Bobbo12

Another "Onlinesecurity" malware infection

15 posts in this topic

Hi, I have noticed that there have been a few posts about a very similar problem to that which has occurred on our computer. Some sort of malware has installed itself, almost identical to that described in another thread (http://forums.spywareinfo.com/index.php?showtopic=101743). To save time I've just copied and pasted part of his thread:

 

"After running Spysweeper and no adware, it is still there. It has placed three programs on my computer:

 

1.) Spyware & malware Protection

 

2.) Error Cleaner

 

3.) Privacy Protecter

 

In addition it has taken over my computer wallpaper. I have a huge red clickable icon as my wallpaper that I can close, but then it just pops back up again after 30 seconds or so.

 

It runs some sort of a script that continuously tries to take my browser to onlinesecurityworld.com as well as onlinestability.com

 

...here's a cut and paste of the exact redirect "hxxttp://www.onlinestability.com/index.php?sid=0&aid=0&said=0&pid=1"

 

it makes pop-ups come up all over the place, like every 30 seconds, saying that malicious spyware has been found on my computer. I have a flashing red triangle in my system tray with a little white exclamation point in it. When I click on it nothing happens."

 

Some extra info of my own, which may help:

* The "virus" seemed to be creating 0-byte tmp files about every second in my Local Settings/temp folder, with names such as BIT83, BIT84, BIT85, etc etc...This has stopped since I have cleaned with Smitfraud.

* In normal mode, Windows won't let me open Task Manager, saying it has been disabled by the administrator. Safe mode allows me to.

* I have run Spysweeper and Norton but have had no success.

 

SO, to save everyone time, I have gone ahead and run SmitFraud with the instructions provided in a very similar thread a few threads down (I did a "clean" in safe mode, and said yes to "registry clean"). Here is the report:

 

SmitFraudFix v2.200

 

Scan done at 18:18:11.14, Fri 06/07/2007

Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in safe mode

 

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

 

 

»»»»»»»»»»»»»»»»»»»»»»»» hosts

 

 

127.0.0.1 localhost

 

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

 

GenericRenosFix by S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

 

C:\WINDOWS\msole.dll Deleted

C:\WINDOWS\msdde.dll Deleted

 

»»»»»»»»»»»»»»»»»»»»»»»» DNS

 

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

 

Registry Cleaning done.

 

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End

Here is the HJT log, made after the Smitfraud clean:

Logfile of HijackThis v1.99.1

Scan saved at 6:42:09 PM, on 6/07/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Microsoft Hardware\Keyboard\type32.exe

C:\WINDOWS\ATKKBService.exe

C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

D:\UTILIT~1\INTERN~1\MUMINT~1\mum.exe

D:\Utilities\DAEMON Tools\daemon.exe

D:\Utilities\WinZip\WZQKPICK.EXE

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\UAService7.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Webroot\Spy Sweeper\SSU.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - D:\Utilities\DAP\DAPBHO.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [GBB36X Configure] "C:\WINDOWS\system32\JMRaidTool.exe" boot

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [intelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"

O4 - HKLM\..\Run: [Easy-PrintToolBox] "C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" /logon

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install

O4 - HKLM\..\Run: [NvMediaCenter] "RunDLL32.exe" NvMCTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"

O4 - HKLM\..\Run: [H2O] "C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [spySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [internodeUsage] D:\UTILIT~1\INTERN~1\MUMINT~1\mum.exe

O4 - HKCU\..\Run: [DAEMON Tools] "D:\Utilities\DAEMON Tools\daemon.exe" -lang 1033

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: WinZip Quick Pick.lnk = D:\Utilities\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: &Download with &DAP - D:\UTILIT~1\DAP\dapextie.htm

O8 - Extra context menu item: Download &all with DAP - D:\UTILIT~1\DAP\dapextie2.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - D:\UTILIT~1\DAP\DAP.EXE

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jin...ows-i586-jc.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe

O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PDEngine - Raxco Software, Inc. - D:\Utilities\PerfectDisk v7.0.42\PDEngine.exe

O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - D:\Utilities\PerfectDisk v7.0.42\PDSched.exe

O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Thx so much for your help. This is a truly fantastic site! :)


Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

 

Thank you for your patience.

 

[this is an automated reply]


Hi Bobbo12,

 

Welcome to SpywareInfo! :wave:

 

I apologize for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems, I will be glad to help.

 

OK, let’s do this first.

 

Go to Start -> Control Panel -> Add/Remove Programs and remove any of the following that are listed:

 

DAP (Download Accelerator Plus)

 

You may replace it with a more reputable download manager listed on this page:

http://www.safer-networking.org/en/article...d-managers.html

 

 

NEXT:

 

Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):

 

R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - D:\Utilities\DAP\DAPBHO.dll

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O8 - Extra context menu item: &Download with &DAP - D:\UTILIT~1\DAP\dapextie.htm

O8 - Extra context menu item: Download &all with DAP - D:\UTILIT~1\DAP\dapextie2.htm

O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - D:\UTILIT~1\DAP\DAP.EXE

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

 

 

Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".

 

Then please exit HijackThis.

 

 

NEXT:

 

Using Windows Explorer (right-click your "Start" button and select "Explore"), please navigate to and delete the following FOLDERS (if they exist):

 

D:\Utilities\DAP

 

 

NEXT:

 

Let's run some cleanup and diagnostic scans to make sure we're not leaving anything behind.

 

Please download CCleaner (freeware) and save it to your desktop:

  1. Run the CCleaner installer.
  2. During the installation process, please UNCHECK "Add CCleaner Yahoo! Toolbar".
  3. Once installed, run CCleaner and click the "Windows" tab.
  4. Select the following:
    • Check everything under the "Internet Explorer" section.
    • Check everything under the "Windows Explorer" section.
    • Check everything under the "System" section.
    • Check ONLY "Old Prefetch data" under the "Advanced" section.
  5. Then, click the "Applications" tab:
    • CHECK everything there.
  6. Next, click the "Options" button in the left pane, then click the "Advanced" button:
    • UNCHECK: "Only delete files in Windows Temp folders older than 48 hours".
  7. Next, click the "Cleaner" button in the left pane, then click the "Run Cleaner" button (bottom right), and click "OK" at the prompt.
  8. When done, please exit CCleaner.

CAUTION: Please do NOT use the "Issues" button in the left pane. This is a built-in registry cleaner. If you don’t know how to use it, you may cause irreparable damage to your system.

 

 

NEXT:

 

Please download ComboFix by sUBs:

 

NOTE: In the event you already have ComboFix, this is a new version that I need you to download.

  • Save it to your desktop.
  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION:

Please do NOT mouse-click ComboFix's window while it is running. That may cause it to stall.

Also, please do NOT adjust your time format while ComboFix is running.

 

 

NEXT:

 

Please do an online scan with Kaspersky Online Scanner using Internet Explorer (this online scanner only works with IE):

  1. Click on "Kaspersky Online Scanner".
  2. You will be prompted to install an ActiveX component from Kaspersky; click "Yes".
  3. The program will launch and then begin downloading the latest definition files.
  4. Once the files have been downloaded, click on "Next".
  5. Now click on "Scan Settings".
  6. In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  7. Click "OK".
  8. Now under "Select a target to scan":
    • Select "My Computer".
  9. This program will start and scan your system.
  10. The scan will take a while, so be patient and let it run.
  11. Once the scan is complete, it will display if your system has been infected.
    • Now click on the "Save Report As" button.
    • In the "File name:" field, type kavscan.
    • In the "Save as type:" field, select "Text file (*.txt)".
  12. Save the file to your desktop.
  13. Copy and paste that information in your next post.

Note for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.

 

 

NEXT:

 

Please REBOOT your computer normally into Windows and post these logs in your next reply:

  1. The log from the ComboFix scan.
  2. The log from the Kaspersky scan.
  3. A new HijackThis log.

(You might have to paste the logs in multiple posts in the event they are too long and breach the post length restrictions of the forum software).

 

Also, please let me know how things are running now and if you encountered any problems while you were following the directions I posted.

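The entries the helper ticked above share a few mechanical tells that are visible in the HijackThis log Bobbo12 posted: a handler whose file is gone ("(no file)" / "(file missing)"), a Winlogon Notify entry whose path is a bare directory (C:\WINDOWS\), and anything under the DAP install the helper decided to remove. As an added example that is not part of this thread and is not HijackThis's own code, the Python script below parses HijackThis-style entry lines (a handful copied from the log above, embedded as constructed sample input) and raises those flags, with a caller-supplied watch list standing in for the helper's judgment call on DAP. The function and flag names are my own. It is a first-pass triage aid, not a verdict: the Alcmtr O4 item was selected on knowledge of the software, which no pattern check reproduces, and the Symantec O23 lines show how an unbalanced quote can accompany a "(file missing)" that deserves a manual look rather than an automatic fix.

```python
import re

# Constructed sample input: a handful of lines copied from the HijackThis log
# posted earlier in this thread, plus their clean neighbours for contrast.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - D:\Utilities\DAP\DAPBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - D:\UTILIT~1\DAP\DAP.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
"""

# Markers HijackThis prints when it cannot find the file an entry points at.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<key>.*?): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")


def parse_entry(line):
    """Split one HijackThis entry into (code, name, target).

    Returns None for lines that are not entries (headers, process list,
    blanks).  'target' is the path, URL or command line the entry points
    at, which is what the triage checks examine.
    """
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    if code == "O4":                                # O4 - HKLM\..\Run: [name] command
        m4 = O4_RE.match(body)
        if m4:
            return code, m4.group("name"), m4.group("cmd")
    if code.startswith("R") and " = " in body:      # R0/R1: registry value = URL
        key, _, value = body.partition(" = ")
        return code, key, value
    parts = body.split(" - ")                       # "kind: name - {CLSID} - path"
    if len(parts) >= 2:
        return code, parts[0], parts[-1]
    return code, body, ""


def triage_entry(line, watch_list=()):
    """Return a dict describing the entry plus the flags it raised, or None."""
    parsed = parse_entry(line)
    if parsed is None:
        return None
    code, name, target = parsed
    flags = []

    # 1. Orphan: the file the registry points at is gone.  Typical of a
    #    half-removed program, or a component something else deleted.
    if any(marker in target for marker in ORPHAN_MARKERS):
        flags.append("orphan")

    # Strip the markers before inspecting the path itself.
    path = target
    for marker in ORPHAN_MARKERS:
        path = path.replace(marker, "")
    path = path.strip()

    # 2. Directory-only: a notify handler or BHO naming a folder rather than
    #    a DLL cannot be loading anything legitimate (WgaLogon -> C:\WINDOWS\).
    if path.endswith("\\"):
        flags.append("directory-only")

    # 3. Unbalanced quotes: the command line as displayed is malformed, so the
    #    path that was tested for existence may not be the path that runs.
    if path.count('"') % 2 == 1:
        flags.append("unbalanced-quotes")

    # 4. Watch list: products the analyst has decided to remove (the helper's
    #    call on DAP).  Whole-word match so "DAP" does not hit "Adapter".
    haystack = name + " " + target
    for token in watch_list:
        if re.search(r"\b" + re.escape(token) + r"\b", haystack, re.IGNORECASE):
            flags.append("watch:" + token)

    return {"code": code, "name": name, "target": target, "flags": flags}


def triage_log(text, watch_list=()):
    """Run triage_entry over a whole log and keep only entries that raised flags."""
    hits = []
    for line in text.splitlines():
        entry = triage_entry(line, watch_list)
        if entry and entry["flags"]:
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in triage_log(SAMPLE_LOG, watch_list=("DAP",)):
        print(f"{hit['code']:<4} {', '.join(hit['flags']):<26} {hit['name']}")
```

Run against the sample it reports six of the ten entries, matching the helper's list except for Alcmtr; feed it a full log by reading the file into the `text` argument and pass whatever products you have already decided to uninstall as the watch list.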

Thanks for your help so far. While it may have been good to get rid of DAP, I am certain that this has not been the cause of our recent troubles, as they occurred from my Dad visiting some dodgy sites (lol..). I have an old, full version of DAP which doesn't contain any spyware and has never caused me trouble - but thanks, I got rid of it as you said just in case.

 

However, the problem still persists. When I connected the infected PC to the internet, it started to go crazy with creating tiny files in the Local Settings/temp folder...about 1 per second, named BIT12A, BIT12B, BIT12C and other variations etc etc. As soon as I disconnect the internet it stops. The problem is that it causes a lot of HD activity, and as such I could only do the Kaspersky scan on the C:/ drive (Windows drive), because it took about 4 hours to do 7% of the scan!

 

Thank you for your help so far. I hope that this new information will be able to help us solve this painful problem.

 

--- LOGS ---

 

ComboFIX:

 

"User" - 2007-07-13 17:21:03 - ComboFix 07-07-13.8 - Service Pack 2 NTFS

 

 

((((((((((((((((((((((((( Files Created from 2007-06-13 to 2007-07-13 )))))))))))))))))))))))))))))))

 

 

2007-07-13 17:20 51,200 --a------ C:\WINDOWS\nircmd.exe

2007-07-13 15:57 233,472 --a------ C:\WINDOWS\system32\REX Shared Library.dll

2007-07-13 15:57 225,280 --a------ C:\WINDOWS\system32\ReWire.dll

2007-07-13 15:57 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\Propellerhead Software

2007-07-13 15:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Propellerhead Software

2007-07-12 14:07 <DIR> d-------- C:\Program Files\Microsoft Games

2007-07-06 18:21 <DIR> d-------- C:\HJT

2007-07-06 18:18 4,238 --a------ C:\WINDOWS\system32\tmp.reg

2007-07-05 12:50 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Webroot

2007-06-30 16:54 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\Roni Music

2007-06-25 19:30 1 --a------ C:\DOCUME~1\User\SI.bin

2007-06-23 15:15 <DIR> d-------- C:\WINDOWS\lhsp

2007-06-23 15:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\NCH Swift Sound

2007-06-23 15:08 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\NCH Swift Sound

2007-06-19 13:33 73,216 --a------ C:\WINDOWS\ST6UNST.EXE

2007-06-19 13:33 286,720 --------- C:\WINDOWS\Setup1.exe

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-07-13 06:49:14 -------- d--h--w C:\Program Files\InstallShield Installation Information

2007-07-06 06:42:55 -------- d-----w C:\Program Files\BFG

2007-07-04 23:27:07 -------- d-----w C:\Program Files\Common Files\Symantec Shared

2007-07-04 11:14:01 -------- d-----w C:\DOCUME~1\User\APPLIC~1\Azureus

2007-07-04 00:46:10 21,480 ----a-w C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT

2007-06-28 07:30:02 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll

2007-06-25 10:13:47 -------- d-----w C:\DOCUME~1\User\APPLIC~1\Petroglyph

2007-06-25 09:39:13 -------- d-----w C:\DOCUME~1\User\APPLIC~1\Lionhead Studios

2007-06-08 07:06:07 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2007-06-08 07:05:20 -------- d-----w C:\Program Files\AGEIA Technologies

2007-06-08 07:02:29 -------- d-----w C:\DOCUME~1\User\APPLIC~1\InstallShield

2007-06-06 22:07:24 40,667 ----a-w C:\WINDOWS\nsreg.dat

2007-06-06 10:53:27 -------- d-----w C:\Program Files\Common Files\Real

2007-06-05 06:45:15 -------- d-----w C:\Program Files\Real

2007-06-05 06:44:54 -------- d-----w C:\Program Files\Netscape

2007-06-05 06:23:51 -------- d-----w C:\DOCUME~1\User\APPLIC~1\InterTrust

2007-05-28 11:40:42 -------- d-----w C:\Program Files\Common Files\InstallShield

2007-05-27 05:02:44 -------- d-----w C:\Program Files\Ubisoft

2007-05-27 04:11:56 81,920 ----a-w C:\WINDOWS\system32\OpenAL32.dll

2007-05-26 11:23:27 -------- d-----w C:\Program Files\Avid

2007-05-26 11:16:19 -------- d-----w C:\DOCUME~1\User\APPLIC~1\combustion4

2007-05-26 11:10:59 -------- d-----w C:\DOCUME~1\User\APPLIC~1\Apple Computer

2007-05-21 11:42:28 -------- d-----w C:\Program Files\K-Lite Codec Pack

2007-05-20 11:45:15 -------- d-----w C:\DOCUME~1\User\APPLIC~1\DivX

2007-05-20 01:50:08 -------- d-----w C:\Program Files\DivX

2007-05-15 09:06:58 71,208 ----a-w C:\WINDOWS\system32\PhysXLoader.dll

2007-05-11 17:54:15 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe

2007-05-11 04:37:15 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll

2007-05-11 04:37:15 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll

2007-05-11 04:37:15 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll

2007-05-11 04:37:15 740,442 ----a-w C:\WINDOWS\system32\DivX.dll

2007-04-23 00:15:29 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll

2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll

2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll

2007-04-23 00:02:34 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll

2007-04-23 00:02:34 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll

2007-04-23 00:02:33 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll

2007-04-23 00:02:31 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll

2007-04-23 00:02:31 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll

2007-04-23 00:02:31 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll

2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll

2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll

2007-04-23 00:01:47 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll

2007-04-23 00:01:46 124,472 ----a-w C:\WINDOWS\system32\DivXCodecUpdateChecker.exe

2007-04-19 00:21:33 48,776 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL

2007-04-16 12:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll

2007-04-16 12:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll

2007-04-16 12:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll

2007-04-16 12:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll

2007-04-16 12:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll

2007-04-16 12:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll

2007-04-16 12:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe

2007-04-16 12:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

2006-10-22 23:08 62080 --a------ C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1E8A6170-7264-4D0F-BEAE-D42A53123C75}]

2007-01-12 17:04 96936 -ra------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]

2006-12-15 02:23 440056 --a------ C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 18:56 C:\WINDOWS\RTHDCPL.exe]

"SkyTel"="SkyTel.EXE" [2006-05-16 20:04 C:\WINDOWS\SkyTel.exe]

"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 18:42]

"IntelliType"="C:\Program Files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-22 14:41]

"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 11:10]

"nwiz"="nwiz.exe" [2006-10-22 11:22 C:\WINDOWS\system32\nwiz.exe]

"NvMediaCenter"="RunDLL32.exe" [2006-02-28 22:00 C:\WINDOWS\system32\rundll32.exe]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 02:23]

"H2O"="C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [2005-10-23 00:00]

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 15:59]

"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-01-14 17:11]

"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-16 17:15]

"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 17:15]

"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-03-01 19:55]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 22:00]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 02:24]

"InternodeUsage"="D:\UTILIT~1\INTERN~1\MUMINT~1\mum.exe" [2007-01-30 17:00]

"DAEMON Tools"="D:\Utilities\DAEMON Tools\daemon.exe" [2006-11-12 20:48]

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]

"C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]

"C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]

CTHELPER.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]

CTXFIHLP.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RCSystem]

"C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]

C:\WINDOWS\UpdReg.EXE

 

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]

AutoRun\command- G:\autorun.exe

dinstall\command- G:\Directx\dxsetup.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2085703c-b322-11db-b5cd-806d6172696f}]

AutoRun\command- G:\autorun.exe

dinstall\command- G:\Directx\dxsetup.exe

 

*Newly Created Service* - COMHOST

 

Contents of the 'Scheduled Tasks' folder

2007-07-09 10:00:17 C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - User.job

 

**************************************************************************

 

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-07-13 17:22:40

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Completion time: 2007-07-13 17:23:03

 

--- E O F ---

Kaspersky

 

-------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER REPORT

Friday, July 13, 2007 9:20:10 PM

Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)

Kaspersky Online Scanner version: 5.0.83.0

Kaspersky Anti-Virus database last update: 13/07/2007

Kaspersky Anti-Virus database records: 361928

-------------------------------------------------------------------------------

 

Scan Settings:

Scan using the following antivirus database: extended

Scan Archives: true

Scan Mail Bases: true

 

Scan Target - My Computer:

A:\

C:\

D:\

E:\

F:\

G:\

H:\

 

Scan Statistics:

Total number of scanned objects: 42865

Number of viruses found: 8

Number of infected objects: 16 / 0

Number of suspicious objects: 0

Duration of the scan process: 03:30:20

 

Infected Object Name / Virus Name / Last Action

C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.zip ZIP: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-07-13_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\27685826.tmp Infected: Trojan.Java.ClassLoader.ao skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3D376610.htm Infected: Trojan-Downloader.JS.Agent.hv skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3DC04979.htm Infected: Constructor.Perl.Msdds.b skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\530B7A08.exe Infected: Virus.Win32.Tenga.a skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\532549EB.exe Infected: Virus.Win32.Tenga.a skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5D1B56F4.tmp Infected: Trojan.Java.ClassLoader.ao skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5D1E00F0.tmp Infected: Trojan.Java.ClassLoader.ao skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\653B3A97.exe Infected: not-a-virus:AdTool.Win32.WhenU.a skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\97D1D32C.TMP Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SubEng\submissions.idx Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\User\Application Data\Webroot\Spy Sweeper\Logs\070713142234.ses Object is locked skipped

C:\Documents and Settings\User\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped

C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\User\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\User\Local Settings\History\History.IE5\MSHist012007071320070714\index.dat Object is locked skipped

C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\User\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\User\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped

C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped

C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped

C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped

C:\Program Files\Webroot\Spy Sweeper\Masters\masters.bak Object is locked skipped

C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.const Object is locked skipped

C:\Program Files\Webroot\Spy Sweeper\Masters\masters.mst Object is locked skipped

C:\Program Files\Webroot\Spy Sweeper\Masters.base Object is locked skipped

C:\RECYCLER\S-1-5-21-448539723-1035525444-725345543-500\Dc5.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{9A96DBDD-3ACA-4397-9A69-1EB36E0BABBC}\RP349\A0085400.exe Infected: not-a-virus:Downloader.Win32.WinFixer.t skipped

C:\System Volume Information\_restore{9A96DBDD-3ACA-4397-9A69-1EB36E0BABBC}\RP349\A0085459.dll Infected: not-a-virus:AdWare.Win32.Agent.bn skipped

C:\System Volume Information\_restore{9A96DBDD-3ACA-4397-9A69-1EB36E0BABBC}\RP349\A0085460.exe Infected: not-a-virus:AdWare.Win32.Agent.bn skipped

C:\System Volume Information\_restore{9A96DBDD-3ACA-4397-9A69-1EB36E0BABBC}\RP349\A0085500.dll Infected: not-a-virus:AdWare.Win32.Agent.bn skipped

C:\System Volume Information\_restore{9A96DBDD-3ACA-4397-9A69-1EB36E0BABBC}\RP357\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

 

Scan was interrupted by user!

HJT

Logfile of HijackThis v1.99.1

Scan saved at 9:35:44 PM, on 13/07/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\ATKKBService.exe

C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Microsoft Hardware\Keyboard\type32.exe

C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

D:\UTILIT~1\INTERN~1\MUMINT~1\mum.exe

D:\Utilities\DAEMON Tools\daemon.exe

D:\Utilities\WinZip\WZQKPICK.EXE

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\UAService7.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Webroot\Spy Sweeper\SSU.EXE

C:\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [intelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"

O4 - HKLM\..\Run: [Easy-PrintToolBox] "C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" /logon

O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install

O4 - HKLM\..\Run: [NvMediaCenter] "RunDLL32.exe" NvMCTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"

O4 - HKLM\..\Run: [H2O] "C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [spySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [internodeUsage] D:\UTILIT~1\INTERN~1\MUMINT~1\mum.exe

O4 - HKCU\..\Run: [DAEMON Tools] "D:\Utilities\DAEMON Tools\daemon.exe" -lang 1033

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: WinZip Quick Pick.lnk = D:\Utilities\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jin...ows-i586-jc.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe

O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PDEngine - Raxco Software, Inc. - D:\Utilities\PerfectDisk v7.0.42\PDEngine.exe

O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - D:\Utilities\PerfectDisk v7.0.42\PDSched.exe

O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

MANY THANKS :)


Hi Bobbo12, :wave:

 

You’re most welcome, Bobbo12. :)

 

OK, let’s do this next. Please install a firewall.

 

Firewall (a must!)

It is definitely a must have. Some good FREE versions are Comodo, Outpost, or ZoneAlarm.

 

Test your Firewall and make sure it is working properly.

 

Note: You must only use 1 (one) firewall at a time because if you have 2 or more firewalls running at the same time, they will conflict with each other and make your security less reliable. Please also remember to turn off Windows Firewall once you have installed a new firewall.

 

 

NEXT:

 

Please go to: VirusTotal

  • At the top of the page you'll find a "Browse" button. Click the "Browse" button and browse to the following file:
     
    C:\WINDOWS\system32\ReWire.dll
     
     
  • Click "Open".
  • Then click the "Send File" button.
  • This will scan the file (the progress bar will show "Current status: scanning"). Please be patient.
  • Once scanned (the status box will display "Current status: finished"), copy and paste the results in your next reply.

Then please do the same as above for the following files:

 

C:\WINDOWS\system32\PhysXLoader.dll

 

 

NEXT:

 

Please download SREng (System Repair Engineer) by Smallfrogs and save it to your desktop:

  • Right-click sreng2.zip, select "Extract All", and extract it to its own folder.
  • Double-click SREng.exe to run it.
     
     
  • Select "Smart Scan" and check (tick) "Verify the digital signatures of process modules".
  • Click on the "Scan" button.
  • When the scan is complete, click on the "Save Reports" button and save the log to your desktop.
  • Please attach the log in your next reply. Don’t post it.

Note: You would have to rename SREngLog.log to SREngLog.txt before attaching it. If you cannot attach the log, then please copy and paste its contents into your next reply.

 

 

NEXT:

 

Please REBOOT your computer normally into Windows and post these logs in your next reply:

  1. The reports from VirusTotal.
  2. The log from the SREng scan.
  3. A new HijackThis log.

(You might have to paste the logs in multiple posts in the event they are too long and breach the post length restrictions of the forum software).


Hi, thanks again for the help so far. A few things:

* I did not install a firewall, because I actually already have Norton Internet Security 2007, with an active firewall. I checked its trusted programs list and there was nothing dodgy allowed, as far as I could tell.

* As for the two .dlls, I scanned them both with Virus Total, and neither contained ANY viruses, so I have not posted the logs.

* Unfortunately, it does not look like attachments have been enabled on my account, so I uploaded the .txt here:

 

http://rapidshare.com/files/42823558/LOG.txt.log.html

 

 

Here is my new HJT log:

 

Logfile of HijackThis v1.99.1

Scan saved at 5:59:02 PM, on 14/07/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Microsoft Hardware\Keyboard\type32.exe

C:\WINDOWS\ATKKBService.exe

C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

D:\UTILIT~1\INTERN~1\MUMINT~1\mum.exe

D:\Utilities\DAEMON Tools\daemon.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

D:\Utilities\WinZip\WZQKPICK.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\UAService7.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Webroot\Spy Sweeper\SSU.EXE

C:\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [intelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"

O4 - HKLM\..\Run: [Easy-PrintToolBox] "C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" /logon

O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install

O4 - HKLM\..\Run: [NvMediaCenter] "RunDLL32.exe" NvMCTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"

O4 - HKLM\..\Run: [H2O] "C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray

O4 - HKLM\..\Run: [CTDVDDET] ; "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"

O4 - HKLM\..\Run: [CTHelper] ; CTHELPER.EXE

O4 - HKLM\..\Run: [CTxfiHlp] ; CTXFIHLP.EXE

O4 - HKLM\..\Run: [RCSystem] ; "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup

O4 - HKLM\..\Run: [updReg] ; C:\WINDOWS\UpdReg.EXE

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [internodeUsage] D:\UTILIT~1\INTERN~1\MUMINT~1\mum.exe

O4 - HKCU\..\Run: [DAEMON Tools] "D:\Utilities\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKCU\..\Run: [Creative Detector] ; "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: WinZip Quick Pick.lnk = D:\Utilities\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jin...ows-i586-jc.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe

O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PDEngine - Raxco Software, Inc. - D:\Utilities\PerfectDisk v7.0.42\PDEngine.exe

O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - D:\Utilities\PerfectDisk v7.0.42\PDSched.exe

O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

I also thought I should mention that in the task manager, AppSvc32.exe seems to be often quite active (30-40%) and sometimes svchost is pretty active too.

 

 

Many thanks once again. Can you see a positive end in sight, or is this looking like I will have to wipe everything and reinstall Windows?

 

Your help is greatly appreciated,

 

Bobbo

Edited by Bobbo12

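The HijackThis logs in this thread are read by eye, section by section (R0/R1 browser settings, O2 BHOs, O4 autoruns, O9 buttons, O23 services). As an added example, not part of this thread, of HijackThis, or of any tool the helper lists, the following Python script parses lines in that format and attaches review hints: a path reported as "(file missing)", an O23 service with an unknown owner, an autorun launched from a temp or profile directory, or a BHO/button with no name. The sample log, the function names (parse_log, triage) and the hint labels are my own constructions modelled on the log format above. Hints are starting points for review, not verdicts: legitimate entries in this very thread (the Sun Java console button, the Symantec BHO) carry the same traits.

```python
"""Triage helper for HijackThis-style log lines.

Added example for this thread (not part of HijackThis or of the helper's
procedure). It parses "Oxx - description - {CLSID} - path" style lines,
groups them by section and attaches review hints. The sample log below is
constructed, modelled on the HijackThis v1.99 format seen in the thread.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample (assumed input), modelled on this thread's log format.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\User\Local Settings\Temp\updater.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# "O23 - <body>": section code, then the rest of the line.
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# A quoted path (may contain spaces), or an unquoted drive/%var% path read
# non-greedily up to the first executable-style extension.
PATH_RE = re.compile(
    r'"([^"]+)"'
    r"|((?:[A-Za-z]:|%[A-Za-z]+%)\\.*?\.(?:exe|dll|sys|ocx|scr|cab|lnk)\b)",
    re.IGNORECASE,
)
# Directories an autorun rarely has a legitimate reason to start from.
SUSPICIOUS_DIRS = ("\\temp\\", "\\application data\\", "\\recycler\\")


@dataclass
class Entry:
    section: str
    body: str
    path: Optional[str] = None
    clsid: Optional[str] = None
    flags: List[str] = field(default_factory=list)  # review hints, not verdicts


def extract_path(body: str) -> Optional[str]:
    """Return the first file path in a log line body, or None (e.g. URLs only)."""
    m = PATH_RE.search(body)
    if not m:
        return None
    return m.group(1) or m.group(2)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one Oxx/Rx line; header and 'Running processes' lines return None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    clsid = CLSID_RE.search(body)
    entry = Entry(section, body, extract_path(body), clsid.group(0) if clsid else None)
    if "(file missing)" in body:
        entry.flags.append("file-missing")
    if section == "O23" and "Unknown owner" in body:
        entry.flags.append("unknown-owner")
    if entry.path and any(d in entry.path.lower() for d in SUSPICIOUS_DIRS):
        entry.flags.append("temp-or-profile-path")
    if section in ("O2", "O3", "O9") and "(no name)" in body:
        entry.flags.append("no-name")
    return entry


def parse_log(text: str) -> List[Entry]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def triage(text: str) -> Dict[str, object]:
    """Count entries per section and list the ones carrying any hint."""
    entries = parse_log(text)
    by_section: Dict[str, int] = defaultdict(int)
    for e in entries:
        by_section[e.section] += 1
    flagged = [(e.section, e.path, list(e.flags)) for e in entries if e.flags]
    return {"total": len(entries), "by_section": dict(by_section), "flagged": flagged}


if __name__ == "__main__":
    for sec, path, flags in triage(SAMPLE_LOG)["flagged"]:
        print(f"{sec:<4} {', '.join(flags):<25} {path}")
```

The hints deliberately stay mechanical: "(file missing)" is a strong reason to look, but as the log above shows it also covers leftovers of uninstalled software such as the Messenger protocol handler, so each flagged path still needs the VirusTotal or manual check the helper describes.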

Hi Bobbo12, :wave:

 

You’re most welcome. :)

 

No worries, we’re almost done here. Just one more cleanup scan and some rootkit scans to do.

 

OK, let’s do this next.

 

BEFORE BEGINNING, Please read completely through the instructions below. Please also print these instructions or copy them to Notepad (or another word processor), and save it for easier reference. This is because we will be in Safe Mode during the fix and you won’t be able to access the Internet to view these instructions.

 

Please download SDFix by AndyManchesta and save it to your desktop.

 

Double-click SDFix.exe and it will extract the files to %systemdrive%

(Drive that contains the Windows Directory, typically C:\SDFix).

 

Please then reboot your computer into Safe Mode by doing the following:

  • Restart your computer.
  • After hearing your computer beep once during startup, but just before the Windows icon appears, tap the F8 key continually.
  • Instead of Windows loading as normal, a menu with options should appear.
  • Select the first option, to run Windows in "Safe Mode", then press "Enter".
  • Choose your usual account.

Once in Safe Mode, please do the following:

  • Open the extracted C:\SDFix folder and double-click on RunThis.bat to start the script.
  • Type "Y" to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found, then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process, then display "Finished", press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally, copy and paste the contents of the results file Report.txt back onto the forum.

 

NEXT:

 

Please download and save F-Secure BlackLight to your desktop.

  • Click the "I Accept" button at the bottom of the page.
  • Download the "Blacklight Beta graphical user interface version".
  • Double-click the fsbl.exe program that you downloaded to run BlackLight.
  • Click Scan -> Next.
  • After the scan you'll see a list of all items found. Please click "Next" and then "Exit". Do NOT choose rename for any items yet! I need to see the log first, because legitimate items can also be present there...
  • A log will be created on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx are numbers)
  • Please post the contents of the log in your next reply.

 

NEXT:

 

Please download GMER and save it to your desktop:

  • Unzip it to your desktop (right-click on the file and select "Extract All").
  • Disconnect from Internet and close all running programs.
  • There is a small chance this application may crash your computer so save any work you have open.
  • Double-click gmer.exe to run it.
  • Let the gmer.sys driver load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan... click "NO".
  • Click the "Rootkit" tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Then click the "Scan" button. Wait for the scan to finish.
  • Once done, click the "Copy" button.
  • This will copy the results to the clipboard. Open Notepad and press CTRL + V to paste the log, and save it to your desktop. Paste the results in your next reply.

If you're having problems with running gmer.exe, try it in Safe Mode.

This tool works in Safe Mode… other rootkit revealers don't.

 

 

NEXT:

 

Please REBOOT your computer normally into Windows and post these logs in your next reply:

  1. The log from the SDFix scan.
  2. The log from the BlackLight scan.
  3. The log from the GMER scan.
  4. A new ComboFix log.
  5. A new HijackThis log.

(You might have to paste the logs in multiple posts in the event they are too long and breach the post length restrictions of the forum software).

 

How are things running now?


Hi, thanks again. Unfortunately, even after these new things you asked me to do there has been no improvement. I also uninstalled Norton and installed Kaspersky instead, so I could run the complete scan offline. Nothing was found other than some items which were in Norton's quarantine, but I deleted these and the problem persists :(

 

BlackLight did not find any problematic files so I will not post the log. Here are the others:

 

SDFIX log:

 

 

SDFix: Version 1.91

 

Run by Administrator on Mon 16/07/2007 at 02:56 PM

 

Microsoft Windows XP [Version 5.1.2600]

 

Running From: C:\SDFix\SDFix

 

Safe Mode:

Checking Services:

 

 

Restoring Windows Registry Values

Restoring Windows Default Hosts File

Restoring Missing SharedAccess Service

 

Rebooting...

 

 

Normal Mode:

Checking Files:

 

No Trojan Files Found

 

 

 

 

Removing Temp Files...

 

ADS Check:

 

C:\WINDOWS

No streams found.

 

C:\WINDOWS\system32

No streams found.

 

C:\WINDOWS\system32\svchost.exe

No streams found.

 

C:\WINDOWS\system32\ntoskrnl.exe

No streams found.

 

 

 

Final Check:

 

Remaining Services:

------------------

 

 

 

Authorized Application Key Export:

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

 

Remaining Files:

---------------

 

 

Files with Hidden Attributes:

 

C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp

C:\Documents and Settings\User\Local Settings\Temp\BIT173.tmp

C:\Documents and Settings\User\Local Settings\Temp\BIT174.tmp

C:\Documents and Settings\User\Local Settings\Temp\BIT175.tmp

C:\Documents and Settings\User\Local Settings\Temp\BIT176.tmp

 

Finished

 

GMER log:

 

GMER 1.0.13.12551 - http://www.gmer.net

Rootkit scan 2007-07-16 15:23:46

Windows 5.1.2600 Service Pack 2

 

 

---- System - GMER 1.0.13 ----

 

SSDT 86536090 ZwAlertResumeThread

SSDT 8653CB78 ZwAlertThread

SSDT 86575C68 ZwAllocateVirtualMemory

SSDT 868A7B70 ZwConnectPort

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwCreateKey

SSDT 865DC308 ZwCreateMutant

SSDT 86B35CA0 ZwCreateProcess

SSDT 86B35C28 ZwCreateProcessEx

SSDT 8656AD98 ZwCreateThread

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwDeleteKey

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwDeleteValueKey

SSDT sptd.sys ZwEnumerateKey

SSDT sptd.sys ZwEnumerateValueKey

SSDT 8670EB30 ZwFreeVirtualMemory

SSDT 86547090 ZwImpersonateAnonymousToken

SSDT 865BF3F8 ZwImpersonateThread

SSDT 86616278 ZwMapViewOfSection

SSDT 86577360 ZwOpenEvent

SSDT sptd.sys ZwOpenKey

SSDT 865E9288 ZwOpenProcessToken

SSDT 868A7008 ZwOpenThreadToken

SSDT sptd.sys ZwQueryKey

SSDT sptd.sys ZwQueryValueKey

SSDT 86B357F0 ZwQueueApcThread

SSDT 86B35688 ZwReadVirtualMemory

SSDT 86B0B0A8 ZwRenameKey

SSDT 866046D0 ZwResumeThread

SSDT 86718708 ZwSetContextThread

SSDT 86AD9240 ZwSetInformationKey

SSDT 8657E088 ZwSetInformationProcess

SSDT 8670A390 ZwSetInformationThread

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwSetValueKey

SSDT 8664B668 ZwSuspendProcess

SSDT 865A2458 ZwSuspendThread

SSDT 8664C0B8 ZwTerminateProcess

SSDT 86523088 ZwTerminateThread

SSDT 8662C0B8 ZwUnmapViewOfSection

SSDT 865AAD98 ZwWriteVirtualMemory

 

---- Kernel code sections - GMER 1.0.13 ----

 

.text ntkrnlpa.exe!ZwCallbackReturn + 2D20 80503920 2 Bytes [ 88, 92 ]

? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.

.text USBPORT.SYS!DllUnload F5D0762C 5 Bytes JMP 86677758

? System32\Drivers\a5p4j8jp.SYS The system cannot find the file specified.

 

---- User code sections - GMER 1.0.13 ----

 

.text C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[628] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes [ AB, FA, C3, 83 ]

 

---- Kernel IAT/EAT - GMER 1.0.13 ----

 

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F734EAB4] sptd.sys

IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F734EBFA] sptd.sys

IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F734EB7C] sptd.sys

IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F734F728] sptd.sys

IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F734F5FE] sptd.sys

IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F7361C5A] sptd.sys

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] 86B35518

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] 86B35610

IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] 86B35610

IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] 86B35518

IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] 86B35518

IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] 86B35610

IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] 86B35610

IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] 86B35518

IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] 86B35610

IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] 86B35518

IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] 86B35610

IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] 86B35518

IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] 86B35610

IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] 86B35610

IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] 86B35518

 

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 86BCC1E8

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE 86BCC1E8

Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 86BCC1E8

Device \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE 86BCC1E8

Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION 86BCC1E8

Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION 86BCC1E8

Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA 86BCC1E8

Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA 86BCC1E8

Device \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS 86BCC1E8

Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION 86BCC1E8

Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION 86BCC1E8

Device \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL 86BCC1E8

Device \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL 86BCC1E8

Device \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL 86BCC1E8

Device \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN 86BCC1E8

Device \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL 86BCC1E8

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP 86BCC1E8

Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY 86BCC1E8

Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY 86BCC1E8

Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA 86BCC1E8

Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA 86BCC1E8

Device \FileSystem\Ntfs \Ntfs IRP_MJ_PNP 86BCC1E8

 

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F756AE00] SSFS0509.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F756AE00] SSFS0509.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F756AE00] SSFS0509.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F756AE00] SSFS0509.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F756AE00] SSFS0509.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F756AE00] SSFS0509.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F756AE00] SSFS0509.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F756AE00] SSFS0509.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F756AE00] SSFS0509.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F756AE00] SSFS0509.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F756AE00] SSFS0509.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F756AE00] SSFS0509.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F756AE00] SSFS0509.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F756AE00] SSFS0509.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F756AE00] SSFS0509.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F756AE00] SSFS0509.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F756AE00] SSFS0509.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F756AE00] SSFS0509.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F756AE00] SSFS0509.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F756AE00] SSFS0509.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F756AE00] SSFS0509.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F756AE00] SSFS0509.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F756AE00] SSFS0509.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F756AE00] SSFS0509.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F756AE00] SSFS0509.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F756AE00] SSFS0509.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F756AE00] SSFS0509.SYS

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F725B1DE] fltMgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F725B1DE] fltMgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F724EF4C] fltMgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F724EF4C] fltMgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F724EF4C] fltMgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F724EF4C] fltMgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F724EF4C] fltMgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F724EF4C] fltMgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F724EF4C] fltMgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F724EF4C] fltMgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F724EF4C] fltMgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F724EF4C] fltMgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F724EF4C] fltMgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F725B454] fltMgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F724EF4C] fltMgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F724EF4C] fltMgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F724EF4C] fltMgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F724EF4C] fltMgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F724EF4C] fltMgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F725B1DE] fltMgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F724EF4C] fltMgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F724EF4C] fltMgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F724EF4C] fltMgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F724EF4C] fltMgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F724EF4C] fltMgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F724EF4C] fltMgr.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F724EF4C] fltMgr.sys

 

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE 865F5158

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE 866CC3D0

Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE 866CC358

Device \Driver\Tcpip \Device\Ip IRP_MJ_READ 86918FA8

Device \Driver\Tcpip \Device\Ip IRP_MJ_WRITE 86918F30

Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION 865EFFA8

Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION 865EFF30

Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA 866E3888

Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA 866E3810

Device \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS 8661C210

Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION 8661C198

Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION 86524370

Device \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL 865242F8

Device \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL 865C1FA8

Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL 865C1F30

Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL 868413D0

Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN 86841358

Device \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL 865E0020

Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP 865E00F0

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT 865E72B0

Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY 865E7238

Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY 86624B40

Device \Driver\Tcpip \Device\Ip IRP_MJ_POWER 86624AC8

Device \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL 868775F8

Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE 86877580

Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA 86877508

Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA 868B4D30

Device \Driver\Tcpip \Device\Ip IRP_MJ_PNP 868B4CB8

 

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F33F9370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE [F33F9370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F33F9370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_READ [F33F9370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_WRITE [F33F9370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION [F33F9370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION [F33F9370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA [F33F9370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA [F33F9370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS [F33F9370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION [F33F9370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION [F33F9370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL [F33F9370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL [F33F9370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F33F9370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F33F9370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F33F9370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL [F33F9370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F33F9370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [F33F9370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY [F33F9370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY [F33F9370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_POWER [F33F9370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL [F33F9370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE [F33F9370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA [F33F9370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA [F33F9370] SYMTDI.SYS

 

Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_CREATE 864DA980

Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_CLOSE 864DA980

Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_DEVICE_CONTROL 864DA980

Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_INTERNAL_DEVICE_CONTROL 864DA980

Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_POWER 864DA980

Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_SYSTEM_CONTROL 864DA980

Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_PNP 864DA980

Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_CREATE 864DA980

Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_CLOSE 864DA980

Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_DEVICE_CONTROL 864DA980

Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_INTERNAL_DEVICE_CONTROL 864DA980

Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_POWER 864DA980

Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_SYSTEM_CONTROL 864DA980

Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_PNP 864DA980

Device \Driver\usbehci \Device\USBPDO-2 IRP_MJ_CREATE 8667A980

Device \Driver\usbehci \Device\USBPDO-2 IRP_MJ_CLOSE 8667A980

Device \Driver\usbehci \Device\USBPDO-2 IRP_MJ_DEVICE_CONTROL 8667A980

Device \Driver\usbehci \Device\USBPDO-2 IRP_MJ_INTERNAL_DEVICE_CONTROL 8667A980

Device \Driver\usbehci \Device\USBPDO-2 IRP_MJ_POWER 8667A980

Device \Driver\usbehci \Device\USBPDO-2 IRP_MJ_SYSTEM_CONTROL 8667A980

Device \Driver\usbehci \Device\USBPDO-2 IRP_MJ_PNP 8667A980

Device \Driver\usbuhci \Device\USBPDO-3 IRP_MJ_CREATE 864DA980

Device \Driver\usbuhci \Device\USBPDO-3 IRP_MJ_CLOSE 864DA980

Device \Driver\usbuhci \Device\USBPDO-3 IRP_MJ_DEVICE_CONTROL 864DA980

Device \Driver\usbuhci \Device\USBPDO-3 IRP_MJ_INTERNAL_DEVICE_CONTROL 864DA980

Device \Driver\usbuhci \Device\USBPDO-3 IRP_MJ_POWER 864DA980

Device \Driver\usbuhci \Device\USBPDO-3 IRP_MJ_SYSTEM_CONTROL 864DA980

Device \Driver\usbuhci \Device\USBPDO-3 IRP_MJ_PNP 864DA980

Device \Driver\usbuhci \Device\USBPDO-4 IRP_MJ_CREATE 864DA980

Device \Driver\usbuhci \Device\USBPDO-4 IRP_MJ_CLOSE 864DA980

Device \Driver\usbuhci \Device\USBPDO-4 IRP_MJ_DEVICE_CONTROL 864DA980

Device \Driver\usbuhci \Device\USBPDO-4 IRP_MJ_INTERNAL_DEVICE_CONTROL 864DA980

Device \Driver\usbuhci \Device\USBPDO-4 IRP_MJ_POWER 864DA980

Device \Driver\usbuhci \Device\USBPDO-4 IRP_MJ_SYSTEM_CONTROL 864DA980

Device \Driver\usbuhci \Device\USBPDO-4 IRP_MJ_PNP 864DA980

Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE 865F5158

Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE 866CC3D0

Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE 866CC358

Device \Driver\Tcpip \Device\Tcp IRP_MJ_READ 86918FA8

Device \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE 86918F30

Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION 865EFFA8

Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION 865EFF30

Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA 866E3888

Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA 866E3810

Device \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS 8661C210

Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION 8661C198

Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION 86524370

Device \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL 865242F8

Device \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL 865C1FA8

Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL 865C1F30

Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL 868413D0

Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN 86841358

Device \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL 865E0020

Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP 865E00F0

Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT 865E72B0

Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY 865E7238

Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY 86624B40

Device \Driver\Tcpip \Device\Tcp IRP_MJ_POWER 86624AC8

Device \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL 868775F8

Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE 86877580

Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA 86877508

Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA 868B4D30

Device \Driver\Tcpip \Device\Tcp IRP_MJ_PNP 868B4CB8

 

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F33F9370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE [F33F9370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F33F9370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_READ [F33F9370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE [F33F9370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION [F33F9370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION [F33F9370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA [F33F9370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA [F33F9370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS [F33F9370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION [F33F9370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION [F33F9370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL [F33F9370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL [F33F9370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F33F9370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F33F9370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F33F9370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL [F33F9370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F33F9370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [F33F9370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY [F33F9370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY [F33F9370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_POWER [F33F9370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL [F33F9370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE [F33F9370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA [F33F9370] SYMTDI.SYS

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA [F33F9370] SYMTDI.SYS

 

Device \Driver\usbuhci \Device\USBPDO-5 IRP_MJ_CREATE 864DA980

Device \Driver\usbuhci \Device\USBPDO-5 IRP_MJ_CLOSE 864DA980

Device \Driver\usbuhci \Device\USBPDO-5 IRP_MJ_DEVICE_CONTROL 864DA980

Device \Driver\usbuhci \Device\USBPDO-5 IRP_MJ_INTERNAL_DEVICE_CONTROL 864DA980

Device \Driver\usbuhci \Device\USBPDO-5 IRP_MJ_POWER 864DA980

Device \Driver\usbuhci \Device\USBPDO-5 IRP_MJ_SYSTEM_CONTROL 864DA980

Device \Driver\usbuhci \Device\USBPDO-5 IRP_MJ_PNP 864DA980

Device \Driver\usbehci \Device\USBPDO-6 IRP_MJ_CREATE 8667A980

Device \Driver\usbehci \Device\USBPDO-6 IRP_MJ_CLOSE 8667A980

Device \Driver\usbehci \Device\USBPDO-6 IRP_MJ_DEVICE_CONTROL 8667A980

Device \Driver\usbehci \Device\USBPDO-6 IRP_MJ_INTERNAL_DEVICE_CONTROL 8667A980

Device \Driver\usbehci \Device\USBPDO-6 IRP_MJ_POWER 8667A980

Device \Driver\usbehci \Device\USBPDO-6 IRP_MJ_SYSTEM_CONTROL 8667A980

Device \Driver\usbehci \Device\USBPDO-6 IRP_MJ_PNP 8667A980

Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE 86BCE1E8

Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_READ 86BCE1E8

Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_WRITE 86BCE1E8

Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FLUSH_BUFFERS 86BCE1E8

Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CONTROL 86BCE1E8

Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_INTERNAL_DEVICE_CONTROL 86BCE1E8

Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SHUTDOWN 86BCE1E8

Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CLEANUP 86BCE1E8

Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_POWER 86BCE1E8

Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SYSTEM_CONTROL 86BCE1E8

Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_PNP 86BCE1E8

Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CREATE 86BCE1E8

Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_READ 86BCE1E8

Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_WRITE 86BCE1E8

Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_FLUSH_BUFFERS 86BCE1E8

Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_DEVICE_CONTROL 86BCE1E8

Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_INTERNAL_DEVICE_CONTROL 86BCE1E8

Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SHUTDOWN 86BCE1E8

Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CLEANUP 86BCE1E8

Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_POWER 86BCE1E8

Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SYSTEM_CONTROL 86BCE1E8

Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_PNP 86BCE1E8

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 864DB980

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 864DB980

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 864DB980

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 864DB980

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 864DB980

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 864DB980

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 864DB980

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 864DB980

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 864DB980

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 864DB980

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 864DB980

Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_CREATE 86BCE1E8

Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_READ 86BCE1E8

Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_WRITE 86BCE1E8

Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_FLUSH_BUFFERS 86BCE1E8

Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_DEVICE_CONTROL 86BCE1E8

Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_INTERNAL_DEVICE_CONTROL 86BCE1E8

Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_SHUTDOWN 86BCE1E8

Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_CLEANUP 86BCE1E8

Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_POWER 86BCE1E8

Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_SYSTEM_CONTROL 86BCE1E8

Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_PNP 86BCE1E8

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 864DB980

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLOSE 864DB980

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_READ 864DB980

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_WRITE 864DB980

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FLUSH_BUFFERS 864DB980

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CONTROL 864DB980

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_INTERNAL_DEVICE_CONTROL 864DB980

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SHUTDOWN 864DB980

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_POWER 864DB980

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SYSTEM_CONTROL


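The GMER section above lists, for each device object, the owning driver's own IRP dispatch addresses (`Device` lines) and the modules attached on top of that device together with their hook addresses (`AttachedDevice` lines). The Python script below is an added example for reading that section; it is not part of the original post and not GMER's own code. It parses a constructed subset of the lines copied from the log above, summarises which modules sit in each device stack, reports the ones outside a baseline (only fltMgr.sys, Filter Manager, which ships with Windows XP SP2; that baseline and the function names are assumptions of this example), and counts how many distinct dispatch addresses each device reports. It makes no judgement about whether a module is legitimate: the analyst still cross-checks each name (SSFS0509.SYS, SYMTDI.SYS) against the products the ComboFix and HijackThis logs show installed.

```python
import re
from collections import defaultdict

# A constructed subset of the GMER "Device"/"AttachedDevice" lines posted above.
# Raw string: the device paths contain backslashes such as \Ntfs.
SAMPLE_LOG = r"""
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 86BCC1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 86BCC1E8
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F756AE00] SSFS0509.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F756AE00] SSFS0509.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F725B1DE] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F724EF4C] fltMgr.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE 865F5158
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL 865C1F30
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F33F9370] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F33F9370] SYMTDI.SYS
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_CREATE 864DA980
"""

# Modules treated as an expected part of a device stack on this OS.
# fltMgr.sys (Filter Manager) ships with Windows XP SP2; anything else is
# reported for the analyst to check. This baseline is an assumption.
BASELINE_MODULES = frozenset({"fltmgr.sys"})

# "Device"         <driver> <device> <IRP_MJ_x> <dispatch address>
# "AttachedDevice" <driver> <device> <IRP_MJ_x> [<hook address>] <module>
# A truncated line without an address (as at the end of the log) does not match.
LINE_RE = re.compile(
    r"^(?P<kind>Device|AttachedDevice)\s+"
    r"(?P<driver>\S+)\s+(?P<device>\S+)\s+"
    r"(?P<irp>IRP_MJ_\w+)\s+"
    r"(?:\[(?P<hook_addr>[0-9A-Fa-f]+)\]\s+(?P<module>\S+)|(?P<addr>[0-9A-Fa-f]+))\s*$"
)


def parse_hooks(text):
    """Parse GMER Device/AttachedDevice lines into dicts; other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        g = m.groupdict()
        entries.append({
            "kind": g["kind"],
            "driver": g["driver"],
            "device": g["device"],
            "irp": g["irp"],
            "address": (g["hook_addr"] or g["addr"]).upper(),
            "module": g["module"],  # None on Device lines (the driver's own dispatch)
        })
    return entries


def stack_summary(entries):
    """Map each device object to the set of module names attached on top of it."""
    stacks = {}
    for e in entries:
        mods = stacks.setdefault(e["device"], set())
        if e["kind"] == "AttachedDevice":
            mods.add(e["module"])
    return stacks


def nonbaseline_modules(stacks, baseline=BASELINE_MODULES):
    """Devices with attached modules outside the baseline, modules sorted by name."""
    out = {}
    for device, mods in stacks.items():
        extra = sorted(m for m in mods if m.lower() not in baseline)
        if extra:
            out[device] = extra
    return out


def dispatch_spread(entries):
    """Number of distinct dispatch addresses reported per device (Device lines only).

    Ntfs routes every IRP major to one address, while the Tcpip device in the
    log above reports a different address for each IRP. The count alone does
    not say whether that is the driver's own design or a third-party patch;
    deciding that needs module address ranges, which this log section lacks.
    """
    seen = defaultdict(set)
    for e in entries:
        if e["kind"] == "Device":
            seen[e["device"]].add(e["address"])
    return {device: len(addrs) for device, addrs in seen.items()}


if __name__ == "__main__":
    parsed = parse_hooks(SAMPLE_LOG)
    stacks = stack_summary(parsed)
    for device in sorted(stacks):
        attached = ", ".join(sorted(stacks[device])) or "(none)"
        print(f"{device:<22} attached: {attached}")
    print("non-baseline:", nonbaseline_modules(stacks))
    print("dispatch spread:", dispatch_spread(parsed))
```

Run it against the full GMER output by replacing `SAMPLE_LOG` with the pasted text; only the `Device`/`AttachedDevice` lines are consumed, so the IAT and other sections can stay in the input.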
Combo LOG:

 

"User" - 2007-07-16 15:25:31 - ComboFix 07-07-13.8 - Service Pack 2 NTFS

 

 

((((((((((((((((((((((((( Files Created from 2007-06-16 to 2007-07-16 )))))))))))))))))))))))))))))))

 

 

2007-07-16 14:55 <DIR> d-------- C:\WINDOWS\ERUNT

2007-07-13 17:33 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab

2007-07-13 17:20 51,200 --a------ C:\WINDOWS\nircmd.exe

2007-07-13 15:57 233,472 --a------ C:\WINDOWS\system32\REX Shared Library.dll

2007-07-13 15:57 225,280 --a------ C:\WINDOWS\system32\ReWire.dll

2007-07-13 15:57 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\Propellerhead Software

2007-07-13 15:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Propellerhead Software

2007-07-12 14:07 <DIR> d-------- C:\Program Files\Microsoft Games

2007-07-06 18:21 <DIR> d-------- C:\HJT

2007-07-06 18:18 4,238 --a------ C:\WINDOWS\system32\tmp.reg

2007-07-05 12:50 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Webroot

2007-06-30 16:54 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\Roni Music

2007-06-25 19:30 1 --a------ C:\DOCUME~1\User\SI.bin

2007-06-23 15:15 <DIR> d-------- C:\WINDOWS\lhsp

2007-06-23 15:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\NCH Swift Sound

2007-06-23 15:08 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\NCH Swift Sound

2007-06-19 13:33 73,216 --a------ C:\WINDOWS\ST6UNST.EXE

2007-06-19 13:33 286,720 --------- C:\WINDOWS\Setup1.exe

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-07-14 07:57:02 -------- d-----w C:\Program Files\Common Files\Symantec Shared

2007-07-13 06:49:14 -------- d--h--w C:\Program Files\InstallShield Installation Information

2007-07-06 06:42:55 -------- d-----w C:\Program Files\BFG

2007-07-04 11:14:01 -------- d-----w C:\DOCUME~1\User\APPLIC~1\Azureus

2007-07-04 00:46:10 21,480 ----a-w C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT

2007-06-28 07:30:02 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll

2007-06-25 10:13:47 -------- d-----w C:\DOCUME~1\User\APPLIC~1\Petroglyph

2007-06-25 09:39:13 -------- d-----w C:\DOCUME~1\User\APPLIC~1\Lionhead Studios

2007-06-08 07:06:07 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2007-06-08 07:05:20 -------- d-----w C:\Program Files\AGEIA Technologies

2007-06-08 07:02:29 -------- d-----w C:\DOCUME~1\User\APPLIC~1\InstallShield

2007-06-06 22:07:24 40,667 ----a-w C:\WINDOWS\nsreg.dat

2007-06-06 10:53:27 -------- d-----w C:\Program Files\Common Files\Real

2007-06-05 06:45:15 -------- d-----w C:\Program Files\Real

2007-06-05 06:44:54 -------- d-----w C:\Program Files\Netscape

2007-06-05 06:23:51 -------- d-----w C:\DOCUME~1\User\APPLIC~1\InterTrust

2007-05-28 11:40:42 -------- d-----w C:\Program Files\Common Files\InstallShield

2007-05-27 05:02:44 -------- d-----w C:\Program Files\Ubisoft

2007-05-27 04:11:56 81,920 ----a-w C:\WINDOWS\system32\OpenAL32.dll

2007-05-26 11:23:27 -------- d-----w C:\Program Files\Avid

2007-05-26 11:16:19 -------- d-----w C:\DOCUME~1\User\APPLIC~1\combustion4

2007-05-26 11:10:59 -------- d-----w C:\DOCUME~1\User\APPLIC~1\Apple Computer

2007-05-21 11:42:28 -------- d-----w C:\Program Files\K-Lite Codec Pack

2007-05-20 11:45:15 -------- d-----w C:\DOCUME~1\User\APPLIC~1\DivX

2007-05-20 01:50:08 -------- d-----w C:\Program Files\DivX

2007-05-15 09:06:58 71,208 ----a-w C:\WINDOWS\system32\PhysXLoader.dll

2007-05-11 17:54:15 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe

2007-05-11 04:37:15 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll

2007-05-11 04:37:15 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll

2007-05-11 04:37:15 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll

2007-05-11 04:37:15 740,442 ----a-w C:\WINDOWS\system32\DivX.dll

2007-04-23 00:15:29 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll

2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll

2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll

2007-04-23 00:02:34 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll

2007-04-23 00:02:34 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll

2007-04-23 00:02:33 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll

2007-04-23 00:02:31 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll

2007-04-23 00:02:31 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll

2007-04-23 00:02:31 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll

2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll

2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll

2007-04-23 00:01:47 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll

2007-04-23 00:01:46 124,472 ----a-w C:\WINDOWS\system32\DivXCodecUpdateChecker.exe

2007-04-19 00:21:33 48,776 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL

2007-04-16 12:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll

2007-04-16 12:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll

2007-04-16 12:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll

2007-04-16 12:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll

2007-04-16 12:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll

2007-04-16 12:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll

2007-04-16 12:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe

2007-04-16 12:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

2006-10-22 23:08 62080 --a------ C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1E8A6170-7264-4D0F-BEAE-D42A53123C75}]

2007-01-12 17:04 96936 -ra------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]

2006-12-15 02:23 440056 --a------ C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 18:56 C:\WINDOWS\RTHDCPL.exe]

"SkyTel"="SkyTel.EXE" [2006-05-16 20:04 C:\WINDOWS\SkyTel.exe]

"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 18:42]

"IntelliType"="C:\Program Files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-22 14:41]

"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 11:10]

"nwiz"="nwiz.exe" [2006-10-22 11:22 C:\WINDOWS\system32\nwiz.exe]

"NvMediaCenter"="RunDLL32.exe" [2006-02-28 22:00 C:\WINDOWS\system32\rundll32.exe]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 02:23]

"H2O"="C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [2005-10-23 00:00]

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 15:59]

"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-01-14 17:11]

"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-16 17:15]

"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 17:15]

"CTDVDDET"="C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" []

"CTHelper"="CTHELPER.EXE" []

"CTxfiHlp"="CTXFIHLP.EXE" []

"RCSystem"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" []

"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-03-01 19:55]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 22:00]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 02:24]

"InternodeUsage"="D:\UTILIT~1\INTERN~1\MUMINT~1\mum.exe" [2007-01-30 17:00]

"DAEMON Tools"="D:\Utilities\DAEMON Tools\daemon.exe" [2006-11-12 20:48]

"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" []

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]

 

*Newly Created Service* - COMHOST

*Newly Created Service* - GMER

 

Contents of the 'Scheduled Tasks' folder

2007-07-09 10:00:17 C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - User.job

 

**************************************************************************

 

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-07-16 15:26:24

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Completion time: 2007-07-16 15:26:45

 

--- E O F ---

HJT Log:

 

Logfile of HijackThis v1.99.1

Scan saved at 3:40:26 PM, on 16/07/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\WINDOWS\ATKKBService.exe

C:\Program Files\Microsoft Hardware\Keyboard\type32.exe

C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

D:\UTILIT~1\INTERN~1\MUMINT~1\mum.exe

D:\Utilities\DAEMON Tools\daemon.exe

D:\Utilities\WinZip\WZQKPICK.EXE

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\UAService7.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe

C:\Program Files\Webroot\Spy Sweeper\SSU.EXE

C:\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [intelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"

O4 - HKLM\..\Run: [Easy-PrintToolBox] "C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" /logon

O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install

O4 - HKLM\..\Run: [NvMediaCenter] "RunDLL32.exe" NvMCTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"

O4 - HKLM\..\Run: [H2O] "C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [CTDVDDET] ; "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"

O4 - HKLM\..\Run: [CTHelper] ; CTHELPER.EXE

O4 - HKLM\..\Run: [CTxfiHlp] ; CTXFIHLP.EXE

O4 - HKLM\..\Run: [RCSystem] ; "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup

O4 - HKLM\..\Run: [spySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [internodeUsage] D:\UTILIT~1\INTERN~1\MUMINT~1\mum.exe

O4 - HKCU\..\Run: [DAEMON Tools] "D:\Utilities\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKCU\..\Run: [Creative Detector] ; "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: WinZip Quick Pick.lnk = D:\Utilities\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jin...ows-i586-jc.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe

O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PDEngine - Raxco Software, Inc. - D:\Utilities\PerfectDisk v7.0.42\PDEngine.exe

O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - D:\Utilities\PerfectDisk v7.0.42\PDSched.exe

O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


Once again, many thanks (goodness knows how long it must take you to read through these things, so I am greatly appreciative!)

 

Bobbo


Hi Bobbo12, :wave:

 

You’re most welcome, Bobbo12. :)

 

I take it that the only problem on your system is that you cannot access Task Manager in Normal Mode?

 

OK, let’s fix some leftovers, and then see whether we can fix your Task Manager problem.

 

For this next step, please ensure that ComboFix.exe is on your desktop:

  • Then, please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
    (start copying from "File::")

    File::
    C:\Documents and Settings\User\Local Settings\Temp\BIT173.tmp
    C:\Documents and Settings\User\Local Settings\Temp\BIT174.tmp
    C:\Documents and Settings\User\Local Settings\Temp\BIT175.tmp
    C:\Documents and Settings\User\Local Settings\Temp\BIT176.tmp

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    [screenshot: CFScript.gif]

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION:

Please do NOT mouse-click ComboFix's window while it is running. That may cause it to stall.

Also, please do NOT adjust your time format while ComboFix is running.

 

 

NEXT:

 

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

(start copying from "Windows Registry Editor Version 5.00")

 

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalUser\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
"**del.DisableTaskMgr"=" "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\]
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DisableCAD"=dword:00000000

 

Save this as fix.reg and change the "Save as type" to "All Files" and place it on your desktop.

 

It should look like this: reg.gif

 

Double-click on it and when it asks you if you want to merge the contents to the registry, click "Yes" or "OK". You should receive a message that it was successful.

 

In case you still are unsure on how to create a REG file, please take a look HERE with screenshots.

 

REBOOT afterwards.... really important!

 

 

NEXT:

 

Please REBOOT your computer normally into Windows and post these logs in your next reply:

  1. The log from the ComboFix scan located at C:\ComboFix.txt.
  2. A new HijackThis log.

(You might have to paste the logs in multiple posts in the event they are too long and breach the post length restrictions of the forum software).

 

How are things running now?

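The .reg file in the post above re-enables Task Manager by writing the DisableTaskMgr and DisableCAD policy values back to 0. As an added example, not code from the thread or from any of the tools it mentions, here is a small Python parser for that .reg syntax together with a check that a fix script only touches those two lockout values and the policy keys they live in, so a script from a forum can be reviewed mechanically before it is merged. The embedded script text is the one posted above; the allowlist of keys, the value names treated as "lockout" values and the function names are my own assumptions.

```python
import re

# The Task Manager fix posted in the thread, embedded verbatim so this runs offline.
FIX_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalUser\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
"**del.DisableTaskMgr"=" "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\]
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DisableCAD"=dword:00000000
'''

HEADER = "Windows Registry Editor Version 5.00"   # REGEDIT5 header; the only one accepted here
_SECTION = re.compile(r'^\[(-?)(.+?)\]$')          # [KEY] or [-KEY] (key deletion)
_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')  # "name"=<rhs>


def parse_reg(text):
    """Parse a .reg file into {key: {value_name: value}}.

    Supported right-hand sides: dword:XXXXXXXX (int), "string" (str) and
    '-' (value deletion, stored as None). A [-KEY] section is a key deletion,
    stored as None. Anything else raises ValueError so it cannot slip past
    the audit unnoticed.
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() != HEADER:
        raise ValueError("missing or unexpected .reg header")
    result, current = {}, None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        m = _SECTION.match(line)
        if m:
            delete, key = m.groups()
            key = key.rstrip('\\')          # regedit tolerates a trailing backslash; normalise it
            if delete:
                result[key] = None
                current = None
            else:
                current = result.setdefault(key, {})
            continue
        m = _VALUE.match(line)
        if m is None or current is None:
            raise ValueError("unparseable line: %r" % raw)
        name, rhs = m.groups()
        if rhs == '-':
            current[name] = None
        elif rhs.startswith('dword:'):
            current[name] = int(rhs[len('dword:'):], 16)
        elif len(rhs) >= 2 and rhs[0] == '"' and rhs[-1] == '"':
            current[name] = re.sub(r'\\(.)', r'\1', rhs[1:-1])   # unescape \\ and \"
        else:
            raise ValueError("unsupported value syntax: %r" % raw)
    return result


# Assumed allowlist: the only keys a Task Manager / Ctrl+Alt+Del fix should touch,
# matched as case-insensitive suffixes so HKCU, HKLM and the Group Policy mirror all qualify.
ALLOWED_KEY_SUFFIXES = (
    r'\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    r'\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
)
LOCKOUT_VALUES = ('DisableTaskMgr', 'DisableCAD')


def audit_fix(text):
    """Return a list of problems; empty means the script only resets the lockout values."""
    problems = []
    suffixes = tuple(s.lower() for s in ALLOWED_KEY_SUFFIXES)
    for key, values in parse_reg(text).items():
        if not key.lower().endswith(suffixes):
            problems.append("unexpected key: " + key)
            continue
        if values is None:
            problems.append("deletes whole key: " + key)
            continue
        for name, value in values.items():
            if name in LOCKOUT_VALUES:
                if value not in (0, None):          # must be reset to 0 or removed
                    problems.append("%s\\%s still set to %r" % (key, name, value))
            elif name.startswith('**del.') and name[len('**del.'):] in LOCKOUT_VALUES:
                continue                            # companion marker the posted script sets; accept it
            else:
                problems.append("unrelated value %s in %s" % (name, key))
    return problems


if __name__ == '__main__':
    for key, values in parse_reg(FIX_REG).items():
        print(key, values)
    print("problems:", audit_fix(FIX_REG) or "none")
```

The parser deliberately rejects syntax it does not understand (hex(2): binary blobs, @ default values) rather than skipping it, because a script that is only partly understood cannot be called safe to merge.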

No, the problem which persists since the beginning is that those hidden BIT***.tmp files (the ones you want me to scan with ComboFix) keep getting created when I connect to the internet, at a rate of approx. 1 per second. Those ones you want me to scan are just an example of these files, because I usually delete them every few minutes; a few minutes on the net creates hundreds of them, and they all have different names (though they are all in the format "BIT***.tmp"). The constant creation of these files makes system performance very poor. This is the problem which I hope to fix.

 

(PS: I enabled the Task Manager a while ago with a very simple registry change, thanks anyway :) )

 

 

Here is the new ComboFix log. I had to scan different BIT***.tmp files because I must have deleted the original ones you wanted me to scan. So I just connected to the net and waited for some new ones to be created by the virus, and I scanned them with ComboFix.

 

"User" - 2007-07-17 11:45:33 - ComboFix 07-07-13.8 - Service Pack 2 NTFS

Command switches used :: C:\Documents and Settings\User\Desktop\CFScript.txt

 

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\Documents and Settings\User\Local Settings\Temp\BIT10B.tmp

C:\Documents and Settings\User\Local Settings\Temp\BIT10C.tmp

C:\Documents and Settings\User\Local Settings\Temp\BIT10D.tmp

C:\Documents and Settings\User\Local Settings\Temp\BIT10E.tmp

 

 

((((((((((((((((((((((((( Files Created from 2007-06-17 to 2007-07-17 )))))))))))))))))))))))))))))))

 

 

2007-07-16 17:46 82,258 --a------ C:\WINDOWS\system32\drivers\klin.dat

2007-07-16 17:46 82,258 --a------ C:\WINDOWS\system32\drivers\klick.dat

2007-07-16 17:45 4,897,568 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat

2007-07-16 17:45 15,136 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat

2007-07-16 17:45 <DIR> d-------- C:\Program Files\Kaspersky Lab

2007-07-16 17:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab

2007-07-16 16:28 <DIR> d-------- C:\KAV

2007-07-16 14:55 <DIR> d-------- C:\WINDOWS\ERUNT

2007-07-13 17:33 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab

2007-07-13 17:20 51,200 --a------ C:\WINDOWS\nircmd.exe

2007-07-13 15:57 233,472 --a------ C:\WINDOWS\system32\REX Shared Library.dll

2007-07-13 15:57 225,280 --a------ C:\WINDOWS\system32\ReWire.dll

2007-07-13 15:57 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\Propellerhead Software

2007-07-13 15:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Propellerhead Software

2007-07-12 14:07 <DIR> d-------- C:\Program Files\Microsoft Games

2007-07-06 18:21 <DIR> d-------- C:\HJT

2007-07-06 18:18 4,238 --a------ C:\WINDOWS\system32\tmp.reg

2007-07-05 12:50 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Webroot

2007-06-30 16:54 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\Roni Music

2007-06-25 19:30 1 --a------ C:\DOCUME~1\User\SI.bin

2007-06-23 15:15 <DIR> d-------- C:\WINDOWS\lhsp

2007-06-23 15:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\NCH Swift Sound

2007-06-23 15:08 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\NCH Swift Sound

2007-06-19 13:33 73,216 --a------ C:\WINDOWS\ST6UNST.EXE

2007-06-19 13:33 286,720 --------- C:\WINDOWS\Setup1.exe

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-07-16 11:08:45 -------- d-----w C:\Program Files\Common Files\Symantec Shared

2007-07-16 07:53:43 3,476 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx

2007-07-16 07:53:43 1,172 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx

2007-07-13 06:49:14 -------- d--h--w C:\Program Files\InstallShield Installation Information

2007-07-06 06:42:55 -------- d-----w C:\Program Files\BFG

2007-07-04 11:14:01 -------- d-----w C:\DOCUME~1\User\APPLIC~1\Azureus

2007-07-04 00:46:10 21,480 ----a-w C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT

2007-06-28 07:30:02 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll

2007-06-25 10:13:47 -------- d-----w C:\DOCUME~1\User\APPLIC~1\Petroglyph

2007-06-25 09:39:13 -------- d-----w C:\DOCUME~1\User\APPLIC~1\Lionhead Studios

2007-06-08 07:06:07 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2007-06-08 07:05:20 -------- d-----w C:\Program Files\AGEIA Technologies

2007-06-08 07:02:29 -------- d-----w C:\DOCUME~1\User\APPLIC~1\InstallShield

2007-06-06 22:07:24 40,667 ----a-w C:\WINDOWS\nsreg.dat

2007-06-06 10:53:27 -------- d-----w C:\Program Files\Common Files\Real

2007-06-05 06:45:15 -------- d-----w C:\Program Files\Real

2007-06-05 06:44:54 -------- d-----w C:\Program Files\Netscape

2007-06-05 06:23:51 -------- d-----w C:\DOCUME~1\User\APPLIC~1\InterTrust

2007-05-28 11:40:42 -------- d-----w C:\Program Files\Common Files\InstallShield

2007-05-27 05:02:44 -------- d-----w C:\Program Files\Ubisoft

2007-05-27 04:11:56 81,920 ----a-w C:\WINDOWS\system32\OpenAL32.dll

2007-05-26 11:23:27 -------- d-----w C:\Program Files\Avid

2007-05-26 11:16:19 -------- d-----w C:\DOCUME~1\User\APPLIC~1\combustion4

2007-05-26 11:10:59 -------- d-----w C:\DOCUME~1\User\APPLIC~1\Apple Computer

2007-05-21 11:42:28 -------- d-----w C:\Program Files\K-Lite Codec Pack

2007-05-20 11:45:15 -------- d-----w C:\DOCUME~1\User\APPLIC~1\DivX

2007-05-20 01:50:08 -------- d-----w C:\Program Files\DivX

2007-05-15 09:06:58 71,208 ----a-w C:\WINDOWS\system32\PhysXLoader.dll

2007-05-11 17:54:15 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe

2007-05-11 04:37:15 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll

2007-05-11 04:37:15 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll

2007-05-11 04:37:15 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll

2007-05-11 04:37:15 740,442 ----a-w C:\WINDOWS\system32\DivX.dll

2007-04-23 00:15:29 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll

2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll

2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll

2007-04-23 00:02:34 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll

2007-04-23 00:02:34 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll

2007-04-23 00:02:33 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll

2007-04-23 00:02:31 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll

2007-04-23 00:02:31 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll

2007-04-23 00:02:31 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll

2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll

2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll

2007-04-23 00:01:47 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll

2007-04-23 00:01:46 124,472 ----a-w C:\WINDOWS\system32\DivXCodecUpdateChecker.exe

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

2006-10-22 23:08 62080 --a------ C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]

2007-07-12 04:00 501136 --a------ C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 18:56 C:\WINDOWS\RTHDCPL.exe]

"SkyTel"="SkyTel.EXE" [2006-05-16 20:04 C:\WINDOWS\SkyTel.exe]

"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 18:42]

"IntelliType"="C:\Program Files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-22 14:41]

"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 11:10]

"nwiz"="nwiz.exe" [2006-10-22 11:22 C:\WINDOWS\system32\nwiz.exe]

"NvMediaCenter"="RunDLL32.exe" [2006-02-28 22:00 C:\WINDOWS\system32\rundll32.exe]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

"H2O"="C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [2005-10-23 00:00]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-16 17:15]

"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 17:15]

"CTDVDDET"="C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" []

"CTHelper"="CTHELPER.EXE" []

"CTxfiHlp"="CTXFIHLP.EXE" []

"RCSystem"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" []

"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-03-01 19:55]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 22:00]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 02:24]

"InternodeUsage"="D:\UTILIT~1\INTERN~1\MUMINT~1\mum.exe" [2007-01-30 17:00]

"DAEMON Tools"="D:\Utilities\DAEMON Tools\daemon.exe" [2006-11-12 20:48]

"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" []

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]

 

 

**************************************************************************

 

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-07-17 11:46:44

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Completion time: 2007-07-17 11:47:06

C:\ComboFix-quarantined-files.txt ... 2007-07-17 11:47

C:\ComboFix2.txt ... 2007-07-16 15:26

 

--- E O F ---


HJT log:

 

 

Logfile of HijackThis v1.99.1

Scan saved at 11:53:28 AM, on 17/07/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Microsoft Hardware\Keyboard\type32.exe

C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\ATKKBService.exe

D:\UTILIT~1\INTERN~1\MUMINT~1\mum.exe

D:\Utilities\DAEMON Tools\daemon.exe

C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

D:\Utilities\WinZip\WZQKPICK.EXE

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\UAService7.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Webroot\Spy Sweeper\SSU.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [intelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"

O4 - HKLM\..\Run: [Easy-PrintToolBox] "C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" /logon

O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install

O4 - HKLM\..\Run: [NvMediaCenter] "RunDLL32.exe" NvMCTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

O4 - HKLM\..\Run: [H2O] "C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [CTDVDDET] ; "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"

O4 - HKLM\..\Run: [CTHelper] ; CTHELPER.EXE

O4 - HKLM\..\Run: [CTxfiHlp] ; CTXFIHLP.EXE

O4 - HKLM\..\Run: [RCSystem] ; "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup

O4 - HKLM\..\Run: [spySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [internodeUsage] D:\UTILIT~1\INTERN~1\MUMINT~1\mum.exe

O4 - HKCU\..\Run: [DAEMON Tools] "D:\Utilities\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKCU\..\Run: [Creative Detector] ; "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: WinZip Quick Pick.lnk = D:\Utilities\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll

O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe

O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PDEngine - Raxco Software, Inc. - D:\Utilities\PerfectDisk v7.0.42\PDEngine.exe

O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - D:\Utilities\PerfectDisk v7.0.42\PDSched.exe

O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

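The HijackThis log above is reviewed by eye in the thread. As an added example, not code from the thread or from the HijackThis project, here is a small Python parser that turns a handful of lines copied from that log into records and pulls out the entries a reviewer looks at first: targets marked "(file missing)", services listed with "Unknown owner", and Run entries whose executable is given without a full path (Windows then locates it through its normal search order rather than a fixed location). The sample is a subset of the posted log, and the record layout, flag names and regular expressions are my own.

```python
import re

# A handful of lines copied from the HijackThis log posted above (a subset, not the whole log).
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [spySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [DAEMON Tools] "D:\Utilities\DAEMON Tools\daemon.exe" -lang 1033
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Utilities\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# O4 Run entries: "O4 - HKLM\..\Run: [name] command"; some logs show a stray ';' after the name.
_RUN = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] ;?\s*(.*)$')
_STARTUP = re.compile(r'^O4 - Global Startup: (.+?) = (.*)$')
# O23 services: "O23 - Service: display name (short) - owner - image path"
_SERVICE = re.compile(r'^O23 - Service: (.+?) - (.+?) - (.*)$')
_GENERIC = re.compile(r'^([RO]\d+) - (.*)$')


def parse_hjt(text):
    """Turn HijackThis log lines into dict records; unknown sections keep only the raw text."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _RUN.match(line)
        if m:
            entries.append({'section': 'O4', 'hive': m.group(1), 'name': m.group(2),
                            'target': m.group(3), 'raw': line})
            continue
        m = _STARTUP.match(line)
        if m:
            entries.append({'section': 'O4', 'hive': 'Startup', 'name': m.group(1),
                            'target': m.group(2), 'raw': line})
            continue
        m = _SERVICE.match(line)
        if m:
            entries.append({'section': 'O23', 'name': m.group(1), 'owner': m.group(2),
                            'target': m.group(3), 'raw': line})
            continue
        m = _GENERIC.match(line)
        if m:
            entries.append({'section': m.group(1), 'target': m.group(2), 'raw': line})
    return entries


def executable_of(command):
    """First token of a command line: the quoted path, or the bare first word."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(' ', 1)[0]


def is_qualified(path):
    """True when the path starts with a drive letter or an environment variable."""
    return bool(re.match(r'^[A-Za-z]:\\', path)) or path.startswith('%')


def triage(entries):
    """Return (flag, raw line) pairs for the entries worth a second look."""
    findings = []
    for e in entries:
        if '(file missing)' in e['raw']:
            findings.append(('file-missing', e['raw']))
        if e.get('owner') == 'Unknown owner':
            findings.append(('unknown-owner', e['raw']))
        if e['section'] == 'O4' and e.get('hive') in ('HKLM', 'HKCU') \
                and not is_qualified(executable_of(e['target'])):
            findings.append(('unqualified-path', e['raw']))
    return findings


if __name__ == '__main__':
    for flag, raw in triage(parse_hjt(SAMPLE_LOG)):
        print("%-16s %s" % (flag, raw))
```

On the sample, the flags land on leftovers of uninstalled software and on bare executable names in the Run key, which is consistent with the helper's reading that the logs show nothing malicious; the point of the script is to make that first pass repeatable rather than to replace judgement about each entry.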

I see nothing in the logs that could be causing your problem. :(

 

Let's do a search scan with SmitfraudFix and see if it picks up any hidden malware.

 

Please delete your current copy of SmitfraudFix and download an updated copy.

 

Please download SmitfraudFix (by S!Ri).

  • Extract the content (a folder named SmitfraudFix) to your desktop.
  • Open the SmitfraudFix folder and double-click smitfraudfix.cmd
  • Select Option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
  • Please copy/paste the content of that report into your next reply.

NOTE : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

http://www.beyondlogic.org/consulting/proc...processutil.htm


Hi, thanks so much for all your help. Unfortunately I think this particular malware was just incredibly well hidden, and it was taking me too much time and effort to try and find it, so I have ended up formatting and reinstalling Windows (and the problem is now gone). Thanks so much for your help and time; I appreciate it. Even though we didn't end up fixing it, you taught me a lot about getting rid of malware, and if we ever get infected again hopefully I might be able to do it myself.

 

Thanks

 

Bobbo
