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}\(Default) = "McAfee Popup Blocker"
  -> {HKLM...CLSID} = "CPub Object"
     \InProcServer32\(Default) = "c:\program files\mcafee\mps\mcpopup.dll" ["McAfee, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {HKLM...CLSID} = "Display Panning CPL Extension"
     \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{5b4dae26-b807-11d0-9815-00c04fd91972}" = "Menu Band"
  -> {HKLM...CLSID} = "Menu Band"
     \InProcServer32\(Default) = "C:\WINNT\system32\SHELL32.dll" [MS]
"{8278F931-2A3E-11d2-838F-00C04FD918D0}" = "Tracking Shell Menu"
  -> {HKLM...CLSID} = "Tracking Shell Menu"
     \InProcServer32\(Default) = "C:\WINNT\system32\SHELL32.dll" [MS]
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}" = "Menu Site"
  -> {HKLM...CLSID} = "Menu Site"
     \InProcServer32\(Default) = "C:\WINNT\system32\SHELL32.dll" [MS]
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}" = "Menu Desk Bar"
  -> {HKLM...CLSID} = "Menu Desk Bar"
     \InProcServer32\(Default) = "C:\WINNT\system32\SHELL32.dll" [MS]
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}" = "IShellFolderBand"
  -> {HKLM...CLSID} = "IShellFolderBand"
     \InProcServer32\(Default) = "C:\WINNT\system32\SHELL32.dll" [MS]
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}" = "&Links"
  -> {HKLM...CLSID} = "&Links"
     \InProcServer32\(Default) = "C:\WINNT\system32\SHELL32.dll" [MS]
"{7487cd30-f71a-11d0-9ea7-00805f714772}" = "Thumbnail Image"
  -> {HKLM...CLSID} = "Background Thumbnail Generator"
     \InProcServer32\(Default) = "C:\WINNT\system32\SHELL32.dll" [MS]
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}" = "Thumbnails"
  -> {HKLM...CLSID} = "Thumbnails"
     \InProcServer32\(Default) = "C:\WINNT\System32\thumbvw.dll" [file not found]
"{1AEB1360-5AFC-11D0-B806-00C04FD706EC}" = "Office Graphics Filters Thumbnail Extractor"
  -> {HKLM...CLSID} = "Office Graphics Filters Thumbnail Extractor"
     \InProcServer32\(Default) = "C:\WINNT\System32\thumbvw.dll" [file not found]
"{450D8FBA-AD25-11D0-98A8-0800361B1103}" = "MyDocs Folder"
  -> {HKLM...CLSID} = "My Documents"
     \InProcServer32\(Default) = "C:\WINNT\system32\SHELL32.dll" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {HKLM...CLSID} = "Microsoft Office Outlook"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Outlook File Icon Extension"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{BB7DF450-F119-11CD-8465-00AA00425D90}" = "Microsoft Access Custom Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\msaccrt\Access 97\soa800.dll" [MS]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
  -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
  -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.65 Context Menu Shell Extension"
  -> {HKLM...CLSID} = "WinAceContext Menu Extension"
     \InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.65 DragDrop Shell Extension"
  -> {HKLM...CLSID} = "WinAceDrag-Drop Extension"
     \InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.65 Context Menu Shell Extension"
  -> {HKLM...CLSID} = "WinAceContext Menu (Add) Extension"
     \InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.65 Property Sheet Shell Extension"
  -> {HKLM...CLSID} = "WinAceProperty Sheet Extension"
     \InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
  -> {HKLM...CLSID} = "Universal Plug and Play Devices"
     \InProcServer32\(Default) = "C:\WINNT\system32\upnpui.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {HKLM...CLSID} = "Portable Media Devices Menu"
     \InProcServer32\(Default) = "C:\WINNT\system32\Audiodev.dll" [MS]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
  -> {HKLM...CLSID} = "SimpleShlExt Class"
     \InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
  -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
     \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
  -> {HKLM...CLSID} = "AVG7 Find Extension Class"
     \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
  -> {HKLM...CLSID} = "WPDShServiceObj Class"
     \InProcServer32\(Default) = "C:\WINNT\system32\WPDShServiceObj.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<<!>> ddcya\DLLName = "C:\WINNT\system32\ddcya.dll" [file not found]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
  -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
{7f9609be-af9a-11d1-83e0-00c04fb6e984}\(Default) = "Fax Tiff Data Column Provider"
  -> {HKLM...CLSID} = "Fax Tiff Data Column Provider"
     \InProcServer32\(Default) = "C:\WINNT\system32\faxshell.dll" [file not found]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
  -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
     \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
  -> {HKLM...CLSID} = "WinAceContext Menu (Add) Extension"
     \InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
  -> {HKLM...CLSID} = "WinAceContext Menu (Add) Extension"
     \InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
  -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
     \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
Library\(Default) = "{54F51408-DD44-4a12-82EF-519AD2A80DE9}"
  -> {HKLM...CLSID} = "Media Library Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\ATI Multimedia\mlibrary\MLShell.dll" ["ATI Technologies Inc."]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
#8
Silentrunners 2 of 2
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINNT\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Jason\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINNT\System32\logon.scr" [MS]

Enabled Scheduled Tasks:
------------------------
"McDefragTask" -> launches: "c:\program files\mcafee\mqc\QcConsol.exe "C:\WINNT\system32\defrag.exe" C: -f" ["McAfee, Inc."]
"McQcTask" -> launches: "c:\program files\mcafee\mqc\QcConsol.exe 14 0" ["McAfee, Inc."]
"User_Feed_Synchronization-{1F5CF007-A933-421B-AF4E-787580ADC389}" -> launches: "C:\WINNT\system32\msfeedssync.exe sync" [MS]
"XoftSpy" -> launches: "C:\Program Files\XoftSpy\XoftSpy.exe -t" ["ParetoLogic Inc."]

Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{BA52B914-B692-46C4-B683-905236F6F655}" = "McAfee VirusScan"
  -> {HKLM...CLSID} = "McAfee VirusScan"
     \InProcServer32\(Default) = "c:\progra~1\mcafee.com\vso\mcvsshl.dll" ["McAfee, Inc."]
Explorer Bars
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
HKLM\Software\Classes\CLSID\{44226DFF-747E-4EDC-B30C-78752E50CD0C}\(Default) = "&ATI TV"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL" ["ATI Technologies Inc."]
HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in 1.5.0_11"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_11"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll" ["Sun Microsystems, Inc."]
{44226DFF-747E-4EDC-B30C-78752E50CD0C}\
"ButtonText" = "ATI TV"
{85D1F590-48F4-11D9-9669-0800200C9A66}\
"MenuText" = "Uninstall BitDefender Online Scanner v8"
"Exec" = "%windir%\bdoscandel.exe" [null data]
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"
{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Ati HotKey Poller, Ati HotKey Poller, "C:\WINNT\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe" ["GRISOFT, s.r.o."]
McAfee HackerWatch Service, McAfee HackerWatch Service, ""C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe"" ["McAfee, Inc."]
McAfee Log Manager, McLogManagerService, "C:\PROGRA~1\McAfee\MSC\mclogsrv.exe" ["McAfee, Inc."]
McAfee Network Agent, McNASvc, ""c:\program files\common files\mcafee\mna\mcnasvc.exe"" ["McAfee, Inc."]
McAfee Personal Firewall Service, MpfService, ""C:\Program Files\McAfee\MPF\MPFSrv.exe"" ["McAfee, Inc."]
McAfee Privacy Service, MPS9, "C:\PROGRA~1\McAfee\MPS\mps.exe" ["McAfee, Inc."]
McAfee Protection Manager, mcpromgr, "C:\PROGRA~1\McAfee\MSC\mcpromgr.exe" ["McAfee, Inc."]
McAfee Proxy Service, McProxy, "c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe" ["McAfee, Inc."]
McAfee Redirector Service, McRedirector, "c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe" ["McAfee, Inc."]
McAfee Task Scheduler, McTskshd.exe, "C:\PROGRA~1\McAfee\MSC\mctskshd.exe" ["McAfee, Inc."]
McAfee Update Manager, mcmispupdmgr, "C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe" ["McAfee, Inc."]
McAfee User Manager, mcusrmgr, "C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe" ["McAfee, Inc."]
McAfee.com McShield, McShield, "c:\PROGRA~1\mcafee.com\vso\mcshield.exe" ["McAfee Inc."]

Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]

----------
<<!>>: Suspicious data at a malware launch point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer "No" at the first message box and "Yes" at the second message box.
----------
(total run time: 43 seconds, including 4 seconds for message boxes)
#9
Looks like it got a good bit there. Do me a favor and don't switch to bold script like that - difficult to review here and I don't want to miss anything. I have a feeling maybe McAfee was involved in ComboFix's not producing a log, but we'll do more and see. Be sure to completely disable McAfee for these repairs please.
Open Notepad (Start - Programs - Accessories) and copy the following text into a new file: Code:
cd %windir%
attrib -s -h -r system32\cmd.com
attrib -s -h -r system32\netstat.com
attrib -s -h -r system32\ping.com
attrib -s -h -r system32\regedit.com
attrib -s -h -r system32\taskkill.com
attrib -s -h -r system32\tasklist.com
attrib -s -h -r system32\tracert.com
del system32\cmd.com
del system32\netstat.com
del system32\ping.com
del system32\regedit.com
del system32\taskkill.com
del system32\tasklist.com
del system32\tracert.com

Then double-click on remove.bat. A window should open and close fairly quickly --- this is normal. Try ComboFix again, and post the log if produced this time.

Close Internet Explorer and all running programs and run a scan in HijackThis. Place a check next to all of the following lines, then select "Fix Checked" and close HijackThis.

O2 - BHO: (no name) - {64073547-D816-495E-B269-D0DEAD8A5A15} - C:\WINNT\system32\ddccd.dll (file missing)
O2 - BHO: (no name) - {7275767B-48BC-4AD7-A5E5-DA4AB990C383} - C:\WINNT\system32\mllml.dll (file missing)
O2 - BHO: (no name) - {BFF529B1-2268-41D4-B3B3-031E0101CAAE} - C:\WINNT\system32\ddcya.dll (file missing)
O20 - Winlogon Notify: ddccd - C:\WINNT\
O20 - Winlogon Notify: ddcya - C:\WINNT\system32\ddcya.dll (file missing)

Go Here and download ATF cleaner. Click on the downloaded file to run it, and select "Select All", then click Empty Selected (and close ATF). If you have them, also click on Firefox/Opera at the top and repeat the steps (and close ATF). Firefox/Opera will need to be closed first for the cleaning to be effective.

Then reboot, and Go here for an online AV scan (requires IE to run). If your AV alerts you while the scan installs ignore this - Panda's Active Scan method is often mistaken for infection activity. Scan "Local Disks" and when finished save the scan log and then post the log here. To save the log first select the See Report button, then select the Save report button, and post that log back here, along with the ComboFix log and a new HijackThis log please.
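The remove.bat above works because of how Windows picks a file for a bare command name: cmd.exe tries each extension in PATHEXT in order, and the default PATHEXT lists .COM before .EXE, so a planted system32\ping.com runs in place of ping.exe. The following Python is an added example (not from the thread or any tool named in it) that checks a directory for exactly that shadowing pattern; it scans a constructed temporary folder rather than a real system32.

```python
"""Detect .com files that shadow same-named .exe tools in a Windows
system directory (the pattern the thread's remove.bat cleans up).

Added example, not from the original thread. Windows resolves a bare
command name by trying each PATHEXT extension in order; the default
PATHEXT lists .COM before .EXE, so a dropped system32\\ping.com runs
whenever someone types "ping". The directory scanned below is a
constructed temporary folder, not a real system32.
"""
import os
import tempfile

# Default PATHEXT on Windows XP; note that .COM precedes .EXE.
DEFAULT_PATHEXT = ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC"

# The tools whose .com twins the thread's remove.bat deletes.
WATCHED_TOOLS = ("cmd", "netstat", "ping", "regedit",
                 "taskkill", "tasklist", "tracert")


def resolve_command(name, files, pathext=DEFAULT_PATHEXT):
    """Return the file name the shell would run for the bare command
    `name`, given the file names present in one directory, or None.

    Mirrors cmd.exe's rule for a name without an extension: try
    name + ext for each PATHEXT entry in order; the first hit wins.
    Matching is case-insensitive, as on Windows.
    """
    lower = {f.lower(): f for f in files}
    for ext in pathext.split(";"):
        candidate = (name + ext).lower()
        if candidate in lower:
            return lower[candidate]
    return None


def find_shadowing_com_files(directory, tools=WATCHED_TOOLS):
    """Return the sorted .com file names in `directory` that would run
    instead of the legitimate .exe with the same base name.

    os.listdir also returns files marked hidden/system with attrib, so
    the +s +h trick used on the planted files does not hide them here.
    """
    files = os.listdir(directory)
    lower = {f.lower() for f in files}
    hits = []
    for tool in tools:
        com, exe = tool + ".com", tool + ".exe"
        if com in lower and exe in lower:
            # Confirm that the resolution order really favours the .com.
            if resolve_command(tool, files).lower() == com:
                hits.append(com)
    return sorted(hits)


def build_sample_dir():
    """Constructed sample: a fake system32 holding the legitimate .exe
    files plus three planted .com twins. Returns the directory path."""
    d = tempfile.mkdtemp(prefix="fake_system32_")
    for tool in WATCHED_TOOLS:
        open(os.path.join(d, tool + ".exe"), "wb").close()
    for planted in ("cmd.com", "ping.com", "regedit.com"):
        open(os.path.join(d, planted), "wb").close()
    # An unrelated .com with no .exe twin must not be reported.
    open(os.path.join(d, "readme.com"), "wb").close()
    return d


def main():
    d = build_sample_dir()
    hits = find_shadowing_com_files(d)
    for com in hits:
        print(f"{com} shadows {com[:-4]}.exe in {d}")
    print(f"typing 'ping' here would run: {resolve_command('ping', os.listdir(d))}")
    return hits


if __name__ == "__main__":
    main()
```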
#10
Sorry about that bold type...didn't mean to do it.
Incident Status Location Potentially unwanted tool:Application/VSToolbar Not disinfected C:\VundoFix Backups\ndlpxjxh.exe.bad Virus:Trj/Multidropper.BAN Disinfected D:\System Volume Information\_restore{A234EB93-3152-4415-B61C-351903E790EB}\RP618\A0108429.exe "Jason" - 07-03-19 1:59:43 Service Pack 2 ComboFix 07-03-15.2 - Running from: "C:\Documents and Settings\Jason\Desktop" ((((((((((((((((((((((((((((((( Files Created from 2007-02-19 to 2007-03-19 )))))))))))))))))))))))))))))))))) 2007-03-18 23:47 <DIR> d-------- C:\WINNT\system32\ActiveScan 2007-03-18 23:47 <DIR> d-------- C:\WINNT\LastGood 2007-03-18 19:02 <DIR> d-------- C:\rename_this_folder_back_to_ComboFix_ 2007-03-18 17:15 <DIR> d-------- C:\WINNT\BDOSCAN8 2007-03-18 16:51 <DIR> d-------- C:\VundoFix Backups 2007-03-16 17:08 <DIR> d-------- C:\Program Files\AOL Games 2007-03-16 09:08 <DIR> d-------- C:\Program Files\Gamenext 2007-03-14 10:45 1,136,149 ---hs---- C:\WINNT\system32\lmllm.bak2 2007-03-12 10:45 1,144,847 ---hs---- C:\WINNT\system32\lmllm.bak1 2007-03-09 12:24 <DIR> d-------- C:\DOCUME~1\Jason\APPLIC~1\Google 2007-03-09 12:22 <DIR> d-------- C:\Program Files\Google 2007-03-05 15:11 <DIR> d-------- C:\Program Files\Virtual Villagers - The Lost Children 2007-03-03 06:42 <DIR> d-------- C:\WINNT\Dream Day Wedding 2007-03-03 06:37 <DIR> d-------- C:\Program Files\Oberon Media 2007-02-26 21:58 <DIR> d-------- C:\Program Files\XoftSpy 2007-02-24 23:30 <DIR> d-------- C:\WINNT\Prefetch 2007-02-22 20:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Friends Games 2007-02-19 17:20 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\PureAmenLies (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))) 2007-03-19 00:07 -------- d-------- C:\Program Files\ati multimedia 2007-03-16 20:41 -------- d-------- C:\Program Files\emule 2007-03-16 09:57 -------- d--h----- C:\Program Files\installshield installation information 2007-03-02 05:08 -------- 
d-------- C:\Program Files\java 2007-02-22 08:20 -------- d-------- C:\Program Files\intellicast 2007-02-18 09:11 -------- d-------- C:\Program Files\thq 2007-02-12 19:17 21840 --a----t- C:\WINNT\system32\sintfnt.dll 2007-02-12 19:17 17212 --a----t- C:\WINNT\system32\sintf32.dll 2007-02-12 19:17 12067 --a----t- C:\WINNT\system32\sintf16.dll 2007-02-12 13:12 -------- d-------- C:\Program Files\ubisoft 2007-02-10 21:39 -------- d-------- C:\Program Files\slysoft 2007-02-04 16:24 -------- d-------- C:\Program Files\virtual villagers 2007-02-01 04:28 -------- d-------- C:\Program Files\pc wizard 2007 2007-02-01 03:07 -------- d-------- C:\Program Files\creative 2007-02-01 03:05 86016 --a------ C:\WINNT\system32\openal32.dll 2007-02-01 03:05 409600 --a------ C:\WINNT\system32\wrap_oal.dll 2007-02-01 02:10 -------- d-------- C:\Program Files\Common Files\systemrequirementslab 2007-01-08 20:01 17408 --a------ C:\WINNT\system32\corpol.dll 2007-01-01 12:24 14 --a------ C:\WINNT\popcinfo.dat 2006-12-20 22:05 520192 --a------ C:\WINNT\system32\ati2sgag.exe (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\run] "ATI Launchpad"="" "ATI DeviceDetect"="C:\\Program Files\\ATI Multimedia\\main\\ATIDtct.EXE" "ATI Scheduler"="C:\\Program Files\\ATI Multimedia\\main\\ATISched.EXE" "Pinnacle Game Profiler"="\"C:\\Program Files\\KALiNKOsoft\\Pinnacle Game Profiler\\pinnacle.exe\" -atboottime" "ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe" [HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\run] "Synchronization Manager"="mobsync.exe /logon" "VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\m cmnhdlr.exe\" /checktask" "VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe" "OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe" "NWEReboot"="" 
"NeroFilterCheck"="C:\\WINNT\\system32\\NeroCheck. exe" "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\"" "Profiler"="C:\\Program Files\\Saitek\\Software\\ProfilerU.exe" "SaiMfd"="C:\\Program Files\\Saitek\\Software\\SaiMfd.exe" "ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\CLIStart.exe\"" "CTHelper"="CTHELPER.EXE" "CTxfiHlp"="CTXFIHLP.EXE" "CloneCDTray"="\"C:\\Program Files\\SlySoft\\CloneCD\\CloneCDTray.exe\" /s" "AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc. exe /STARTUP" "UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f ,6f,74,25,5c,73,79,73,74,65,\ 6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00 "CleanUp"="C:\\PROGRA~1\\McAfee.com\\Shared\\mcapp ins.exe /v=3 /cleanup" [HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\run\OptionalComponents] [HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\run\OptionalComponents\IMAIL] "Installed"="1" [HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\run\OptionalComponents\MAPI] "Installed"="1" "NoChange"="1" [HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\run\OptionalComponents\MSFS] "Installed"="1" [HKEY_USERS\.default\software\microsoft\windows\cur rentversion\runonce] "^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop" "tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6 f,74,25,5c,73,79,73,74,65,6d,\ 33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00 [HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\shellserviceobjectdelayload] "UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}" "WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}" [HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\securityproviders] "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] rpcss REG_MULTI_SZ RpcSs\0\0 LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnph 
ost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0 [HKCU\Software\Microsoft\Windows\CurrentVersion\Exp lorer\MountPoints2\{27cc465d-f675-11da-ba1f-000d6191598e}] Shell\AutoRun\command H:\JDSecure\Windows\JDSecure20.exe Contents of the 'Scheduled Tasks' folder C:\WINNT\tasks\McDefragTask.job C:\WINNT\tasks\McQcTask.job C:\WINNT\tasks\User_Feed_Synchronization-{1F5CF007-A933-421B-AF4E-787580ADC389}.job C:\WINNT\tasks\XoftSpy.job ************************************************** ****************** catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006 http://www.gmer.net scanning hidden processes ... scanning hidden services ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 ************************************************** ****************** Completion time: 07-03-19 2:06:56 C:\ComboFix2.txt ... 07-03-18 23:27 C:\ComboFix3.txt ... 
07-03-18 19:03 Logfile of HijackThis v1.99.1 Scan saved at 2:08:32 AM, on 3/19/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16414) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\Ati2evxx.exe C:\WINNT\system32\svchost.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\Ati2evxx.exe C:\WINNT\system32\spoolsv.exe C:\WINNT\Explorer.EXE C:\Program Files\McAfee.com\VSO\mcvsshld.exe C:\Program Files\McAfee.com\VSO\oasclnt.exe C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe C:\Program Files\Saitek\Software\ProfilerU.exe C:\Program Files\Saitek\Software\SaiMfd.exe c:\progra~1\mcafee.com\vso\mcvsescn.exe C:\WINNT\CTHELPER.EXE C:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE C:\Program Files\ATI Multimedia\main\ATIDtct.EXE C:\Program Files\ATI Multimedia\main\ATISched.EXE C:\WINNT\system32\ctfmon.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe C:\PROGRA~1\McAfee\MSC\mclogsrv.exe C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe c:\program files\common files\mcafee\mna\mcnasvc.exe C:\PROGRA~1\McAfee\MSC\mcpromgr.exe c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe c:\PROGRA~1\mcafee.com\vso\mcshield.exe C:\PROGRA~1\McAfee\MSC\mctskshd.exe C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe C:\Program Files\McAfee\MPF\MPFSrv.exe C:\WINNT\system32\svchost.exe C:\PROGRA~1\McAfee\MPS\mps.exe C:\Program Files\McAfee\MPS\mpsevh.exe C:\WINNT\System32\svchost.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\WINNT\system32\NOTEPAD.EXE C:\Program Files\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/explore.html R1 - 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O2 - BHO: McAfee Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - c:\program files\mcafee\mps\mcpopup.dll O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\ProfilerU.exe O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\Software\SaiMfd.exe O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI 
Multimedia\main\ATIDtct.EXE O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE O4 - HKCU\..\Run: [Pinnacle Game Profiler] "C:\Program Files\KALiNKOsoft\Pinnacle Game Profiler\pinnacle.exe" -atboottime O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://download.mcafee.com/molbin/Sh...2/ComCtl32.cab O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - 
http://www.creative.com/su/ocx/15015/CTSUEng.cab O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/do...e_Inst_Win.cab O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1149580080171 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://comcast.oberon-media.com/onli...h.1.0.0.80.cab O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15023/CTPID.cab O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. 
- C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe |
#11
Looking improved, though I am not sure why you are getting that fault check showing here. Are you getting any error alerts at startup?
Your system shows Xoft as being loaded here. As a software that has been listed here in the past this is not one that I recommend keeping, especially with all the good free software available. You can just uninstall anything related to ParetoLogic and XoftSpy through Add/Remove Programs, then delete the XoftSpy folder.

Make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types".

Do a search (Start - Search/Find - Files or Folders) for the following highlighted files/folders (shown in Bold), and if found, delete them.

C:\WINNT\system32\lmllm.bak2
C:\WINNT\system32\lmllm.bak1

Run ATF Cleaner again, then Go here and run the Kaspersky online scan, and post back the log it creates (it requires IE). To use the scan, once the download has completed click Scan Settings, then make sure the "extended option" is checked (leave all others as they are) and click OK. Then click My Computer to begin the scan. Save the Report as a text file and post that back here.
#12
No error alerts at startup.
Xoftspy has been uninstalled and deleted. Hidden files are showing. The two files you mentioned were found and deleted. ATF Cleaner has been run. Kaspersky has been run. It took 4 1/2 hrs...? Here is that log. Thanks again for your time. ------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER REPORT Monday, March 19, 2007 5:24:02 PM Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600) Kaspersky Online Scanner version: 5.0.93.0 Kaspersky Anti-Virus database last update: 19/03/2007 Kaspersky Anti-Virus database records: 283341 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: C:\ D:\ E:\ F:\ G:\ Scan Statistics: Total number of scanned objects: 236285 Number of viruses found: 13 Number of infected objects: 31 Number of suspicious objects: 0 Duration of the scan process: 04:37:35 Infected Object Name / Virus Name / Last Action C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{586693BA-76C0-4BCC-A6CB-3DA1D94D1CD1}.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\McAfee.com\VSO\OASLogs\OAS.log Object is locked skipped C:\Documents and Settings\Jason\Application 
Data\Microsoft\Outlook\Outlook.srs Object is locked skipped C:\Documents and Settings\Jason\Cookies\index.dat Object is locked skipped C:\Documents and Settings\Jason\Local Settings\Application Data\ApplicationHistory\CLI.EXE.c88dbd71.ini.inuse Object is locked skipped C:\Documents and Settings\Jason\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Object is locked skipped C:\Documents and Settings\Jason\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\Jason\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\Jason\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\Jason\Local Settings\Temp\Perflib_Perfdata_728.dat Object is locked skipped C:\Documents and Settings\Jason\Local Settings\Temp\Perflib_Perfdata_8a8.dat Object is locked skipped C:\Documents and Settings\Jason\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped C:\Documents and Settings\Jason\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\Jason\NTUSER.DAT Object is locked skipped C:\Documents and Settings\Jason\NTUSER.DAT.LOG Object is locked skipped C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped 
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped C:\System Volume Information\_restore{3C267F8C-F265-4D0C-9385-1775BD57FB03}\RP413\A0067842.exe Infected: not-a-virus:AdWare.Win32.Casino.d skipped C:\System Volume Information\_restore{3C267F8C-F265-4D0C-9385-1775BD57FB03}\RP430\A0074722.exe Object is locked skipped C:\System Volume Information\_restore{3C267F8C-F265-4D0C-9385-1775BD57FB03}\RP430\A0074723.exe Object is locked skipped C:\System Volume Information\_restore{3C267F8C-F265-4D0C-9385-1775BD57FB03}\RP452\A0080919.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped C:\System Volume Information\_restore{3C267F8C-F265-4D0C-9385-1775BD57FB03}\RP452\change.log Object is locked skipped C:\VundoFix Backups\ndlpxjxh.exe.bad Infected: not-a-virus:AdWare.Win32.Agent.at skipped C:\WINNT\Debug\PASSWD.LOG Object is locked skipped C:\WINNT\SchedLgU.Txt Object is locked skipped C:\WINNT\SoftwareDistribution\EventCache\{3A78750F-611D-4816-A2D9-29CC7FF9D637}.bin Object is locked skipped C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINNT\system32\CatRoot2\edb.log Object is locked skipped 
C:\WINNT\system32\CatRoot2\tmp.edb Object is locked skipped C:\WINNT\system32\config\ACEEvent.evt Object is locked skipped C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped C:\WINNT\system32\config\default Object is locked skipped C:\WINNT\system32\config\default.LOG Object is locked skipped C:\WINNT\system32\config\Internet.evt Object is locked skipped C:\WINNT\system32\config\SAM Object is locked skipped C:\WINNT\system32\config\SAM.LOG Object is locked skipped C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped C:\WINNT\system32\config\SECURITY Object is locked skipped C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped C:\WINNT\system32\config\software Object is locked skipped C:\WINNT\system32\config\software.LOG Object is locked skipped C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped C:\WINNT\system32\config\system Object is locked skipped C:\WINNT\system32\config\system.LOG Object is locked skipped C:\WINNT\system32\drivers\dtscsi.sys Object is locked skipped C:\WINNT\system32\drivers\sptd.sys Object is locked skipped C:\WINNT\system32\drivers\sptd2781.sys Object is locked skipped C:\WINNT\system32\h323log.txt Object is locked skipped C:\WINNT\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINNT\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINNT\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINNT\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINNT\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINNT\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINNT\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINNT\Temp\sqlite_3XK9cQJduxUtX0c Object is locked skipped C:\WINNT\Temp\sqlite_6doKp7OUIKxaME0 Object is locked skipped C:\WINNT\Temp\sqlite_8Gl1bMAixEiF7Kv Object is locked skipped C:\WINNT\Temp\sqlite_CTQi9lhLcJrZsn0 Object is locked skipped 
C:\WINNT\Temp\sqlite_QIyaQsKomyvgk1u Object is locked skipped C:\WINNT\WindowsUpdate.log Object is locked skipped C:\WINNT\{00000000-00000000-0000000D-00001102-00000004-00511102}.CDF Object is locked skipped D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped D:\System Volume Information\_restore{3C267F8C-F265-4D0C-9385-1775BD57FB03}\RP361\A0062573.exe/crack.exe Infected: P2P-Worm.Win32.HappyNewYear.a skipped D:\System Volume Information\_restore{3C267F8C-F265-4D0C-9385-1775BD57FB03}\RP361\A0062573.exe/run.exe Infected: P2P-Worm.Win32.HappyNewYear.a skipped D:\System Volume Information\_restore{3C267F8C-F265-4D0C-9385-1775BD57FB03}\RP361\A0062573.exe/path.exe Infected: Trojan-Downloader.Win32.Agent.bdr skipped D:\System Volume Information\_restore{3C267F8C-F265-4D0C-9385-1775BD57FB03}\RP361\A0062573.exe ZIP: infected - 3 skipped D:\System Volume Information\_restore{3C267F8C-F265-4D0C-9385-1775BD57FB03}\RP414\A0068052.exe/data0007 Infected: not-a-virus:AdWare.Win32.Lop.bn skipped D:\System Volume Information\_restore{3C267F8C-F265-4D0C-9385-1775BD57FB03}\RP414\A0068052.exe NSIS: infected - 1 skipped D:\System Volume Information\_restore{3C267F8C-F265-4D0C-9385-1775BD57FB03}\RP414\A0068053.exe/data0007 Infected: not-a-virus:AdWare.Win32.Lop.bn skipped D:\System Volume Information\_restore{3C267F8C-F265-4D0C-9385-1775BD57FB03}\RP414\A0068053.exe NSIS: infected - 1 skipped D:\System Volume Information\_restore{3C267F8C-F265-4D0C-9385-1775BD57FB03}\RP417\A0068348.exe Object is locked skipped D:\System Volume Information\_restore{3C267F8C-F265-4D0C-9385-1775BD57FB03}\RP417\A0068376.exe/data0007 Infected: not-a-virus:AdWare.Win32.Lop.bn skipped D:\System Volume Information\_restore{3C267F8C-F265-4D0C-9385-1775BD57FB03}\RP417\A0068376.exe NSIS: infected - 1 skipped D:\System Volume Information\_restore{3C267F8C-F265-4D0C-9385-1775BD57FB03}\RP422\A0069622.exe/data0007 Infected: not-a-virus:AdWare.Win32.Lop.bn skipped D:\System Volume 
Information\_restore{3C267F8C-F265-4D0C-9385-1775BD57FB03}\RP422\A0069622.exe NSIS: infected - 1 skipped D:\System Volume Information\_restore{3C267F8C-F265-4D0C-9385-1775BD57FB03}\RP424\A0073550.exe/data0007 Infected: not-a-virus:AdWare.Win32.Lop.bn skipped D:\System Volume Information\_restore{3C267F8C-F265-4D0C-9385-1775BD57FB03}\RP424\A0073550.exe NSIS: infected - 1 skipped D:\System Volume Information\_restore{3C267F8C-F265-4D0C-9385-1775BD57FB03}\RP425\A0073577.exe/data0007 Infected: not-a-virus:AdWare.Win32.Lop.bn skipped D:\System Volume Information\_restore{3C267F8C-F265-4D0C-9385-1775BD57FB03}\RP425\A0073577.exe NSIS: infected - 1 skipped D:\System Volume Information\_restore{3C267F8C-F265-4D0C-9385-1775BD57FB03}\RP426\A0073586.exe/data0007 Infected: not-a-virus:AdWare.Win32.Lop.bn skipped D:\System Volume Information\_restore{3C267F8C-F265-4D0C-9385-1775BD57FB03}\RP426\A0073586.exe NSIS: infected - 1 skipped D:\System Volume Information\_restore{3C267F8C-F265-4D0C-9385-1775BD57FB03}\RP426\A0073587.exe Object is locked skipped D:\System Volume Information\_restore{3C267F8C-F265-4D0C-9385-1775BD57FB03}\RP452\change.log Object is locked skipped D:\System Volume Information\_restore{A234EB93-3152-4415-B61C-351903E790EB}\RP604\A0106933.exe/irsetup.dat Infected: P2P-Worm.Win32.Insta.a skipped D:\System Volume Information\_restore{A234EB93-3152-4415-B61C-351903E790EB}\RP604\A0106933.exe/upd.exe Infected: not-a-virus:RiskTool.Win32.PsKill.1101 skipped D:\System Volume Information\_restore{A234EB93-3152-4415-B61C-351903E790EB}\RP604\A0106933.exe/cmdo.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped D:\System Volume Information\_restore{A234EB93-3152-4415-B61C-351903E790EB}\RP604\A0106933.exe/username.exe Infected: not-a-virus:AdWare.Win32.EliteBar.ba skipped D:\System Volume Information\_restore{A234EB93-3152-4415-B61C-351903E790EB}\RP604\A0106933.exe/smmss.exe Infected: not-a-virus:AdWare.Win32.EZula.bg skipped D:\System Volume 
Information\_restore{A234EB93-3152-4415-B61C-351903E790EB}\RP604\A0106933.exe/cheat_plugin.exe/data0001 Infected: Trojan-Downloader.Win32.IstBar.ja skipped D:\System Volume Information\_restore{A234EB93-3152-4415-B61C-351903E790EB}\RP604\A0106933.exe/cheat_plugin.exe/data0003 Infected: Trojan-Downloader.Win32.IstBar.ny skipped D:\System Volume Information\_restore{A234EB93-3152-4415-B61C-351903E790EB}\RP604\A0106933.exe/cheat_plugin.exe Infected: Trojan-Downloader.Win32.IstBar.ny skipped D:\System Volume Information\_restore{A234EB93-3152-4415-B61C-351903E790EB}\RP604\A0106933.exe/expIorer.exe Infected: Trojan-Dropper.Win32.Pakes skipped D:\System Volume Information\_restore{A234EB93-3152-4415-B61C-351903E790EB}\RP604\A0106933.exe SetupFactory: infected - 9 skipped Scan process completed.
#13
Looking good - normally locked functions, files we deleted already and System Restore infection we are about to clear out. Could you give me info on some "sqlite" activity showing in your temp folders? Some part of SQL server activity I am sensing, but I would like to be sure on things showing here. But not necessarily infection or some bad activity that I can tell.
Please go here and download ComboScan to your Desktop. Close all open programs and windows and double-click on ComboScan.exe to run it and follow the prompts. When the scan is complete, a file will open (C:\ComboScan.txt). A folder (C:\ComboScan) will also open. Inside it will be two text files, ComboScan.txt and Supplementary.txt. Please copy the contents of each file in your next reply to this topic.
Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe access.
What ComboScan will do:
* create a new System Restore point in Windows XP and Vista.
* clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
* check some important areas of your system and produce a report for your Helper to review.
ComboScan automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.
And go here for an online AV scan (requires IE to run). If your AV alerts you while the scan installs ignore this - Panda's Active Scan method is often mistaken for infection activity. Scan "Local Disks" and when finished save the scan log and then post the log here. To save the log first select the See Report button, then select the Save report button, and post that log back here.
#14
ComboScan 1 of 2
You lost me at "sqlite" activity. I'm not sure what that is as I don't recall ever hearing about or seeing it before. If you care to elaborate I'll do my best to tell you what you want to know.
Here are the three logs. ComboScan v20070306.20 run by Jason on 2007-03-19 at 22:31:09 Computer is in Normal Mode. -------------------------------------------------------------------------------- -- System Restore -------------------------------------------------------------- Successfully created ComboScan Restore Point. -- Last 5 Restore Point(s) -- 107: 2007-03-20 03:31:14 UTC - RP454 - ComboScan Restore Point 106: 2007-03-20 01:48:41 UTC - RP453 - System Checkpoint 105: 2007-03-18 21:20:22 UTC - RP452 - System Checkpoint 104: 2007-03-17 19:48:34 UTC - RP451 - System Checkpoint 103: 2007-03-16 17:54:06 UTC - RP450 - Installé Rise Of Legends -- First Restore Point -- 1: 2006-12-20 23:27:30 UTC - RP348 - System Checkpoint Performed disk cleanup. -- HijackThis (run as Jason.exe) ----------------------------------------------- Logfile of HijackThis v1.99.1 Scan saved at 10:31:26 PM, on 3/19/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16414) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\Ati2evxx.exe C:\WINNT\system32\svchost.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\Ati2evxx.exe C:\WINNT\system32\spoolsv.exe C:\WINNT\Explorer.EXE C:\Program Files\McAfee.com\VSO\mcvsshld.exe C:\Program Files\McAfee.com\VSO\oasclnt.exe C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe C:\Program Files\Saitek\Software\ProfilerU.exe C:\Program Files\Saitek\Software\SaiMfd.exe c:\progra~1\mcafee.com\vso\mcvsescn.exe C:\WINNT\CTHELPER.EXE C:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE C:\Program Files\ATI Multimedia\main\ATIDtct.EXE C:\Program Files\ATI Multimedia\main\ATISched.EXE C:\WINNT\system32\ctfmon.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe C:\PROGRA~1\McAfee\MSC\mclogsrv.exe 
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe c:\program files\common files\mcafee\mna\mcnasvc.exe C:\PROGRA~1\McAfee\MSC\mcpromgr.exe c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe c:\PROGRA~1\mcafee.com\vso\mcshield.exe C:\PROGRA~1\McAfee\MSC\mctskshd.exe C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe C:\Program Files\McAfee\MPF\MPFSrv.exe C:\WINNT\system32\svchost.exe C:\PROGRA~1\McAfee\MPS\mps.exe C:\Program Files\McAfee\MPS\mpsevh.exe C:\WINNT\System32\svchost.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Documents and Settings\Jason\Desktop\comboscan.exe C:\PROGRA~1\HIJACK~1\Jason.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/explore.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O2 - BHO: McAfee Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - c:\program files\mcafee\mps\mcpopup.dll O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program 
Files\Java\jre1.5.0_11\bin\jusched.exe" O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\ProfilerU.exe O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\Software\SaiMfd.exe O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE O4 - HKCU\..\Run: [Pinnacle Game Profiler] "C:\Program Files\KALiNKOsoft\Pinnacle Game Profiler\pinnacle.exe" -atboottime O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file 
missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://download.mcafee.com/molbin/Sh...2/ComCtl32.cab O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/do...e_Inst_Win.cab O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1149580080171 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - 
http://comcast.oberon-media.com/onli...h.1.0.0.80.cab O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15023/CTPID.cab O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. 
- C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe -- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~1\backups\) -------------------- backup-20070318-233441-549 O2 - BHO: (no name) - {BFF529B1-2268-41D4-B3B3-031E0101CAAE} - C:\WINNT\system32\ddcya.dll (file missing) backup-20070318-233441-602 O20 - Winlogon Notify: ddcya - C:\WINNT\system32\ddcya.dll (file missing) backup-20070318-233441-770 O2 - BHO: (no name) - {7275767B-48BC-4AD7-A5E5-DA4AB990C383} - C:\WINNT\system32\mllml.dll (file missing) backup-20070318-233441-852 O2 - BHO: (no name) - {64073547-D816-495E-B269-D0DEAD8A5A15} - C:\WINNT\system32\ddccd.dll (file missing) backup-20070318-233441-945 O20 - Winlogon Notify: ddccd - C:\WINNT\ -- File Associations ----------------------------------------------------------- .bat - batfile - "%1" %* .chm - chm.file - "C:\WINNT\hh.exe" %1 .cmd - cmdfile - "%1" %* .com - comfile - "%1" %* .exe - exefile - "%1" %* .hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1 .inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1 .ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1 .js - JSFile - %SystemRoot%\System32\WScript.exe "%1" %* .lnk - lnkfile - {00021401-0000-0000-C000-000000000046} .pif - piffile - "%1" %* .reg - regfile - regedit.exe "%1" .scr - scrfile - "%1" /S .txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1 .vbs - VBSFile - %SystemRoot%\System32\WScript.exe "%1" %* -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------- 2R ACEDRV05 - C:\WINNT\system32\drivers\ACEDRV05.sys 1R AmdK7 (AMD K7 Processor Driver) - C:\WINNT\system32\drivers\amdk7.sys 3R AnyDVD - C:\WINNT\system32\drivers\AnyDVD.sys 3R Arp1394 (1394 ARP Client Protocol) - C:\WINNT\system32\drivers\arp1394.sys 3S ATI Remote Wonder II - C:\WINNT\system32\drivers\ATIRWVD.SYS (not found) 
3R ati2mtag - C:\WINNT\system32\drivers\ati2mtag.sys 3R ATIAVAIW (ATI T200 Unified AVStream service) - C:\WINNT\system32\drivers\atinavt2.sys 3S atinevxx (ATI WDM Rage Theater Video NSP) - C:\WINNT\system32\drivers\atinevxx.sys 3S atinrvxx (ATI WDM Rage Theater Video (Microsoft Corporation)) - C:\WINNT\system32\drivers\atinrvxx.sys 3S ATITUNEP (ATI WDM TV Tuner) - C:\WINNT\system32\drivers\atineuxx.sys 3S ativraxx (ATI WDM Rage Theater Audio) - C:\WINNT\system32\drivers\atinraxx.sys 3S ATIXSAudio (ATI WDM TV Audio Crossbar) - C:\WINNT\system32\drivers\atinesxx.sys 1R Avg7Core (AVG7 Kernel) - C:\WINNT\system32\drivers\avg7core.sys 1R Avg7RsW (AVG7 Wrap Driver) - C:\WINNT\system32\drivers\avg7rsw.sys 1R Avg7RsXP (AVG7 Resident Driver XP) - C:\WINNT\system32\drivers\avg7rsxp.sys 1R AvgClean (AVG7 Clean Driver) - C:\WINNT\system32\drivers\avgclean.sys 3S CCDECODE (Closed Caption Decoder) - C:\WINNT\system32\drivers\CCDECODE.sys 3R ctac32k (Creative AC3 Software Decoder) - C:\WINNT\system32\drivers\ctac32k.sys 3R ctaud2k (Creative Audio Driver (WDM)) - C:\WINNT\system32\drivers\ctaud2k.sys 3S ctdvda2k (Creative DVD-Audio Device Driver) - C:\WINNT\system32\drivers\ctdvda2k.sys 3R ctprxy2k (Creative Proxy Driver) - C:\WINNT\system32\drivers\ctprxy2k.sys 3R ctsfm2k (Creative SoundFont Management Device Driver) - C:\WINNT\system32\drivers\ctsfm2k.sys 3R dtscsi - C:\WINNT\system32\drivers\dtscsi.sys 3R ElbyCDFL - C:\WINNT\system32\drivers\ElbyCDFL.sys 2R ElbyCDIO (ElbyCDIO Driver) - C:\WINNT\system32\drivers\ElbyCDIO.sys 3R ElbyDelay - C:\WINNT\system32\drivers\ElbyDelay.sys 3R emupia (E-mu Plug-in Architecture Driver) - C:\WINNT\system32\drivers\emupia2k.sys 3R FETND5BV (VIA Rhine-Family Fast Ethernet Adapter Driver Service) - C:\WINNT\system32\drivers\fetnd5bv.sys 3S FETNDIS (VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver) - C:\WINNT\system32\drivers\fetnd5.sys 3R ha10kx2k (Creative Hardware Abstract Layer Driver) - C:\WINNT\system32\drivers\ha10kx2k.sys 3S hap16v2k 
(Creative P16V HAL Driver) - C:\WINNT\system32\drivers\haP16v2k.sys 3S hap17v2k (Creative P17V HAL Driver) - C:\WINNT\system32\drivers\haP17v2k.sys 3R HidUsb (Microsoft HID Class Driver) - C:\WINNT\system32\drivers\hidusb.sys 1R kbdhid (Keyboard HID Driver) - C:\WINNT\system32\drivers\kbdhid.sys 3S lgatbus (LG USB Composite Device driver (WDM)) - C:\WINNT\system32\drivers\lgatbus.sys 3S lgatmdm (LG CDMA USB Modem Drivers) - C:\WINNT\system32\drivers\lgatmdm.sys 3S lgatserd (LG CDMA USB Modem Diagnostic Serial Port Drivers (WDM)) - C:\WINNT\system32\drivers\lgatserd.sys 2R MCSTRM - C:\WINNT\system32\drivers\mcstrm.sys 3R mouhid (Mouse HID Driver) - C:\WINNT\system32\drivers\mouhid.sys 3S MPE (BDA MPE Filter) - C:\WINNT\system32\drivers\MPE.sys 1R MPFP - C:\WINNT\system32\drivers\Mpfp.sys 3S MSTEE (Microsoft Streaming Tee/Sink-to-Sink Converter) - C:\WINNT\system32\drivers\MSTEE.sys 3S MVDCODEC (ATI WDM Specialized MVD Codec) - C:\WINNT\system32\drivers\atinmdxx.sys 3S NABTSFEC (NABTS/FEC VBI Codec) - C:\WINNT\system32\drivers\NABTSFEC.sys 3R NaiAvFilter1 - C:\WINNT\system32\drivers\naiavf5x.sys 3S NdisIP (Microsoft TV/Video Connection) - C:\WINNT\system32\drivers\NdisIP.sys 3R NIC1394 (1394 Net Driver) - C:\WINNT\system32\drivers\nic1394.sys 0R ohci1394 (OHCI Compliant IEEE 1394 Host Controller) - C:\WINNT\system32\drivers\ohci1394.sys 3R ossrv (Creative OS Services Driver) - C:\WINNT\system32\drivers\ctoss2k.sys 4S Parallel (Parallel class driver) - C:\WINNT\system32\DRIVERS\parallel.sys (not found) 3S PCDCODEC (ATI WDM Specialized PCD Codec) - C:\WINNT\system32\drivers\atinpdxx.sys 3R Pcouffin (Low level access layer for CD devices) - C:\WINNT\system32\drivers\Pcouffin.sys 3S Point32 (Microsoft IntelliPoint Filter Driver) - C:\WINNT\system32\drivers\point32.sys 0R PxHelp20 - C:\WINNT\system32\drivers\pxhelp20.sys 3S SaiH075C - C:\WINNT\system32\drivers\SaiH075C.sys 3R SaiMini - C:\WINNT\system32\drivers\SaiMini.sys 3R SaiNtBus - 
C:\WINNT\system32\drivers\SaiBus.sys 3S SLIP (BDA Slip De-Framer) - C:\WINNT\system32\drivers\SLIP.sys 0R sptd - C:\WINNT\system32\drivers\sptd.sys 3S streamip (BDA IPSink) - C:\WINNT\system32\drivers\StreamIP.sys 0R uagp35 (Microsoft AGPv3.5 Filter) - C:\WINNT\system32\drivers\uagp35.sys 3R usbehci (Microsoft USB 2.0 Enhanced Host Controller Miniport Driver) - C:\WINNT\system32\drivers\usbehci.sys 3R usbohci (Microsoft USB Open Host Controller Miniport Driver) - C:\WINNT\system32\drivers\usbohci.sys 3S USBSTOR (USB Mass Storage Driver) - C:\WINNT\system32\drivers\USBSTOR.SYS 3S WpdUsb - C:\WINNT\system32\drivers\wpdusb.sys 4S WS2IFSL (Windows Socket 2.0 Non-IFS Service Provider Support Environment) - C:\WINNT\system32\drivers\ws2ifsl.sys 3S WSTCODEC (World Standard Teletext Codec) - C:\WINNT\system32\drivers\WSTCODEC.SYS 3S WudfPf (Windows Driver Foundation - User-mode Driver Framework Platform Driver) - C:\WINNT\system32\drivers\WudfPf.sys 3S WudfRd (Windows Driver Foundation - User-mode Driver Framework Reflector) - C:\WINNT\system32\drivers\WudfRd.sys
#15
ComboScan 2 of 2
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
3S aspnet_state (ASP.NET State Service) - C:\WINNT\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
2R Ati HotKey Poller - C:\WINNT\system32\Ati2evxx.exe
2S ATI Smart - C:\WINNT\system32\ati2sgag.exe
2R Avg7Alrt (AVG7 Alert Manager Server) - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
2R Avg7UpdSvc (AVG7 Update Service) - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
3S clr_optimization_v2.0.50727_32 (.NET Runtime Optimization Service v2.0.50727_X86) - C:\WINNT\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
2S Fax - C:\WINNT\system32\fxssvc.exe
3S IDriverT (InstallDriver Table Manager) - "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"
2R McAfee HackerWatch Service - "C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe"
2R McLogManagerService (McAfee Log Manager) - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
2R mcmispupdmgr (McAfee Update Manager) - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
2R McNASvc (McAfee Network Agent) - "c:\program files\common files\mcafee\mna\mcnasvc.exe"
2R mcpromgr (McAfee Protection Manager) - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
2R McProxy (McAfee Proxy Service) - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
2R McRedirector (McAfee Redirector Service) - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
2P McShield (McAfee.com McShield) - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
2R McTskshd.exe (McAfee Task Scheduler) - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
2R mcusrmgr (McAfee User Manager) - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
2R MpfService (McAfee Personal Firewall Service) - "C:\Program Files\McAfee\MPF\MPFSrv.exe"
2R MPS9 (McAfee Privacy Service) - C:\PROGRA~1\McAfee\MPS\mps.exe
3S ose (Office Source Engine) - "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
3S UtilMan (Utility Manager) - C:\WINNT\System32\UtilMan.exe
-- Scheduled Tasks -------------------------------------------------------------
2007-03-19 16:34:35 418 --ah----- C:\WINNT\Tasks\User_Feed_Synchronization-{1F5CF007-A933-421B-AF4E-787580ADC389}.job<USER_F~1.JOB>
2007-03-15 01:49:34 346 --a------ C:\WINNT\Tasks\McDefragTask.job<MCDEFR~1.JOB>
2007-03-01 02:39:20 352 --a------ C:\WINNT\Tasks\McQcTask.job
2007-02-26 22:09:57 300 --a------ C:\WINNT\Tasks\XoftSpy.job
-- Files created between 2007-02-19 and 2007-03-19 -----------------------------
2007-03-19 12:39:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab<KASPER~1>
2007-03-19 12:39:41 0 d-------- C:\WINNT\system32\Kaspersky Lab<KASPER~1>
2007-03-18 23:47:10 0 d-------- C:\WINNT\system32\ActiveScan<ACTIVE~1>
2007-03-18 23:47:09 0 d-------- C:\WINNT\LastGood
2007-03-18 19:02:15 0 d-------- C:\combofix
2007-03-18 17:15:34 0 d-------- C:\WINNT\BDOSCAN8
2007-03-18 16:51:30 0 d-------- C:\VundoFix Backups<VUNDOF~1>
2007-03-16 17:08:48 0 d-------- C:\Program Files\AOL Games<AOLGAM~1>
2007-03-16 09:08:34 0 d-------- C:\Program Files\Gamenext
2007-03-09 12:24:14 0 d-------- C:\Documents and Settings\Jason\Application Data\Google
2007-03-09 12:22:57 0 d-------- C:\Program Files\Google
2007-03-05 15:11:19 0 d-------- C:\Program Files\Virtual Villagers - The Lost Children<VIRTUA~2>
2007-03-03 06:42:31 0 d-------- C:\WINNT\Dream Day Wedding<DREAMD~1>
2007-03-03 06:37:57 0 d-------- C:\Program Files\Oberon Media<OBERON~1>
2007-02-25 00:21:51 0 dr-h----- C:\$VAULT$.AVG
2007-02-25 00:21:22 0 d-------- C:\Documents and Settings\Jason\Application Data\AVG7
2007-02-25 00:20:50 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-02-25 00:20:36 19392 --a------ C:\WINNT\system32\drivers\avgmfx86.sys
2007-02-25 00:20:36 3968 --a------ C:\WINNT\system32\drivers\avgclean.sys
2007-02-25 00:20:35 27776 --a------ C:\WINNT\system32\drivers\avg7rsxp.sys
2007-02-25 00:20:35 4224 --a------ C:\WINNT\system32\drivers\avg7rsw.sys
2007-02-25 00:20:31 775680 --a------ C:\WINNT\system32\drivers\avg7core.sys
2007-02-25 00:20:24 0 d-------- C:\Program Files\Grisoft
2007-02-25 00:20:24 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-02-25 00:20:24 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-02-24 23:30:45 0 d-------- C:\WINNT\Prefetch
2007-02-22 20:47:01 0 d-------- C:\Documents and Settings\All Users\Application Data\Friends Games<FRIEND~1>
2007-02-19 17:20:13 0 d-------- C:\Documents and Settings\LocalService\Application Data\PureAmenLies<PUREAM~1>
-- Find3M Report ---------------------------------------------------------------
2007-03-19 00:07:35 0 d-------- C:\Program Files\ATI Multimedia<ATIMUL~1>
2007-03-16 20:41:38 0 d-------- C:\Program Files\eMule
2007-03-16 09:57:58 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-03-16 09:57:52 0 d-------- C:\Program Files\Common Files\ATI
2007-03-02 05:08:00 0 d-------- C:\Program Files\Java
2007-02-25 03:34:57 0 d-------- C:\Documents and Settings\Jason\Application Data\Adobe
2007-02-22 08:20:30 0 d-------- C:\Program Files\Intellicast<INTELL~1>
2007-02-18 09:11:57 0 d-------- C:\Program Files\THQ
2007-02-12 19:17:16 21840 --a-----t C:\WINNT\system32\SIntfNT.dll
2007-02-12 19:17:16 17212 --a-----t C:\WINNT\system32\SIntf32.dll
2007-02-12 19:17:16 12067 --a-----t C:\WINNT\system32\SIntf16.dll
2007-02-12 13:12:26 0 d-------- C:\Program Files\Ubisoft
2007-02-11 22:21:24 0 d-------- C:\Documents and Settings\Jason\Application Data\Gaijin Ent<GAIJIN~1>
2007-02-10 21:39:16 0 d-------- C:\Program Files\SlySoft
2007-02-04 16:24:43 0 d-------- C:\Program Files\Virtual Villagers<VIRTUA~1>
2007-02-01 04:28:45 0 d-------- C:\Program Files\PC Wizard 2007<PCWIZA~2>
2007-02-01 03:07:12 0 d-------- C:\Program Files\Creative
2007-02-01 03:05:03 409600 --a------ C:\WINNT\system32\wrap_oal.dll
2007-02-01 03:05:02 86016 --a------ C:\WINNT\system32\OpenAL32.dll
2007-02-01 03:04:55 0 d-------- C:\Documents and Settings\Jason\Application Data\Creative
2007-02-01 02:10:41 0 d-------- C:\Program Files\Common Files\SystemRequirementsLab<SYSTEM~1>
2007-01-29 03:58:06 60416 --a------ C:\WINNT\system32\tzchange.exe
2007-01-24 16:52:11 0 d-------- C:\Program Files\Common Files\Adobe
2007-01-24 16:50:36 0 d-------- C:\Documents and Settings\Jason\Application Data\AdobeUM
2007-01-12 10:27:42 232960 --a------ C:\WINNT\system32\webcheck.dll
2007-01-12 10:27:42 51712 --a------ C:\WINNT\system32\msfeedsbs.dll<MSFEED~1.DLL>
2007-01-12 10:27:42 458752 --a------ C:\WINNT\system32\msfeeds.dll
2007-01-12 10:27:42 6054400 --a------ C:\WINNT\system32\ieframe.dll
2007-01-08 20:04:54 105984 --a------ C:\WINNT\system32\url.dll
2007-01-08 20:04:08 102400 --a------ C:\WINNT\system32\occache.dll
2007-01-08 20:02:04 266752 --a------ C:\WINNT\system32\iertutil.dll
2007-01-08 20:02:04 44544 --a------ C:\WINNT\system32\iernonce.dll
2007-01-08 20:02:02 384000 --a------ C:\WINNT\system32\iedkcs32.dll
2007-01-08 20:02:02 383488 --a------ C:\WINNT\system32\ieapfltr.dll
2007-01-08 20:02:02 161792 --a------ C:\WINNT\system32\ieakui.dll
2007-01-08 20:02:02 230400 --a------ C:\WINNT\system32\ieaksie.dll
2007-01-08 20:02:02 153088 --a------ C:\WINNT\system32\ieakeng.dll
2007-01-08 20:01:14 17408 --a------ C:\WINNT\system32\corpol.dll
2007-01-08 20:00:48 124928 --a------ C:\WINNT\system32\advpack.dll
2007-01-08 19:08:14 56832 --a------ C:\WINNT\system32\ie4uinit.exe
2007-01-08 19:08:10 13824 --a------ C:\WINNT\system32\ieudinit.exe
2007-01-01 12:24:28 14 --a------ C:\WINNT\popcinfo.dat
2006-12-20 22:05:00 520192 --a------ C:\WINNT\system32\ati2sgag.exe
2006-12-19 16:52:18 134656 --a------ C:\WINNT\system32\shsvcs.dll
2006-12-19 13:16:47 333824 --a------ C:\WINNT\system32\wiaservc.dll
-- Registry Dump ---------------------------------------------------------------
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ATI Launchpad"=""
"ATI DeviceDetect"="C:\\Program Files\\ATI Multimedia\\main\\ATIDtct.EXE"
"ATI Scheduler"="C:\\Program Files\\ATI Multimedia\\main\\ATISched.EXE"
"Pinnacle Game Profiler"="\"C:\\Program Files\\KALiNKOsoft\\Pinnacle Game Profiler\\pinnacle.exe\" -atboottime"
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
"OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
"NWEReboot"=""
"NeroFilterCheck"="C:\\WINNT\\system32\\NeroCheck.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"Profiler"="C:\\Program Files\\Saitek\\Software\\ProfilerU.exe"
"SaiMfd"="C:\\Program Files\\Saitek\\Software\\SaiMfd.exe"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\CLIStart.exe\""
"CTHelper"="CTHELPER.EXE"
"CTxfiHlp"="CTXFIHLP.EXE"
"CloneCDTray"="\"C:\\Program Files\\SlySoft\\CloneCD\\CloneCDTray.exe\" /s"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
  6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00
"CleanUp"="C:\\PROGRA~1\\McAfee.com\\Shared\\mcappins.exe /v=3 /cleanup"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"
"tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
  33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"
"tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
  33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
rpcss REG_MULTI_SZ RpcSs\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{15dc5478-f4f2-11da-a7bd-806d6172696f}]
Shell\AutoRun\command F:\_AUTORUN\AUTORUN.EXE
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{27cc465d-f675-11da-ba1f-000d6191598e}]
Shell\AutoRun\command H:\JDSecure\Windows\JDSecure20.exe
-- End of ComboScan: finished at 2007-03-19 at 22:31:52 ------------------------
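Added example, not part of the thread and not one of the tools used in it: a small Python script that applies the pattern visible in the "HijackThis Fixed Entries" section of the ComboScan log above (unnamed O2 BHO entries pointing at ddcya.dll, mllml.dll and ddccd.dll in system32, two of them paired with an O20 Winlogon Notify entry loading the same DLL) to HijackThis O2/O20 lines and reports which DLLs match. The heuristic thresholds (a lowercase DLL name of 5 to 8 letters, the system32 location) are this example's own assumptions, and the sample log lines are constructed for the example, modelled on the entries shown in this thread, with the Adobe and WgaLogon lines included as legitimate controls.

```python
"""Flag Vundo-style persistence pairs in HijackThis O2 / O20 lines.

Added example, not a tool from this thread. The heuristics are assumptions
modelled on the entries the helper fixed above (ddcya.dll, ddccd.dll,
mllml.dll): an unnamed BHO loading a randomly named DLL from system32,
often paired with a Winlogon Notify entry that loads the same DLL.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*?)"
    r"(?P<missing> \(file missing\))?$"
)
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*?)"
    r"(?P<missing> \(file missing\))?$"
)
# Assumption: Vundo DLLs of this era carried short random lowercase names.
RANDOM_DLL_RE = re.compile(r"^[a-z]{5,8}\.dll$")
SYSTEM32_RE = re.compile(r"\\system32\\", re.IGNORECASE)

# Constructed sample input, modelled on the O2/O20 lines in the logs above
# (the Adobe and WgaLogon lines are legitimate controls).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BFF529B1-2268-41D4-B3B3-031E0101CAAE} - C:\WINNT\system32\ddcya.dll (file missing)
O20 - Winlogon Notify: ddcya - C:\WINNT\system32\ddcya.dll (file missing)
O2 - BHO: (no name) - {7275767B-48BC-4AD7-A5E5-DA4AB990C383} - C:\WINNT\system32\mllml.dll (file missing)
O2 - BHO: (no name) - {64073547-D816-495E-B269-D0DEAD8A5A15} - C:\WINNT\system32\ddccd.dll (file missing)
O20 - Winlogon Notify: ddccd - C:\WINNT\system32\ddccd.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
"""


@dataclass
class Entry:
    kind: str      # "O2" (BHO) or "O20" (Winlogon Notify)
    name: str      # BHO display name, or the Winlogon Notify subkey
    path: str
    missing: bool  # HijackThis appended "(file missing)"


def parse_hjt(text):
    """Return the O2 and O20 entries found in a HijackThis log."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            entries.append(Entry("O2", m["name"], m["path"], bool(m["missing"])))
            continue
        m = O20_RE.match(line)
        if m:
            entries.append(Entry("O20", m["key"], m["path"], bool(m["missing"])))
    return entries


def dll_basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_vundo_pattern(entries):
    """Map suspicious DLL name -> list of reasons it was flagged."""
    by_dll = defaultdict(list)
    for e in entries:
        by_dll[dll_basename(e.path)].append(e)

    findings = {}
    for dll, group in by_dll.items():
        reasons = []
        kinds = {e.kind for e in group}
        unnamed_bho = any(e.kind == "O2" and e.name == "(no name)" for e in group)
        in_system32 = any(SYSTEM32_RE.search(e.path) for e in group)
        if unnamed_bho and in_system32 and RANDOM_DLL_RE.match(dll):
            reasons.append("unnamed BHO loading a random-named DLL from system32")
        if {"O2", "O20"} <= kinds:
            reasons.append("same DLL registered as a BHO and as a Winlogon Notify handler")
        # A missing file means the DLL is already gone; the registry entry is
        # an orphan that still needs removing, so keep reporting it.
        if reasons and any(e.missing for e in group):
            reasons.append("file missing on disk: orphaned registry entry")
        if reasons:
            findings[dll] = reasons
    return findings


if __name__ == "__main__":
    for dll, reasons in find_vundo_pattern(parse_hjt(SAMPLE_LOG)).items():
        print(dll)
        for r in reasons:
            print("   -", r)
```

Run it against a saved HijackThis log by reading the file into `parse_hjt` instead of `SAMPLE_LOG`. The "(file missing)" marker is deliberately not treated as "nothing to do": in the log above the DLLs had already been removed by VundoFix, but the BHO and Winlogon Notify registrations pointing at them were still present until the helper fixed them, which is why this script reports them anyway.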