natnat88

Firewall disabled and no access to system services

25 posts in this topic

Using Windows XP Home SP2.

Someone sent me a link via MSN saying "are these your pics? [link]". I didn't take much notice and clicked on the link.

After I clicked it I realised my friend's name said "if I send you a link, don't click it", but by this time something had downloaded itself onto my system.

Straight after this happened my AVG firewall was stopped and still won't start again. Also, I have tried to open msconfig and the Services option in Administrative Tools, but when I open these tools, they close immediately.

I found (on the internet) HijackThis to be very useful in this sort of situation, but when I run the .exe file, a message pops up and before I get a chance to click OK it closes, so I can't scan for a log to be posted.

I tried logging on as a different user but the same thing happened, so I uninstalled AVG and reinstalled it on a different user; the firewall was up and running and everything worked. Logged off and back on to my account and it all went to pot again.

Can anyone help, as I am really getting sick of this.

Thanks

 

Please read our Forum FAQ in order to find out what info we need (a HijackThis log) so we can help you.

 

As I said above, HijackThis won't even open; this thing closes it down before you can even click Scan. Also, I can't access AV websites. I tried going onto Grisoft but it wouldn't load; my brother could get on it on his computer but I couldn't, same network and internet connection.

Edited by natnat88


Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

 

Thank you for your patience.

 

[this is an automated reply]


Hi,

 

OK, I'm assuming you have the HijackThis executable. Please right-click on it, select Rename, name it something random, then try to open and scan with it again. If that works, post the scan here.

 

If not, please do this:

 

Download http://www.geekstogo.com/forum/index.php?a...nload&id=19 Deckard's System Scanner (formerly Comboscan) to your Desktop.

  1. Close all applications and windows.
  2. Double-click on comboscan.exe to run it, and follow the prompts.
  3. When the scan is complete, a text file will open - ComboScan.txt
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of ComboScan.txt in your thread.
  5. A folder, C:\ComboScan, will also open. In it will be another text file, Supplementary.txt.
  6. Please attach Supplementary.txt to your post.

Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

 

(Note, I haven't used DSS for a while so the process mentioned above may now be different, but basically I want any logs it produces)

 

If that also doesn't work, let me know.

 

jedi


The HijackThis rename didn't work but the other thing did. Here's the log:

 

Deckard's System Scanner v20070826.66

Run by Nat on 2007-09-03 13:37:43

Computer is in Normal Mode.

--------------------------------------------------------------------------------

 

-- System Restore --------------------------------------------------------------

 

System Restore is disabled; attempting to re-enable...success.

 

 

-- Last 1 Restore Point(s) --

1: 2007-09-03 12:37:47 UTC - RP1 - System Checkpoint

 

 

Backed up registry hives.

Performed disk cleanup.

 

Total Physical Memory: 447 MiB (512 MiB recommended).

 

 

-- HijackThis (run as Nat.exe) -------------------------------------------------

 

Unable to find log (file not found); running clone.

-- HijackThis Clone ------------------------------------------------------------

 

Emulating logfile of HijackThis v1.99.1

Scan saved at 2007-09-03 13:40:24

Platform: Windows XP Service Pack 2 (5.01.2600)

MSIE: Internet Explorer (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\system32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Grisoft\AVG7\avgupsvc.exe

C:\Program Files\SpywareDetector\SDService.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\lhjvimuv\lsass.exe

C:\WINDOWS\system32\VTTimer.exe

C:\WINDOWS\system32\VTTrayp.exe

C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\Google\Gmail Notifier\gnotify.exe

C:\Program Files\SpywareDetector\SDSystemTray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\Program Files\Messenger\Msmsgs.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe

C:\Program Files\MSN Messenger\usnsvc.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Grisoft\AVG7\avgamsvr.exe

C:\Program Files\Grisoft\AVG7\avgemc.exe

C:\Program Files\Grisoft\AVG7\avgcc.exe

C:\Documents and Settings\Nat\Desktop\dss.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virushelpzone.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://uk.yahoo.com/fsc/

R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com/fsc/

R0 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/fsc/

F0 - win.ini: load=C:\WINDOWS\system32\lhjvimuv\lsass.exe

F0 - win.ini: run=C:\WINDOWS\system32\lhjvimuv\lsass.exe

F3 - REG:win.ini: Load=C:\WINDOWS\system32\userinit.exe,

F3 - REG:win.ini: Run=C:\WINDOWS\system32\userinit.exe,

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll

O4 - HKEY_LOCAL_MACHINE\..\Run: [VTTimer] VTTimer.exe

O4 - HKEY_LOCAL_MACHINE\..\Run: [VTTrayp] VTtrayp.exe

O4 - HKEY_LOCAL_MACHINE\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKEY_LOCAL_MACHINE\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKEY_LOCAL_MACHINE\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKEY_LOCAL_MACHINE\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKEY_LOCAL_MACHINE\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKEY_LOCAL_MACHINE\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe

O4 - HKEY_LOCAL_MACHINE\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKEY_LOCAL_MACHINE\..\Run: [systemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe -AUTO

O4 - HKEY_LOCAL_MACHINE\..\Run: [sDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO

O4 - HKEY_LOCAL_MACHINE\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKEY_LOCAL_MACHINE\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\Msmsgs.exe" /background

O4 - Startup: lsass.lnk =

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)

O9 - Extra 'Tools' menuitem: (no name) - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\ypager.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\ypager.exe

O9 - Extra button: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\Msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\Msmsgs.exe

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/i...GenXInstall.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://borobabe881988.spaces.live.com//Pho...ad/MsnPUpld.cab

O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://asp.mathxl.com/applets/PearsonInstallAsst.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab

O16 - DPF: {EEC9DBCC-04AD-4A1B-BEA7-C6DAD9515D5A} (Pearson MyEconLab Player Control) - http://asp.mathxl.com/books/_Players/EconPlayer.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab

O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll

O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll

O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL

O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL

O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - "C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe"

O23 - Service: Apple Mobile Device - Apple, Inc. - "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgemc.exe

O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe /srvfsys

 

 

 

-- File Associations -----------------------------------------------------------

 

.reg - regfile - shell\open\command - "%1"

 

 

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

 

S3 Ad-Watch Connect Filter (Ad-Watch Connect Kernel Filter) - c:\windows\system32\drivers\nsdriver.sys <Not Verified; Lavasoft AB; Ad-Watch Connections>

S3 usbsermpt (Motorola USB Modem Driver for MPT) - c:\windows\system32\drivers\usbsermpt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>

 

 

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

 

R2 aawservice (Ad-Aware 2007 Service) - "c:\program files\lavasoft\ad-aware 2007\aawservice.exe" <Not Verified; Lavasoft AB; Ad-Aware 2007 Service>

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>

 

 

-- Device Manager: Disabled ----------------------------------------------------

 

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}

Description: VIA Rhine II Fast Ethernet Adapter

Device ID: PCI\VEN_1106&DEV_3065&SUBSYS_10CD1734&REV_78\3&61AAA01&0&90

Manufacturer: VIA Technologies, Inc.

Name: VIA Rhine II Fast Ethernet Adapter

PNP Device ID: PCI\VEN_1106&DEV_3065&SUBSYS_10CD1734&REV_78\3&61AAA01&0&90

Service: FETND5BV

 

 

-- Scheduled Tasks -------------------------------------------------------------

 

2007-09-03 12:20:04 324 --a------ C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job

2007-08-08 18:17:10 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

 

 

-- Files created between 2007-08-03 and 2007-09-03 -----------------------------

 

2007-09-03 10:30:00 0 d-------- C:\WINDOWS\LastGood

2007-08-16 12:39:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Avanquest Software

2007-08-10 13:22:18 0 dr-h----- C:\$VAULT$.AVG

2007-08-08 18:21:16 0 d-------- C:\Program Files\iPod

2007-08-08 18:20:54 0 d-------- C:\Program Files\iTunes

2007-08-08 18:18:24 0 d-------- C:\Program Files\QuickTime

2007-08-08 18:16:10 0 d-------- C:\Program Files\Common Files\Apple

2007-08-08 18:16:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple

 

 

-- Find3M Report ---------------------------------------------------------------

 

2007-09-03 10:26:04 0 d-------- C:\Documents and Settings\Nat\Application Data\AVG7

2007-09-03 10:24:28 0 d-------- C:\Program Files\SpywareDetector

2007-08-08 18:16:56 0 d-------- C:\Program Files\Apple Software Update

2007-08-08 18:16:10 0 d-------- C:\Program Files\Common Files

2007-07-11 16:34:19 0 d-------- C:\Program Files\Windows Live Safety Center

2007-07-11 16:20:27 0 d--h----- C:\Program Files\InstallShield Installation Information

2007-07-10 15:32:33 0 d-------- C:\Documents and Settings\Nat\Application Data\Ahead

2007-07-10 14:18:50 0 d-------- C:\Program Files\Lavasoft

2007-07-10 14:18:26 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard

 

 

-- Registry Dump ---------------------------------------------------------------

 

*Note* empty entries & legit default entries are not shown

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"VTTimer"="VTTimer.exe" [08/03/2005 02:33 C:\WINDOWS\system32\VTTimer.exe]

"VTTrayp"="VTtrayp.exe" [01/11/2005 03:15 C:\WINDOWS\system32\VTTrayp.exe]

"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [12/01/2006 15:40]

"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [19/02/2006 03:41]

"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [23/10/2003 19:51]

"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [13/01/2006 08:14]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [10/11/2005 14:03]

"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [15/07/2005 22:48]

"lsass"="" []

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [13/08/2007 11:48]

"SystemTraySD"="C:\Program Files\SpywareDetector\SDSystemTray.exe" [10/07/2007 18:53]

"SDAutoLiveupdate"="C:\Program Files\SpywareDetector\LiveUpdateSD.exe" [10/07/2007 18:53]

"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [29/06/2007 06:24]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [31/07/2007 18:44]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [21/03/2006 18:41]

"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [19/01/2007 13:54]

"MSMSGS"="C:\Program Files\Messenger\Msmsgs.exe" [31/08/2005 19:27]

"lsass"="" []

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"DisableRegistryTools"=1

"NoAdminPage"=1

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SDNotify]

C:\Program Files\SpywareDetector\SDNotify.dll 09/07/2007 18:54 176128 C:\Program Files\SpywareDetector\SDNotify.dll

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

"C:\Program Files\iTunes\iTunesHelper.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

"C:\Program Files\QuickTime\qttask.exe" -atboottime

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]

sm56hlpr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

SOUNDMAN.EXE

 

 

 

 

-- Hosts -----------------------------------------------------------------------

 

127.0.0.1 www.test.com

127.0.0.1 www.ads.x10.com

127.0.0.1 www.600pics.com

127.0.0.1 www.doberman.befree.com

127.0.0.1 www.enews.bfast.com

127.0.0.1 www.etoys.bfast.com

127.0.0.1 www.falcon.bfast.com

127.0.0.1 www.ftp.befree.com

127.0.0.1 www.ftp.bfast.com

127.0.0.1 www.geocities.bfast.com

 

873 more entries in hosts file.

 

 

-- End of Deckard's System Scanner: finished at 2007-09-03 13:43:05 ------------

 

 

There was an 'extra.txt' file, not Supplementary.txt. Here it is.

 

Deckard's System Scanner v20070826.66

Extra logfile - please post this as an attachment with your post.

--------------------------------------------------------------------------------

 

-- System Information ----------------------------------------------------------

 

Microsoft Windows XP Home Edition (build 2600) SP 2.0

Architecture: X86; Language: English

 

CPU 0: Intel® Celeron® M processor 1.70GHz

Percentage of Memory in Use: 71%

Physical Memory (total/avail): 446.23 MiB / 127.49 MiB

Pagefile Memory (total/avail): 1055.92 MiB / 715.86 MiB

Virtual Memory (total/avail): 2047.88 MiB / 1963.42 MiB

 

C: is Fixed (NTFS) - 37.25 GiB total, 14.33 GiB free.

D: is CDROM (No Media)

 

\\.\PHYSICALDRIVE0 - WDC WD400UE-07HCT0 - 37.26 GiB - 1 partition

\PARTITION0 (bootable) - Installable File System - 37.25 GiB - C:

 

 

 

-- Security Center -------------------------------------------------------------

 

AUOptions is scheduled to auto-install.

Windows Internal Firewall is disabled.

 

FirstRunDisabled is set.

 

FW: AVG Firewall 7.5.475 v7.5.475 (GRISOFT) Disabled

AV: AVG 7.5.485 v7.5.485 (GRISOFT)

 

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"

"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"

"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

 

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"

"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"

"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"

"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"

"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Disabled:Windows Live Messenger 8.0 (Phone)"

"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"

"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"

"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"

"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"

 

 

-- Environment Variables -------------------------------------------------------

 

ALLUSERSPROFILE=C:\Documents and Settings\All Users

APPDATA=C:\Documents and Settings\Nat\Application Data

CLASSPATH=.;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip

CLIENTNAME=Console

CommonProgramFiles=C:\Program Files\Common Files

COMPUTERNAME=NATALIE

ComSpec=C:\WINDOWS\system32\cmd.exe

FP_NO_HOST_CHECK=NO

HOMEDRIVE=C:

HOMEPATH=\Documents and Settings\Nat

LOGONSERVER=\\NATALIE

NUMBER_OF_PROCESSORS=1

OS=Windows_NT

Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\

PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH

PROCESSOR_ARCHITECTURE=x86

PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel

PROCESSOR_LEVEL=6

PROCESSOR_REVISION=0d08

ProgramFiles=C:\Program Files

PROMPT=$P$G

QTJAVA=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip

SESSIONNAME=Console

SystemDrive=C:

SystemRoot=C:\WINDOWS

TEMP=C:\DOCUME~1\Nat\LOCALS~1\Temp

TMP=C:\DOCUME~1\Nat\LOCALS~1\Temp

USERDOMAIN=NATALIE

USERNAME=Nat

USERPROFILE=C:\Documents and Settings\Nat

windir=C:\WINDOWS

 

 

-- User Profiles ---------------------------------------------------------------

 

Nat (admin)

James (admin)

 

 

-- Add/Remove Programs ---------------------------------------------------------

 

--> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER

--> C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu

--> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL

--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL

--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL

--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL

--> C:\WINDOWS\UNRecode.exe /UNINSTALL

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf

Ad-Aware 2007 --> MsiExec.exe /X{E31C348B-63A9-4CBF-8D7F-D932ABB63244}

Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe

Adobe Reader 7.0.7 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70700000002}

Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log

Apple Mobile Device Support --> MsiExec.exe /I{967D588C-9B96-40C9-A222-DCD6922563CA}

Apple Software Update --> MsiExec.exe /I{492724FC-3B26-46B4-824F-3CE2722D9AA0}

AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL

DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC

DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER

DivX Converter --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER

DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER

DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN

Google Gmail Notifier --> "C:\Program Files\Google\Gmail Notifier\UninstallGmail.exe"

High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"

HijackThis 1.99.1 --> C:\Documents and Settings\Nat\Desktop\HijackThis.exe /uninstall

Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"

Hotfix for Windows Media Format SDK (KB902344) --> "C:\WINDOWS\$NtUninstallKB902344$\spuninst\spuninst.exe"

HP Customer Participation Program 7.0 --> C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat

hp deskjet 5600 --> msiexec /x{DB5518BE-F40F-407A-B451-012625D4497B}

HP Imaging Device Functions 7.0 --> C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat

HP Photosmart Essential --> MsiExec.exe /X{6994491D-D491-48F1-AE1F-E179C1FFFC2F}

HP Photosmart, Officejet and Deskjet 7.0.A --> C:\Program Files\HP\Digital Imaging\{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C}\setup\hpzscr01.exe -datfile hposcr11.dat

HP Software Update --> MsiExec.exe /X{BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E}

HP Solution Center 7.0 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat

InterVideo WinDVD --> "C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL

iTunes --> MsiExec.exe /I{E0219810-16E4-437D-9165-93D7B22524F9}

J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}

Macromedia Flash Player 8 --> MsiExec.exe /X{5E8A1B08-0FBD-4543-9646-F2C2D0D05750}

Messenger Plus! Live --> "C:\Program Files\Messenger Plus! Live\Uninstall.exe"

Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"

Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}

Microsoft Picture It! Print Studio 2001 --> MsiExec.exe /I{F3BF1670-5541-45A2-AFD3-2AA2E9754EEE}

Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"

Microsoft Works --> MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}

Motorola Phone Tools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BAD8CA9C-77C0-4663-B00B-A8D3B13C341B}\setup.exe" -l0x9 -removeonly

Motorola SM56 Data Fax Modem --> C:\WINDOWS\Motorola\SMSERIAL\sm56unst.exe

Mozilla Firefox (2.0.0.4) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe

Mozilla Firefox (2.0.0.6) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe

Nero 7 Essentials --> MsiExec.exe /I{DD090DED-AC90-4B12-915E-72511B7B1033}

OCR Software by I.R.I.S 7.0 --> C:\Program Files\HP\Digital Imaging\OCR\hpzscr01.exe -datfile hpqbud11.dat

PHStat2 version 2.5.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10�\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{363798A0-FE16-4BA8-8119-572A02202DBF}\setup.exe" -l0x9 -removeonly

QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}

Realtek AC'97 Audio --> Alcrmv.exe -r -m

Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"

Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"

Shockwave --> C:\WINDOWS\system32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~2\INSTALL.LOG

Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"

Spyware Detector --> "C:\Program Files\SpywareDetector\unins000.exe"

VIA Rhine-Family Fast Ethernet Adapter --> Rundll32.exe vuins32.dll,vuins32Ex $Rhine $VIA

Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}

Windows Live OneCare safety scanner --> RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT

Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"

Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"

Windows Media Hotfix - KB895181 --> "C:\WINDOWS\$NtUninstallKB895181$\spuninst\spuninst.exe"

Windows Messenger 5.1 --> MsiExec.exe /I{9D1C26BD-E792-4159-9D16-07EA222D8EF0}

Windows Messenger 5.1 MUI Pack --> MsiExec.exe /I{F3CBA4E6-436E-4B51-9651-93830EE38616}

Yahoo! Companion --> rundll32.exe C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\YCOMP5~1.DLL,DllCommand ui

Yahoo! Messenger with BT Communicator --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG

 

 

-- Application Event Log -------------------------------------------------------

 

Event Record #/Type8203 / Success

Event Submitted/Written: 09/03/2007 10:27:37 AM

Event ID/Source: 12001 / usnjsvc

Event Description:

The Messenger Sharing USN Journal Reader service started successfully.

 

Event Record #/Type8197 / Error

Event Submitted/Written: 08/30/2007 10:59:16 AM

Event ID/Source: 1002 / Application Hang

Event Description:

Hanging application msnmsgr.exe, version 8.1.178.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

 

Event Record #/Type8196 / Error

Event Submitted/Written: 08/30/2007 10:59:15 AM

Event ID/Source: 1002 / Application Hang

Event Description:

Hanging application msnmsgr.exe, version 8.1.178.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

 

Event Record #/Type8184 / Success

Event Submitted/Written: 08/28/2007 11:07:03 AM

Event ID/Source: 12001 / usnjsvc

Event Description:

The Messenger Sharing USN Journal Reader service started successfully.

 

Event Record #/Type8173 / Error

Event Submitted/Written: 08/16/2007 00:56:50 PM

Event ID/Source: 1001 / Application Error

Event Description:

Fault bucket 278382273.

The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.

 

 

 

-- Security Event Log ----------------------------------------------------------

 

No Errors/Warnings found.

 

 

-- System Event Log ------------------------------------------------------------

 

No Errors/Warnings found.

 

 

-- End of Deckard's System Scanner: finished at 2007-09-03 13:43:05 ------------


Hi again,

 

Download MsnCleaner.zip from here, but don't use it yet.

http://www.forospyware.com/Msncleaner/MsnCleaner.zip

(Copy/Paste the URL into the address bar or use "Save Target As")

  • Now reboot into Safe Mode
  • Double-click MsnCleaner.exe to run it.
  • Click the Analyze button.
  • A report will be created once the scan finishes.
  • If it finds an infection, click the Deleted button.
  • Now, please reboot back to normal mode.
  • Please post the contents of C:\MsnCleaner.txt in a reply to this post.

Next:

 

1. Download this file -

ComboFix

2. Double click ComboFix.exe & follow the prompts.

3. When finished, it will produce a log for you. Post that log in your next reply.

 

Note:

Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

 

jedi


nothing found with msn scanner.

 

log for ComboFix:

 

ComboFix 07-09-04.4 - "Nat" 2007-09-04 12:18:29.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.127 [GMT 1:00]

 

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\WINDOWS\system32\taskkill.com

 

 

((((((((((((((((((((((((( Files Created from 2007-08-04 to 2007-09-04 )))))))))))))))))))))))))))))))

 

 

2007-09-04 12:17 51,200 --a------ C:\WINDOWS\NirCmd.exe

2007-09-04 12:12 <DIR> d-------- C:\BackUpMSNCleaner

2007-09-03 13:37 <DIR> d-------- C:\Deckard

2007-08-16 12:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Avanquest Software

2007-08-08 18:21 <DIR> d-------- C:\Program Files\iPod

2007-08-08 18:20 <DIR> d-------- C:\Program Files\iTunes

2007-08-08 18:18 <DIR> d-------- C:\Program Files\QuickTime

2007-08-08 18:16 <DIR> d-------- C:\Program Files\Common Files\Apple

2007-08-08 18:16 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-09-04 12:14 --------- d-------- C:\Program Files\SpywareDetector

2007-08-08 18:16 --------- d-------- C:\Program Files\Apple Software Update

2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll

2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll

2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe

2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll

2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll

2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll

2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll

2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll

2007-07-11 17:16 63 --a------ C:\WINDOWS\system\SysSD.dll

2007-07-11 16:40 110592 --a------ C:\WINDOWS\system32\avgfwafu.dll

2007-07-11 16:34 --------- d-------- C:\Program Files\Windows Live Safety Center

2007-07-11 16:29 --------- d-------- C:\DOCUME~1\James\APPLIC~1\Screenshot Sender

2007-07-11 16:20 --------- d--h----- C:\Program Files\InstallShield Installation Information

2007-07-10 15:32 --------- d-------- C:\DOCUME~1\Nat\APPLIC~1\Ahead

2007-07-10 14:18 --------- d-------- C:\Program Files\Lavasoft

2007-07-10 14:18 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard

2007-07-10 14:18 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft

2007-07-09 19:06 67024 --a------ C:\WINDOWS\system32\CloseAll.exe

2007-06-26 07:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll

2007-06-19 14:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll

2007-06-13 12:26 1033216 --a------ C:\WINDOWS\explorer.exe

2006-10-22 14:00 24192 --a------ C:\DOCUME~1\Nat\usbsermptxp.sys

2006-10-22 14:00 22768 --a------ C:\DOCUME~1\Nat\usbsermpt.sys

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"VTTimer"="VTTimer.exe" [2005-03-08 02:33 C:\WINDOWS\system32\VTTimer.exe]

"VTTrayp"="VTtrayp.exe" [2005-11-01 03:15 C:\WINDOWS\system32\VTTrayp.exe]

"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]

"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 03:41]

"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 19:51]

"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2006-01-13 08:14]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 14:03]

"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 22:48]

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-13 11:48]

"SystemTraySD"="C:\Program Files\SpywareDetector\SDSystemTray.exe" [2007-07-10 18:53]

"SDAutoLiveupdate"="C:\Program Files\SpywareDetector\LiveUpdateSD.exe" [2007-07-10 18:53]

"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-31 18:44]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-03-21 18:41]

"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54]

"MSMSGS"="C:\Program Files\Messenger\Msmsgs.exe" [2005-08-31 19:27]

"lsass"="" []

 

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\

Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]

HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 05:21:22]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"DisableRegistryTools"=1

"NoAdminPage"=1

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SDNotify]

C:\Program Files\SpywareDetector\SDNotify.dll 2007-07-09 18:54 176128 C:\Program Files\SpywareDetector\SDNotify.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

"C:\Program Files\iTunes\iTunesHelper.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

"C:\Program Files\QuickTime\qttask.exe" -atboottime

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]

sm56hlpr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

SOUNDMAN.EXE

R0 SiSRaid2;SiSRaid2;C:\WINDOWS\system32\drivers\SiSRaid2.sys

R0 viamraid;viamraid;C:\WINDOWS\system32\drivers\viamraid.sys

R3 EKBfltr;ENE Keyboard Controller;C:\WINDOWS\system32\DRIVERS\EKBfltr.sys

 

*Newly Created Service* - CATCHME

 

Contents of the 'Scheduled Tasks' folder

"2007-08-08 17:17:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

"2007-09-03 11:20:04 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"

- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

 

**************************************************************************

 

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-09-04 12:21:10

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Completion time: 2007-09-04 12:21:53

C:\ComboFix-quarantined-files.txt ... 2007-09-04 12:21

 

--- E O F ---

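The "Reg Loading Points" section of the ComboFix log above is where a helper spots the rogue autorun: a Run value named "lsass" (the name of a core Windows process) with no image path, sitting next to policy values that disable the registry editor and the user-accounts page. The script below is an added example for this thread, not ComboFix code or anything from the helper; it parses a sample constructed from the log above and flags those entries by the same reasoning. The process-name and policy lists are assumptions chosen for illustration.

```python
"""Flag suspicious entries in a ComboFix 'Reg Loading Points' section.

Added example for this thread; it is not ComboFix code. The sample text is
constructed from the entries shown in the log above.
"""
import re

# Core Windows process names that malware likes to borrow (assumed list).
SYSTEM_PROCESS_NAMES = {"lsass", "csrss", "smss", "winlogon", "services",
                        "svchost", "spoolsv"}
SYSTEM_DIR = r"c:\windows\system32"

# Policy values that, when set to 1, lock the user out of a built-in tool
# (assumed list; the log above shows the first and last of these).
LOCKOUT_POLICIES = {"DisableRegistryTools", "DisableTaskMgr", "NoAdminPage"}

# Constructed from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2005-03-08 02:33 C:\WINDOWS\system32\VTTimer.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-13 11:48]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54]
"lsass"="" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1
"NoAdminPage"=1
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"='                 # "ValueName"=
    r'(?:"(?P<str>[^"]*)"|(?P<num>\d+))'   # "string data" or a bare number
    r'(?:\s*\[(?P<meta>[^\]]*)\])?$'       # optional [timestamp full\path]
)


def parse_loading_points(text):
    """Return (key, name, data, meta) for every value line under its registry key."""
    entries = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and current_key is not None:
            data = m.group("str") if m.group("str") is not None else m.group("num")
            entries.append((current_key, m.group("name"), data, m.group("meta") or ""))
    return entries


def image_path(data, meta):
    """Best-effort full path: when the data is a bare file name, ComboFix puts
    the resolved path after the timestamp inside the trailing [...]."""
    if data.lower().endswith(".exe") and "\\" in data:
        return data
    parts = meta.split(" ", 2)       # "YYYY-MM-DD HH:MM C:\full\path.exe"
    return parts[2] if len(parts) == 3 else data


def audit(text):
    """Return (key, name, reason) for each entry worth a second look."""
    findings = []
    for key, name, data, meta in parse_loading_points(text):
        key_l = key.lower()
        reasons = []
        if key_l.endswith("\\run"):
            if name.lower() in SYSTEM_PROCESS_NAMES:
                reasons.append("borrows the name of a core Windows process")
            path = image_path(data, meta)
            if not path:
                reasons.append("no image path recorded")
            elif (name.lower() in SYSTEM_PROCESS_NAMES
                  and not path.lower().startswith(SYSTEM_DIR)):
                reasons.append("system-process name but image outside system32")
        elif key_l.endswith("policies\\system"):
            if name in LOCKOUT_POLICIES and data == "1":
                reasons.append("policy locks the user out of a built-in tool")
        if reasons:
            findings.append((key, name, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for key, name, reason in audit(SAMPLE_LOG):
        print(f'[{key}] "{name}": {reason}')
```

Run as-is, the script reports the "lsass" Run value and the two policy values; the legitimate VTTimer, AVG and Messenger entries pass because their names are ordinary and their images resolve to a real path. The same check can be pointed at a full ComboFix.txt by reading the section between the "Reg Loading Points" banner and the next banner.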

Hi again,

 

Do Start > Run > and type in regedit then hit OK.

 

In the registry editor, navigate to HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system by clicking on the + symbols to expand the keys. When you get to the System folder click on it to open it.

In the right hand pane, double click on

"DisableRegistryTools"

An Edit DWORD value box will open. In the Value Data box, change the value from 1 to 0, OK that then close the box.

Repeat for

"NoAdminPage"

then close the registry editor.

 

Next:

 

Open notepad and copy/paste the text in the quotebox below into it (do not include the word ‘Quote’)

 

File::

C:\WINDOWS\system32\lhjvimuv\lsass.exe

Registry::

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"lsass"=-

 

Save this as CFScript

 

CFScript.gif

 

Referring to the picture above, drag CFScript into ComboFix.exe

 

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log, assuming HijackThis will run.

 

jedi


hi,

 

regedit opens then closes again; it seems to close anything that will lead to getting rid of it.

 

will the text document still work with combofix or does it have to be used in conjunction with the regedit changes?


Hi again,

 

The Combofix instructions will work independently, please run them.

 

Next:

 

For regedit, please do this:

 

Please run Notepad and paste the following text into a new file, do not include the word ‘quote’:

 

REGEDIT4

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"DisableRegistryTools"=0

"NoAdminPage"=0

 

Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

 

Then test whether regedit will open (Do Start > Run > and type in regedit then hit OK). Let me know if the registry editor opens OK. Please also post the Combofix.txt and a new HijackThis log.

 

jedi


hi there,

 

ComboFix log:

 

ComboFix 07-09-04.4 - "Nat" 2007-09-14 13:52:53.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.95 [GMT 1:00]

 

FILE::

C:\WINDOWS\system32\lhjvimuv\lsass.exe

 

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\WINDOWS\system32\taskkill.com

 

 

((((((((((((((((((((((((( Files Created from 2007-08-14 to 2007-09-14 )))))))))))))))))))))))))))))))

 

 

2007-09-10 11:56 <DIR> d-------- C:\Program Files\iPod

2007-09-10 11:55 <DIR> d-------- C:\Program Files\iTunes

2007-09-04 12:17 51,200 --a------ C:\WINDOWS\NirCmd.exe

2007-09-04 12:12 <DIR> d-------- C:\BackUpMSNCleaner

2007-09-03 13:37 <DIR> d-------- C:\Deckard

2007-08-16 12:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Avanquest Software

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-09-14 13:47 --------- d-------- C:\Program Files\SpywareDetector

2007-09-13 16:17 63 --a------ C:\WINDOWS\system\SysSD.dll

2007-08-08 18:19 --------- d-------- C:\Program Files\QuickTime

2007-08-08 18:16 --------- d-------- C:\Program Files\Common Files\Apple

2007-08-08 18:16 --------- d-------- C:\Program Files\Apple Software Update

2007-08-08 18:16 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple

2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll

2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll

2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe

2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll

2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll

2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll

2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll

2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll

2007-07-11 16:40 110592 --a------ C:\WINDOWS\system32\avgfwafu.dll

2007-07-09 19:06 67024 --a------ C:\WINDOWS\system32\CloseAll.exe

2007-06-26 07:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll

2007-06-19 14:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll

2006-10-22 14:00 24192 --a------ C:\DOCUME~1\Nat\usbsermptxp.sys

2006-10-22 14:00 22768 --a------ C:\DOCUME~1\Nat\usbsermpt.sys

 

 

((((((((((((((((((((((((((((( snapshot_2007-09-04_122122.78 )))))))))))))))))))))))))))))))))))))))))

 

-c----w 315,904 2006-11-01 17:31:34 C:\WINDOWS\$NtUninstallKB939683$\unregmp2.exe

-c----w 213,216 2005-06-28 09:23:26 C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe

-c----w 371,424 2005-06-28 09:23:54 C:\WINDOWS\$NtUninstallKB939683$\spuninst\updspapi.dll

----a-w 317,440 2007-06-26 21:10:26 C:\WINDOWS\inf\unregmp2.exe

----a-r 102,400 2007-09-10 10:56:58 C:\WINDOWS\Installer\{B8A204BC-7177-470E-BBDD-47256D05B325}\iTunesIco.exe

----a-w 17,474,680 2007-09-06 02:50:42 C:\WINDOWS\system32\MRT.exe

-c--a-w 317,440 2007-06-26 21:10:26 C:\WINDOWS\system32\dllcache\unregmp2.exe

-c--a-w 30,336 2007-09-06 12:28:16 C:\WINDOWS\system32\DRVSTORE\usbaapl_A65621D65F5B7507DD7B22331826547BDD2D206B\usbaapl.sys

----a-w 2,823,048 2007-09-13 15:24:39 C:\WINDOWS\temp\mpengine.dll

 

----a-w 315,904 2006-11-01 17:31:34 C:\WINDOWS\inf\unregmp2.exe

----a-w 16,789,464 2007-08-03 04:34:10 C:\WINDOWS\system32\MRT.exe

-c--a-w 315,904 2006-11-01 17:31:34 C:\WINDOWS\system32\dllcache\unregmp2.exe

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"VTTimer"="VTTimer.exe" [2005-03-08 02:33 C:\WINDOWS\system32\VTTimer.exe]

"VTTrayp"="VTtrayp.exe" [2005-11-01 03:15 C:\WINDOWS\system32\VTTrayp.exe]

"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]

"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 03:41]

"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 19:51]

"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2006-01-13 08:14]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 14:03]

"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 22:48]

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-13 11:48]

"SystemTraySD"="C:\Program Files\SpywareDetector\SDSystemTray.exe" [2007-07-10 18:53]

"SDAutoLiveupdate"="C:\Program Files\SpywareDetector\LiveUpdateSD.exe" [2007-07-10 18:53]

"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 16:55]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-03-21 18:41]

"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54]

"MSMSGS"="C:\Program Files\Messenger\Msmsgs.exe" [2005-08-31 19:27]

 

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\

Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]

HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 05:21:22]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SDNotify]

C:\Program Files\SpywareDetector\SDNotify.dll 2007-07-09 18:54 176128 C:\Program Files\SpywareDetector\SDNotify.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

"C:\Program Files\iTunes\iTunesHelper.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

"C:\Program Files\QuickTime\qttask.exe" -atboottime

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]

sm56hlpr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

SOUNDMAN.EXE

R0 SiSRaid2;SiSRaid2;C:\WINDOWS\system32\drivers\SiSRaid2.sys

R0 viamraid;viamraid;C:\WINDOWS\system32\drivers\viamraid.sys

R3 EKBfltr;ENE Keyboard Controller;C:\WINDOWS\system32\DRIVERS\EKBfltr.sys

 

 

Contents of the 'Scheduled Tasks' folder

"2007-08-08 17:17:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

"2007-09-10 11:20:52 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"

 

**************************************************************************

 

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-09-14 13:55:30

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Completion time: 2007-09-14 13:56:19

C:\ComboFix-quarantined-files.txt ... 2007-09-14 13:56

C:\ComboFix2.txt ... 2007-09-04 12:21

 

--- E O F ---

 

 

HijackThis then worked, so here's that log:

 

Logfile of HijackThis v1.99.1

Scan saved at 14:05:36, on 14/09/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\Program Files\SpywareDetector\SDService.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\VTTimer.exe

C:\WINDOWS\system32\VTtrayp.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\Google\Gmail Notifier\gnotify.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\SpywareDetector\SDSystemTray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\Program Files\Messenger\Msmsgs.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\MSN Messenger\usnsvc.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Documents and Settings\Nat\Desktop\nat.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virushelpzone.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com/fsc/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/fsc/

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://uk.yahoo.com/fsc/

O1 - Hosts: 1.1.1.1 f-secure.com

O1 - Hosts: 1.1.1.1 www.f-secure.com

O1 - Hosts: 1.1.1.1 ftp.f-secure.com

O1 - Hosts: 1.1.1.1 ftp.sophos.com

O1 - Hosts: 1.1.1.1 liveupdate.symantec.com

O1 - Hosts: 1.1.1.1 customer.symantec.com

O1 - Hosts: 1.1.1.1 dispatch.mcafee.com

O1 - Hosts: 1.1.1.1 download.mcafee.com

O1 - Hosts: 1.1.1.1 rads.mcafee.com

O1 - Hosts: 1.1.1.1 mast.mcafee.com

O1 - Hosts: 1.1.1.1 my-etrust.com

O1 - Hosts: 1.1.1.1 www.my-etrust.com

O1 - Hosts: 1.1.1.1 nai.com

O1 - Hosts: 1.1.1.1 www.nai.com

O1 - Hosts: 1.1.1.1 networkassociates.com

O1 - Hosts: 1.1.1.1 secure.nai.com

O1 - Hosts: 1.1.1.1 securityresponse.symantec.com

O1 - Hosts: 1.1.1.1 service1.symantec.com

O1 - Hosts: 1.1.1.1 sophos.com

O1 - Hosts: 1.1.1.1 www.sophos.com

O1 - Hosts: 1.1.1.1 support.microsoft.com

O1 - Hosts: 1.1.1.1 symantec.com

O1 - Hosts: 1.1.1.1 www.symantec.com

O1 - Hosts: 1.1.1.1 update.symantec.com

O1 - Hosts: 1.1.1.1 updates.symantec.com

O1 - Hosts: 1.1.1.1 us.mcafee.com

O1 - Hosts: 1.1.1.1 vil.nai.com

O1 - Hosts: 1.1.1.1 viruslist.com

O1 - Hosts: 1.1.1.1 www.viruslist.com

O1 - Hosts: 1.1.1.1 grisoft.com

O1 - Hosts: 1.1.1.1 www.grisoft.com

O1 - Hosts: 1.1.1.1 free.grisoft.com

O1 - Hosts: 1.1.1.1 trendmicro.com

O1 - Hosts: 1.1.1.1 housecall.trendmicro.com

O1 - Hosts: 1.1.1.1 www.trendmicro.com

O1 - Hosts: 1.1.1.1 pandasoftware.com

O1 - Hosts: 1.1.1.1 www.pandasoftware.com

O1 - Hosts: 1.1.1.1 usa.kaspersky.com

O1 - Hosts: 1.1.1.1 ewido.net

O1 - Hosts: 1.1.1.1 www.ewido.net

O1 - Hosts: 1.1.1.1 zonelabs.com

O1 - Hosts: 1.1.1.1 www.zonelabs.com

O1 - Hosts: 1.1.1.1 bitdefender.com

O1 - Hosts: 1.1.1.1 www.bitdefender.com

O1 - Hosts: 1.1.1.1 download.bitdefender.com

O1 - Hosts: 1.1.1.1 upgrade.bitdefender.com

O1 - Hosts: 1.1.1.1 spywareinfo.com

O1 - Hosts: 1.1.1.1 www.spywareinfo.com

O1 - Hosts: 1.1.1.1 merijn.org

O1 - Hosts: 1.1.1.1 www.merijn.org

O1 - Hosts: 1.1.1.1 sysinternals.com

O1 - Hosts: 1.1.1.1 www.sysinternals.com

O1 - Hosts: 1.1.1.1 onguardonline.gov

O1 - Hosts: 1.1.1.1 www.onguardonline.gov

O1 - Hosts: 1.1.1.1 avast.com

O1 - Hosts: 1.1.1.1 www.avast.com

O1 - Hosts: 1.1.1.1 safety.live.com

O1 - Hosts: 1.1.1.1 www.paretologic.com

O1 - Hosts: 1.1.1.1 paretologic.com

O1 - Hosts: 1.1.1.1 virusscan.jotti.org

O1 - Hosts: 1.1.1.1 services.google.com

O1 - Hosts: 1.1.1.1 www.webroot.com

O1 - Hosts: 1.1.1.1 webroot.com

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [systemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe -AUTO

O4 - HKLM\..\Run: [sDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\Msmsgs.exe" /background

O4 - Startup: lsass.lnk = ?

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: @c:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: @c:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/i...GenXInstall.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://borobabe881988.spaces.live.com//Pho...ad/MsnPUpld.cab

O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://asp.mathxl.com/applets/PearsonInstallAsst.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab

O16 - DPF: {EEC9DBCC-04AD-4A1B-BEA7-C6DAD9515D5A} (Pearson MyEconLab Player Control) - http://asp.mathxl.com/books/_Players/EconPlayer.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe

 

 

and finally RegEdit opened OK, didn't close automatically.


Hi again,

 

OK, looks like we're winning. :thumbsup:

 

Download HostsXpert from here:

http://www.funkytoad.com/download/HostsXpert.zip

 

Unzip it. Open the program and click on 'Restore Original Hosts'

 

OK the prompt, and exit HostsXpert.

 

Next:

 

Please do the following:

Run a BitDefender Online scan Here and post the results.

 

jedi

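The O1 lines in the HijackThis log above and the "Restore Original Hosts" step in jedi's reply deal with the same artefact: the hosts file pins dozens of security vendor sites to 1.1.1.1, which is why the Grisoft and BitDefender sites would not load on this machine while they loaded fine elsewhere on the same connection. The script below is an added example for this thread, not code from HijackThis, HostsXpert or the helpers; it audits either HijackThis O1 lines or a hosts file for that pattern and writes out a cleaned copy. The vendor domain list and the sample lines are assumptions constructed from the log above.

```python
"""Audit a hosts file (or HijackThis 'O1 - Hosts:' lines) for security vendor
domains pinned to any address, then produce a cleaned hosts file.

Added example for this thread; not HijackThis or HostsXpert code. Samples are
constructed from the O1 entries in the log above; the vendor list is assumed.
"""
import ipaddress
import re

# A legitimate hosts file never needs to pin these (assumed list, drawn from the
# names that appear in the log above).
SECURITY_DOMAINS = {
    "symantec.com", "mcafee.com", "sophos.com", "f-secure.com", "grisoft.com",
    "trendmicro.com", "kaspersky.com", "bitdefender.com", "avast.com",
    "sysinternals.com", "microsoft.com", "live.com", "jotti.org", "nai.com",
}

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")

# Constructed from the HijackThis log posted above.
SAMPLE_HJT = """\
O1 - Hosts: 1.1.1.1 www.f-secure.com
O1 - Hosts: 1.1.1.1 liveupdate.symantec.com
O1 - Hosts: 1.1.1.1 free.grisoft.com
O1 - Hosts: 1.1.1.1 safety.live.com
"""

# Constructed hosts file: one comment, the default localhost line, a harmless
# local override, and two hijack entries of the kind seen in the log.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       mydevbox.local   # legitimate local override
1.1.1.1         www.grisoft.com
1.1.1.1         housecall.trendmicro.com
"""


def parse_hjt_o1(text):
    """Return (ip, hostname) pairs from HijackThis 'O1 - Hosts:' lines."""
    return [m.groups() for m in map(O1_RE.match, text.splitlines()) if m]


def hosts_pairs(text):
    """Return (ip, hostname) pairs from a hosts file, ignoring comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        pairs.extend((ip, name) for name in names)
    return pairs


def registered_domain(hostname):
    """Crude registrable domain: the last two labels (enough for the list above)."""
    parts = hostname.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def is_hijack(ip, hostname):
    """True when a well-formed entry maps a security vendor domain to any
    address. Pinning such a domain to 127.0.0.1 blocks it just as well as
    1.1.1.1 does, so the address itself is not what matters."""
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return False          # malformed line, leave it for a human
    return registered_domain(hostname) in SECURITY_DOMAINS


def audit(pairs):
    """Return only the (ip, hostname) pairs that look like AV-blocking entries."""
    return [(ip, host) for ip, host in pairs if is_hijack(ip, host)]


def clean_hosts(text):
    """Rewrite hosts file text, dropping lines that contain a hijack entry and
    keeping comments, blank lines and ordinary mappings untouched."""
    kept = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            ip, *names = line.split()
            if any(is_hijack(ip, n) for n in names):
                continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for ip, host in audit(parse_hjt_o1(SAMPLE_HJT)) + audit(hosts_pairs(SAMPLE_HOSTS)):
        print(f"hijack: {host} -> {ip}")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

On a real machine the file lives at %SystemRoot%\system32\drivers\etc\hosts; the script only transforms text, so writing the cleaned copy back still requires an account with write access to that file, which is the same requirement a restore tool like HostsXpert has.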

I clicked on restore original hosts but an error occurred and it said it couldn't create a file. When I clicked OK, the program closed itself.

 

I will do the Bitdefender scan now.


I have tried to run the bitdefender scan but the website will not open.

 

I tried to open it from google as well as your link but this didn't work either.

 

I will try it again later.

 

Thanks.


Jedi has taken some time off for vacation/holiday. I'll jump in and help from here on out.

 

The account you were running HostsXpert under does have Admin privileges, right? (Upon reviewing your DSS log it seems there are only 2 accounts and both have it.)

 

I've never seen it do that before but will look into it further. Let's reset it with a little more force. I'm having you run the following program NOT because you have an SDBot infection but because it will reset your Hosts file.

 

Download SDFix and save it to your desktop.

 

Double click SDFix.exe and it will extract the files to C:\SDFix

 

Please then reboot your computer in Safe Mode (without Networking) by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.

  • Open the C:\SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally, paste the contents of Report.txt back here along with the following log (below).

 

As far as the BitDefender scan goes, you are not trying to run it with Firefox, are you? You MUST use IE for the scan.

If you WERE using IE, I noticed you said the whole site won't open. I suspect your compromised Hosts file is blocking access to it.

Retry after rebooting from the SDFix.

 

Please post

  • C:\SDFix\Report.txt
  • BitDefender results
  • Fresh Combofix log

in your next post
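The "compromised Hosts file" suspected above works by pinning security-vendor hostnames to 127.0.0.1 (or another dead address) so that the browser never reaches the vendor's site. As an added example that is not part of this thread, the following Python script parses hosts-file text and flags such entries; the watch-list domains and the sample hosts lines are constructed for the demonstration.

```python
"""Check a Windows hosts file for entries that would block security-vendor sites.

Added example, not part of the forum thread. A stock Windows XP hosts file
carries only comments plus '127.0.0.1 localhost'; malware that wants to keep
the victim away from AV vendors appends lines mapping vendor hostnames to
127.0.0.1 (or an attacker-chosen address), which is what makes a vendor's
online scanner "not load" in the browser while other sites still work.
"""
from typing import List, NamedTuple, Tuple

# Vendor domains to watch for; a constructed list based on the vendors named
# in the thread (AVG/Grisoft, BitDefender, Kaspersky). Extend as needed.
WATCH_DOMAINS: Tuple[str, ...] = (
    "grisoft.com", "avg.com", "bitdefender.com", "kaspersky.com",
)

# The only mapping a default XP hosts file contains.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost")}


class HostsEntry(NamedTuple):
    line_no: int
    address: str
    hostname: str


def parse_hosts(text: str) -> List[HostsEntry]:
    """Return every (address, hostname) mapping found in hosts-file text.

    Comments ('#' to end of line) and blank lines are skipped; one line may
    list several hostnames for a single address, each becoming an entry.
    """
    entries: List[HostsEntry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line, maps nothing
        address, names = fields[0], fields[1:]
        for name in names:
            entries.append(HostsEntry(line_no, address, name.lower()))
    return entries


def _matches_watch_domain(hostname: str, watch: Tuple[str, ...]) -> bool:
    """True if hostname is a watched domain or any subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in watch)


def find_blocked_vendors(text: str,
                         watch: Tuple[str, ...] = WATCH_DOMAINS) -> List[HostsEntry]:
    """Entries that pin a watched vendor domain to any address at all.

    Any such entry is suspicious: a hosts file has no legitimate reason to
    carry vendor hostnames, and pinning them silently breaks access.
    """
    return [e for e in parse_hosts(text) if _matches_watch_domain(e.hostname, watch)]


def find_non_default_entries(text: str) -> List[HostsEntry]:
    """Every mapping beyond the stock '127.0.0.1 localhost' line.

    Useful when the blocked site is not on the watch list: on a home XP box
    the expected result is an empty list.
    """
    return [e for e in parse_hosts(text)
            if (e.address, e.hostname) not in DEFAULT_ENTRIES]


# Constructed sample: a comment header, the localhost line, and three injected
# lines of the kind that make vendor sites fail to load in any browser.
SAMPLE_HOSTS = """\
# constructed header comment, as found at the top of a hosts file
# another comment line
127.0.0.1       localhost
127.0.0.1 www.grisoft.com free.grisoft.com  # injected by malware
127.0.0.1 www.bitdefender.com
0.0.0.0   kaspersky.com
"""

if __name__ == "__main__":
    for e in find_blocked_vendors(SAMPLE_HOSTS):
        print(f"line {e.line_no}: {e.hostname} -> {e.address}")
```

On a live XP system the file to feed in is C:\WINDOWS\system32\drivers\etc\hosts; restoring the stock contents (as SDFix does) removes the block.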


SDFix: Version 1.105

 

Run by Nat on 18/09/2007 at 15:04

 

Microsoft Windows XP [Version 5.1.2600]

 

Running From: C:\SDFix

 

Safe Mode:

Checking Services:

 

 

Restoring Windows Registry Values

Restoring Windows Default Hosts File

 

Rebooting...

 

 

Normal Mode:

Checking Files:

 

Trojan Files Found:

 

C:\Documents and Settings\Nat\Start Menu\Programs\Startup\lsass.lnk - Deleted

 

 

 

Removing Temp Files...

 

ADS Check:

 

C:\WINDOWS

No streams found.

 

C:\WINDOWS\system32

No streams found.

 

C:\WINDOWS\system32\svchost.exe

No streams found.

 

C:\WINDOWS\system32\ntoskrnl.exe

No streams found.

 

 

 

Final Check:

 

Remaining Services:

------------------

 

 

 

 

Authorized Application Key Export:

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

 

Remaining Files:

---------------

 

File Backups: - C:\SDFix\backups\backups.zip

 

Files with Hidden Attributes:

 

C:\Documents and Settings\Nat\Local Settings\Application Data\Microsoft\Messenger\borobabe88@hotmail.co.uk\Sharing Folders\blondie_connection2k2@hotmail.com\Thumbs.db

C:\Documents and Settings\Nat\Local Settings\Application Data\Microsoft\Messenger\borobabe88@hotmail.co.uk\Sharing Folders\donnelly_doogle@hotmail.com\Thumbs.db

C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp

C:\Documents and Settings\Nat\My Documents\introduction to management\term 1\~WRL0001.tmp

C:\Documents and Settings\Nat\My Documents\introduction to management\term 1\~WRL0004.tmp

 

Finished!

 

 

 

BitDefender still didn't load in IE.

 

 

ComboFix 07-09-18.4 - "Nat" 2007-09-18 15:26:35.3 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.128 [GMT 1:00]

.

Rootkit driver pe386 is present. ... attempting disinfection

Rootkit driver msguard is present. ... attempting disinfection

Rootkit driver lzx32 is present. ... attempting disinfection

Rootkit driver huy32 is present. ... attempting disinfection

Rootkit driver xpdt is present. ... attempting disinfection

Rootkit driver pe386 is still present. A rootkit scan is required

Rootkit driver msguard is still present. A rootkit scan is required

Rootkit driver lzx32 is still present. A rootkit scan is required

Rootkit driver huy32 is still present. A rootkit scan is required

Rootkit driver xpdt is still present. A rootkit scan is required

 

((((((((((((((((((((((((( Files Created from 2007-08-18 to 2007-09-18 )))))))))))))))))))))))))))))))

.

 

2007-09-18 15:03 <DIR> d-------- C:\WINDOWS\ERUNT

2007-09-10 11:56 <DIR> d-------- C:\Program Files\iPod

2007-09-10 11:55 <DIR> d-------- C:\Program Files\iTunes

2007-09-04 12:17 51,200 --a------ C:\WINDOWS\NirCmd.exe

2007-09-04 12:12 <DIR> d-------- C:\BackUpMSNCleaner

2007-09-03 13:37 <DIR> d-------- C:\Deckard

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-09-18 15:32 --------- d-------- C:\Program Files\SpywareDetector

2007-08-16 12:39 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Avanquest Software

2007-08-08 18:19 --------- d-------- C:\Program Files\QuickTime

2007-08-08 18:16 --------- d-------- C:\Program Files\Common Files\Apple

2007-08-08 18:16 --------- d-------- C:\Program Files\Apple Software Update

2007-08-08 18:16 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple

2006-10-22 14:00 24192 --a------ C:\DOCUME~1\Nat\usbsermptxp.sys

2006-10-22 14:00 22768 --a------ C:\DOCUME~1\Nat\usbsermpt.sys

.

 

((((((((((((((((((((((((((((( snapshot_2007-09-04_122122.78 )))))))))))))))))))))))))))))))))))))))))

.

-c----w 315,904 2006-11-01 17:31:34 C:\WINDOWS\$NtUninstallKB939683$\unregmp2.exe

-c----w 213,216 2005-06-28 09:23:26 C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe

-c----w 371,424 2005-06-28 09:23:54 C:\WINDOWS\$NtUninstallKB939683$\spuninst\updspapi.dll

----a-w 163,328 2007-09-17 14:25:00 C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE

----a-w 4,956,160 2007-09-18 14:03:47 C:\WINDOWS\ERUNT\SDFIX\Users000001\NTUSER.DAT

----a-w 98,304 2007-09-18 14:03:47 C:\WINDOWS\ERUNT\SDFIX\Users000002\UsrClass.dat

----a-w 163,328 2007-09-17 14:25:00 C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE

----a-w 4,956,160 2007-09-18 14:03:44 C:\WINDOWS\ERUNT\SDFIX_First_Run\Users000001\NTUSER.DAT

----a-w 98,304 2007-09-18 14:03:44 C:\WINDOWS\ERUNT\SDFIX_First_Run\Users000002\UsrClass.dat

----a-w 317,440 2007-06-26 21:10:26 C:\WINDOWS\inf\unregmp2.exe

----a-r 102,400 2007-09-10 10:56:58 C:\WINDOWS\Installer\{B8A204BC-7177-470E-BBDD-47256D05B325}\iTunesIco.exe

----a-w 17,474,680 2007-09-06 02:50:42 C:\WINDOWS\system32\MRT.exe

-c--a-w 317,440 2007-06-26 21:10:26 C:\WINDOWS\system32\dllcache\unregmp2.exe

-c--a-w 30,336 2007-09-06 12:28:16 C:\WINDOWS\system32\DRVSTORE\usbaapl_A65621D65F5B7507DD7B22331826547BDD2D206B\usbaapl.sys

.

----a-w 315,904 2006-11-01 17:31:34 C:\WINDOWS\inf\unregmp2.exe

----a-w 16,789,464 2007-08-03 04:34:10 C:\WINDOWS\system32\MRT.exe

-c--a-w 315,904 2006-11-01 17:31:34 C:\WINDOWS\system32\dllcache\unregmp2.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"VTTimer"="VTTimer.exe" [2005-03-08 02:33 C:\WINDOWS\system32\VTTimer.exe]

"VTTrayp"="VTtrayp.exe" [2005-11-01 03:15 C:\WINDOWS\system32\VTTrayp.exe]

"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]

"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 03:41]

"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 19:51]

"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2006-01-13 08:14]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 14:03]

"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 22:48]

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-13 11:48]

"SystemTraySD"="C:\Program Files\SpywareDetector\SDSystemTray.exe" [2007-07-10 18:53]

"SDAutoLiveupdate"="C:\Program Files\SpywareDetector\LiveUpdateSD.exe" [2007-07-10 18:53]

"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 16:55]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-03-21 18:41]

"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54]

"MSMSGS"="C:\Program Files\Messenger\Msmsgs.exe" [2005-08-31 19:27]

 

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\

Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]

HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 05:21:22]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SDNotify]

C:\Program Files\SpywareDetector\SDNotify.dll 2007-07-09 18:54 176128 C:\Program Files\SpywareDetector\SDNotify.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

"C:\Program Files\iTunes\iTunesHelper.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

"C:\Program Files\QuickTime\qttask.exe" -atboottime

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]

sm56hlpr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

SOUNDMAN.EXE

 

.

Contents of the 'Scheduled Tasks' folder

"2007-08-08 17:17:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

"2007-09-18 07:34:58 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"

- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

.

**************************************************************************

 

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-09-18 15:32:27

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2007-09-18 15:34:27 - machine was rebooted

C:\ComboFix-quarantined-files.txt ... 2007-09-18 15:34

C:\ComboFix2.txt ... 2007-09-14 13:56

C:\ComboFix3.txt ... 2007-09-04 12:21

.

--- E O F ---


Delete the ComboFix you now have and get a new/updated one from HERE, but don't run it yet.

 

Download rustbfix from HERE and save it to your desktop.

Double click on rustbfix.exe to run the tool.

If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer.

The reboot will probably take quite a while, and perhaps 2 reboots will be needed.

But this will happen automatically.

After the reboot 2 logfiles will open (C:\avenger.txt & C:\rustbfix\pelog.txt).

 

Post the content of these logfiles and then run and post a Combofix log also please.


************************* Rustock.b-fix v. 1.01 -- By ejvindh *************************

21/09/2007 14:09:35.45

 

No Rustock.b-rootkits found

 

******************************* End of Logfile ********************************

 

 

 

 

ComboFix 07-09-21.2 - "Nat" 2007-09-21 14:11:16.4 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.139 [GMT 1:00]

* Created a new restore point

.

 

((((((((((((((((((((((((( Files Created from 2007-08-21 to 2007-09-21 )))))))))))))))))))))))))))))))

.

 

2007-09-21 14:09 <DIR> d-------- C:\Rustbfix

2007-09-18 15:03 <DIR> d-------- C:\WINDOWS\ERUNT

2007-09-10 11:56 <DIR> d-------- C:\Program Files\iPod

2007-09-10 11:55 <DIR> d-------- C:\Program Files\iTunes

2007-09-04 12:17 51,200 --a------ C:\WINDOWS\NirCmd.exe

2007-09-04 12:12 <DIR> d-------- C:\BackUpMSNCleaner

2007-09-03 13:37 <DIR> d-------- C:\Deckard

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-09-21 09:10 --------- d-------- C:\Program Files\SpywareDetector

2007-08-16 12:39 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Avanquest Software

2007-08-08 18:19 --------- d-------- C:\Program Files\QuickTime

2007-08-08 18:16 --------- d-------- C:\Program Files\Common Files\Apple

2007-08-08 18:16 --------- d-------- C:\Program Files\Apple Software Update

2007-08-08 18:16 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple

2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll

2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll

2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe

2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll

2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll

2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll

2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll

2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll

2007-07-11 16:40 110592 --a------ C:\WINDOWS\system32\avgfwafu.dll

2007-07-09 19:06 67024 --a------ C:\WINDOWS\system32\CloseAll.exe

2007-06-26 07:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll

2006-10-22 14:00 24192 --a------ C:\DOCUME~1\Nat\usbsermptxp.sys

2006-10-22 14:00 22768 --a------ C:\DOCUME~1\Nat\usbsermpt.sys

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"VTTimer"="VTTimer.exe" [2005-03-08 02:33 C:\WINDOWS\system32\VTTimer.exe]

"VTTrayp"="VTtrayp.exe" [2005-11-01 03:15 C:\WINDOWS\system32\VTTrayp.exe]

"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]

"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 03:41]

"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 19:51]

"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2006-01-13 08:14]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 14:03]

"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 22:48]

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-21 09:17]

"SystemTraySD"="C:\Program Files\SpywareDetector\SDSystemTray.exe" [2007-07-10 18:53]

"SDAutoLiveupdate"="C:\Program Files\SpywareDetector\LiveUpdateSD.exe" [2007-07-10 18:53]

"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 16:55]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-03-21 18:41]

"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54]

"MSMSGS"="C:\Program Files\Messenger\Msmsgs.exe" [2005-08-31 19:27]

 

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\

Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]

HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 05:21:22]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SDNotify]

C:\Program Files\SpywareDetector\SDNotify.dll 2007-07-09 18:54 176128 C:\Program Files\SpywareDetector\SDNotify.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

"C:\Program Files\iTunes\iTunesHelper.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

"C:\Program Files\QuickTime\qttask.exe" -atboottime

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]

sm56hlpr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

SOUNDMAN.EXE

 

R0 SiSRaid2;SiSRaid2;C:\WINDOWS\system32\drivers\SiSRaid2.sys

R0 viamraid;viamraid;C:\WINDOWS\system32\drivers\viamraid.sys

R3 EKBfltr;ENE Keyboard Controller;C:\WINDOWS\system32\DRIVERS\EKBfltr.sys

 

.

Contents of the 'Scheduled Tasks' folder

"2007-08-08 17:17:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

"2007-09-21 13:01:51 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"

- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

.

**************************************************************************

 

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-09-21 14:14:03

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

**************************************************************************

.

Completion time: 2007-09-21 14:15:04

C:\ComboFix-quarantined-files.txt ... 2007-09-21 14:14

C:\ComboFix2.txt ... 2007-09-18 15:34

C:\ComboFix3.txt ... 2007-09-14 13:56

.

--- E O F ---


Well, the fact that rustbfix and the new ComboFix run didn't flag it is a GOOD thing.

 

Now back to a scan....haha

 

Let's get a log from the following please.

 

Clean your Cache and Cookies in IE:

Go to Control Panel > Internet Options > General tab.

Click the "Delete Cookies" button and then the "Delete Files" button next to it.

When prompted, place a check in: "Delete all offline content",

(You will have to re-enter passwords at websites that require them.)

Click OK

 

Clean other Temporary files + Recycle bin:

Go to start > run and type: cleanmgr and click ok.

Let it scan your system for files to remove.

Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.

Press OK to remove them.

 

Please do an online scan with Kaspersky WebScanner

 

Click on Kaspersky Online Scanner

 

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.

  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK.
  • Now under select a target to scan, select My Computer.
  • This program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button and save the file to your desktop.
  • Copy and paste that information in your next post.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

 

When done post the Kaspersky log and a fresh Deckard System Scan log.

 

To get the best results from the DSS, manually delete BOTH the c:\Deckard folder and the DSS executable you downloaded in post #3 (on your desktop most likely), then get a new/updated version from the same link.


dss main.txt

 

Deckard's System Scanner v20070905.67

Run by Nat on 2007-10-01 21:22:33

Computer is in Normal Mode.

--------------------------------------------------------------------------------

 

-- System Restore --------------------------------------------------------------

 

Successfully created a Deckard's System Scanner Restore Point.

 

 

-- Last 5 Restore Point(s) --

6: 2007-10-01 20:22:41 UTC - RP6 - Deckard's System Scanner Restore Point

5: 2007-10-01 13:30:21 UTC - RP5 - System Checkpoint

4: 2007-09-30 13:26:05 UTC - RP4 - System Checkpoint

3: 2007-09-21 13:11:10 UTC - RP3 - ComboFix created restore point

2: 2007-09-21 09:57:26 UTC - RP2 - System Checkpoint

 

 

-- First Restore Point --

1: 2007-09-18 14:24:11 UTC - RP1 - System Checkpoint

 

 

Performed disk cleanup.

 

Percentage of Memory in Use: 79% (more than 75%).

Total Physical Memory: 447 MiB (512 MiB recommended).

 

 

-- HijackThis (run as Nat.exe) -------------------------------------------------

 

Logfile of HijackThis v1.99.1

Scan saved at 21:22:55, on 01/10/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\Program Files\SpywareDetector\SDService.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\VTTimer.exe

C:\WINDOWS\system32\VTtrayp.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\Google\Gmail Notifier\gnotify.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\SpywareDetector\SDSystemTray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\Program Files\Messenger\Msmsgs.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\WINDOWS\system32\wscntfy.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\Documents and Settings\Nat\Desktop\dss.exe

C:\DOCUME~1\Nat\Desktop\Nat.exe

C:\WINDOWS\system32\NOTEPAD.EXE

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virushelpzone.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com/fsc/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/fsc/

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://uk.yahoo.com/fsc/

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [systemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe -AUTO

O4 - HKLM\..\Run: [sDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\Msmsgs.exe" /background

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: @c:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: @c:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/i...GenXInstall.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://borobabe881988.spaces.live.com//Pho...ad/MsnPUpld.cab

O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://asp.mathxl.com/applets/PearsonInstallAsst.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab

O16 - DPF: {EEC9DBCC-04AD-4A1B-BEA7-C6DAD9515D5A} (Pearson MyEconLab Player Control) - http://asp.mathxl.com/books/_Players/EconPlayer.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe

 

 

-- File Associations -----------------------------------------------------------

 

All associations okay.

 

 

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

 

S3 Ad-Watch Connect Filter (Ad-Watch Connect Kernel Filter) - c:\windows\system32\drivers\nsdriver.sys <Not Verified; Lavasoft AB; Ad-Watch Connections>

S3 catchme - c:\docume~1\nat\locals~1\temp\catchme.sys (file missing)

S3 usbsermpt (Motorola USB Modem Driver for MPT) - c:\windows\system32\drivers\usbsermpt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>

 

 

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

 

R2 aawservice (Ad-Aware 2007 Service) - "c:\program files\lavasoft\ad-aware 2007\aawservice.exe" <Not Verified; Lavasoft AB; Ad-Aware 2007 Service>

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>

 

 

-- Device Manager: Disabled ----------------------------------------------------

 

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}

Description: VIA Rhine II Fast Ethernet Adapter

Device ID: PCI\VEN_1106&DEV_3065&SUBSYS_10CD1734&REV_78\3&61AAA01&0&90

Manufacturer: VIA Technologies, Inc.

Name: VIA Rhine II Fast Ethernet Adapter

PNP Device ID: PCI\VEN_1106&DEV_3065&SUBSYS_10CD1734&REV_78\3&61AAA01&0&90

Service: FETND5BV

-- Scheduled Tasks -------------------------------------------------------------

 

2007-10-01 12:32:55 324 --a------ C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job

2007-08-08 18:17:10 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

-- Files created between 2007-09-01 and 2007-10-01 -----------------------------

 

2007-10-01 17:05:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab

2007-10-01 17:05:44 0 d-------- C:\WINDOWS\system32\Kaspersky Lab

2007-09-21 14:09:34 0 d-------- C:\Rustbfix

2007-09-18 15:03:41 0 d-------- C:\WINDOWS\ERUNT

2007-09-10 11:56:07 0 d-------- C:\Program Files\iPod

2007-09-10 11:55:20 0 d-------- C:\Program Files\iTunes

2007-09-04 12:12:19 0 d-------- C:\BackUpMSNCleaner

-- Find3M Report ---------------------------------------------------------------

 

2007-10-01 21:15:56 0 d-------- C:\Program Files\SpywareDetector

2007-10-01 09:27:44 0 d-------- C:\Documents and Settings\Nat\Application Data\AVG7

2007-08-08 18:19:14 0 d-------- C:\Program Files\QuickTime

2007-08-08 18:16:56 0 d-------- C:\Program Files\Apple Software Update

2007-08-08 18:16:10 0 d-------- C:\Program Files\Common Files

2007-08-08 18:16:10 0 d-------- C:\Program Files\Common Files\Apple

-- Registry Dump ---------------------------------------------------------------

 

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"VTTimer"="VTTimer.exe" [08/03/2005 02:33 C:\WINDOWS\system32\VTTimer.exe]

"VTTrayp"="VTtrayp.exe" [01/11/2005 03:15 C:\WINDOWS\system32\VTTrayp.exe]

"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [12/01/2006 15:40]

"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [19/02/2006 03:41]

"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [23/10/2003 19:51]

"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [13/01/2006 08:14]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [10/11/2005 14:03]

"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [15/07/2005 22:48]

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [21/09/2007 09:17]

"SystemTraySD"="C:\Program Files\SpywareDetector\SDSystemTray.exe" [10/07/2007 18:53]

"SDAutoLiveupdate"="C:\Program Files\SpywareDetector\LiveUpdateSD.exe" [10/07/2007 18:53]

"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [29/06/2007 06:24]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07/09/2007 16:55]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [21/03/2006 18:41]

"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [19/01/2007 13:54]

"MSMSGS"="C:\Program Files\Messenger\Msmsgs.exe" [31/08/2005 19:27]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/2005 21:05:26]

HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [19/02/2006 05:21:22]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SDNotify]

C:\Program Files\SpywareDetector\SDNotify.dll 09/07/2007 18:54 176128 C:\Program Files\SpywareDetector\SDNotify.dll

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

"C:\Program Files\iTunes\iTunesHelper.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

"C:\Program Files\QuickTime\qttask.exe" -atboottime

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]

sm56hlpr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

SOUNDMAN.EXE

-- End of Deckard's System Scanner: finished at 2007-10-01 21:25:19 ------------

extra.txt

 

Deckard's System Scanner v20070905.67

Extra logfile - please post this as an attachment with your post.

--------------------------------------------------------------------------------

 

-- System Information ----------------------------------------------------------

 

Microsoft Windows XP Home Edition (build 2600) SP 2.0

Architecture: X86; Language: English

 

CPU 0: Intel® Celeron® M processor 1.70GHz

Percentage of Memory in Use: 80%

Physical Memory (total/avail): 446.23 MiB / 87.76 MiB

Pagefile Memory (total/avail): 1055.96 MiB / 782.75 MiB

Virtual Memory (total/avail): 2047.88 MiB / 1972.52 MiB

 

C: is Fixed (NTFS) - 37.25 GiB total, 13.85 GiB free.

D: is CDROM (No Media)

 

\\.\PHYSICALDRIVE0 - WDC WD400UE-07HCT0 - 37.26 GiB - 1 partition

\PARTITION0 (bootable) - Installable File System - 37.25 GiB - C:

-- Security Center -------------------------------------------------------------

 

AUOptions is scheduled to auto-install.

Windows Internal Firewall is disabled.

 

FirstRunDisabled is set.

 

FW: AVG Firewall 7.5.475 v7.5.475 (GRISOFT) Disabled

AV: AVG 7.5.488 v7.5.488 (GRISOFT)

 

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

 

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

-- Environment Variables -------------------------------------------------------

 

ALLUSERSPROFILE=C:\Documents and Settings\All Users

APPDATA=C:\Documents and Settings\Nat\Application Data

CLASSPATH=.;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip

CLIENTNAME=Console

CommonProgramFiles=C:\Program Files\Common Files

COMPUTERNAME=NATALIE

ComSpec=C:\WINDOWS\system32\cmd.exe

FP_NO_HOST_CHECK=NO

HOMEDRIVE=C:

HOMEPATH=\Documents and Settings\Nat

LOGONSERVER=\\NATALIE

NUMBER_OF_PROCESSORS=1

OS=Windows_NT

Path=C:\Program Files\Mozilla Firefox;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\QuickTime\QTSystem

PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH

PROCESSOR_ARCHITECTURE=x86

PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel

PROCESSOR_LEVEL=6

PROCESSOR_REVISION=0d08

ProgramFiles=C:\Program Files

PROMPT=$P$G

QTJAVA=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip

SESSIONNAME=Console

SystemDrive=C:

SystemRoot=C:\WINDOWS

TEMP=C:\DOCUME~1\Nat\LOCALS~1\Temp

TMP=C:\DOCUME~1\Nat\LOCALS~1\Temp

USERDOMAIN=NATALIE

USERNAME=Nat

USERPROFILE=C:\Documents and Settings\Nat

windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------

 

Nat (admin)

James (admin)

-- Add/Remove Programs ---------------------------------------------------------

 

--> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER

--> C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu

--> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL

--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL

--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL

--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL

--> C:\WINDOWS\UNRecode.exe /UNINSTALL

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf

Ad-Aware 2007 --> MsiExec.exe /X{E31C348B-63A9-4CBF-8D7F-D932ABB63244}

Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe

Adobe Reader 7.0.7 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70700000002}

Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log

Apple Mobile Device Support --> MsiExec.exe /I{3EBD3749-304E-4A4C-9575-C00E5F015217}

Apple Software Update --> MsiExec.exe /I{492724FC-3B26-46B4-824F-3CE2722D9AA0}

AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL

DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC

DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER

DivX Converter --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER

DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER

DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN

Google Gmail Notifier --> "C:\Program Files\Google\Gmail Notifier\UninstallGmail.exe"

High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"

HijackThis 1.99.1 --> C:\Documents and Settings\Nat\Desktop\HijackThis.exe /uninstall

Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"

Hotfix for Windows Media Format SDK (KB902344) --> "C:\WINDOWS\$NtUninstallKB902344$\spuninst\spuninst.exe"

HP Customer Participation Program 7.0 --> C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat

hp deskjet 5600 --> msiexec /x{DB5518BE-F40F-407A-B451-012625D4497B}

HP Imaging Device Functions 7.0 --> C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat

HP Photosmart Essential --> MsiExec.exe /X{6994491D-D491-48F1-AE1F-E179C1FFFC2F}

HP Photosmart, Officejet and Deskjet 7.0.A --> C:\Program Files\HP\Digital Imaging\{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C}\setup\hpzscr01.exe -datfile hposcr11.dat

HP Software Update --> MsiExec.exe /X{BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E}

HP Solution Center 7.0 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat

InterVideo WinDVD --> "C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL

iTunes --> MsiExec.exe /I{B8A204BC-7177-470E-BBDD-47256D05B325}

J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}

Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe

Macromedia Flash Player 8 --> MsiExec.exe /X{5E8A1B08-0FBD-4543-9646-F2C2D0D05750}

Messenger Plus! Live --> "C:\Program Files\Messenger Plus! Live\Uninstall.exe"

Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"

Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}

Microsoft Picture It! Print Studio 2001 --> MsiExec.exe /I{F3BF1670-5541-45A2-AFD3-2AA2E9754EEE}

Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"

Microsoft Works --> MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}

Motorola Phone Tools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BAD8CA9C-77C0-4663-B00B-A8D3B13C341B}\setup.exe" -l0x9 -removeonly

Motorola SM56 Data Fax Modem --> C:\WINDOWS\Motorola\SMSERIAL\sm56unst.exe

Mozilla Firefox (2.0.0.6) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe

Mozilla Firefox (2.0.0.7) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe

Nero 7 Essentials --> MsiExec.exe /I{DD090DED-AC90-4B12-915E-72511B7B1033}

OCR Software by I.R.I.S 7.0 --> C:\Program Files\HP\Digital Imaging\OCR\hpzscr01.exe -datfile hpqbud11.dat

PHStat2 version 2.5.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{363798A0-FE16-4BA8-8119-572A02202DBF}\setup.exe" -l0x9 -removeonly

QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}

Realtek AC'97 Audio --> Alcrmv.exe -r -m

Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"

Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"

Shockwave --> C:\WINDOWS\system32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~2\INSTALL.LOG

Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"

Spyware Detector --> "C:\Program Files\SpywareDetector\unins000.exe"

VIA Rhine-Family Fast Ethernet Adapter --> Rundll32.exe vuins32.dll,vuins32Ex $Rhine $VIA

Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}

Windows Live OneCare safety scanner --> RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT

Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"

Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"

Windows Media Hotfix - KB895181 --> "C:\WINDOWS\$NtUninstallKB895181$\spuninst\spuninst.exe"

Windows Messenger 5.1 --> MsiExec.exe /I{9D1C26BD-E792-4159-9D16-07EA222D8EF0}

Windows Messenger 5.1 MUI Pack --> MsiExec.exe /I{F3CBA4E6-436E-4B51-9651-93830EE38616}

Yahoo! Companion --> rundll32.exe C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\YCOMP5~1.DLL,DllCommand ui

Yahoo! Messenger with BT Communicator --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG

-- Application Event Log -------------------------------------------------------

 

Event Record #/Type8469 / Success

Event Submitted/Written: 10/01/2007 09:28:39 AM

Event ID/Source: 12001 / usnjsvc

Event Description:

The Messenger Sharing USN Journal Reader service started successfully.

 

Event Record #/Type8461 / Success

Event Submitted/Written: 09/30/2007 05:23:37 PM

Event ID/Source: 12001 / usnjsvc

Event Description:

The Messenger Sharing USN Journal Reader service started successfully.

 

Event Record #/Type8451 / Success

Event Submitted/Written: 09/23/2007 05:23:33 PM

Event ID/Source: 12001 / usnjsvc

Event Description:

The Messenger Sharing USN Journal Reader service started successfully.

 

Event Record #/Type8436 / Success

Event Submitted/Written: 09/21/2007 09:13:53 AM

Event ID/Source: 12001 / usnjsvc

Event Description:

The Messenger Sharing USN Journal Reader service started successfully.

 

Event Record #/Type8423 / Success

Event Submitted/Written: 09/19/2007 10:38:30 AM

Event ID/Source: 12001 / usnjsvc

Event Description:

The Messenger Sharing USN Journal Reader service started successfully.

-- Security Event Log ----------------------------------------------------------

 

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

 

Event Record #/Type1975747 / Warning

Event Submitted/Written: 10/01/2007 08:24:49 PM / 10/01/2007 08:24:50 PM

Event ID/Source: 240 / Win32k

Event Description:

A request to suspend power was denied by winlogon.exe.

-- End of Deckard's System Scanner: finished at 2007-10-01 21:25:19 ------------

 

Kaspersky Online Scanner

 

KASPERSKY ONLINE SCANNER REPORT

Monday, October 01, 2007 7:28:28 PM

Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)

Kaspersky Online Scanner version: 5.0.93.1

Kaspersky Anti-Virus database last update: 1/10/2007

Kaspersky Anti-Virus database records: 426024

Scan Settings

Scan using the following antivirus database extended

Scan Archives true

Scan Mail Bases true

Scan Target My Computer

C:\

D:\

Scan Statistics

Total number of scanned objects 80455

Number of viruses found 1

Number of infected objects 12

Number of suspicious objects 0

Duration of the scan process 01:51:34

 

Infected Object Name Virus Name Last Action

C:\Documents and Settings\All Users\Application Data\Avg7\Log\emc.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\AvgFwLog.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\AvgFwLog.log.lck Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Nat\Application Data\Mozilla\Firefox\Profiles\xtnqhtuj.default\cert8.db Object is locked skipped

C:\Documents and Settings\Nat\Application Data\Mozilla\Firefox\Profiles\xtnqhtuj.default\formhistory.dat Object is locked skipped

C:\Documents and Settings\Nat\Application Data\Mozilla\Firefox\Profiles\xtnqhtuj.default\history.dat Object is locked skipped

C:\Documents and Settings\Nat\Application Data\Mozilla\Firefox\Profiles\xtnqhtuj.default\key3.db Object is locked skipped

C:\Documents and Settings\Nat\Application Data\Mozilla\Firefox\Profiles\xtnqhtuj.default\parent.lock Object is locked skipped

C:\Documents and Settings\Nat\Application Data\Mozilla\Firefox\Profiles\xtnqhtuj.default\search.sqlite Object is locked skipped

C:\Documents and Settings\Nat\Application Data\Mozilla\Firefox\Profiles\xtnqhtuj.default\urlclassifier2.sqlite Object is locked skipped

C:\Documents and Settings\Nat\Application Data\Mozilla\Firefox\Profiles\xtnqhtuj.default\webappsstore.sqlite Object is locked skipped

C:\Documents and Settings\Nat\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Nat\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Nat\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Nat\Local Settings\Application Data\Mozilla\Firefox\Profiles\xtnqhtuj.default\Cache\_CACHE_001_ Object is locked skipped

C:\Documents and Settings\Nat\Local Settings\Application Data\Mozilla\Firefox\Profiles\xtnqhtuj.default\Cache\_CACHE_002_ Object is locked skipped

C:\Documents and Settings\Nat\Local Settings\Application Data\Mozilla\Firefox\Profiles\xtnqhtuj.default\Cache\_CACHE_003_ Object is locked skipped

C:\Documents and Settings\Nat\Local Settings\Application Data\Mozilla\Firefox\Profiles\xtnqhtuj.default\Cache\_CACHE_MAP_ Object is locked skipped

C:\Documents and Settings\Nat\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Nat\Local Settings\History\History.IE5\MSHist012007100120071002\index.dat Object is locked skipped

C:\Documents and Settings\Nat\Local Settings\Temp\hpodvd09.log Object is locked skipped

C:\Documents and Settings\Nat\Local Settings\Temp\~DFF238.tmp Object is locked skipped

C:\Documents and Settings\Nat\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Nat\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Nat\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\ISP\BT_Openworld\Narrowband\Signup\Anytime\signupLt.exe/btwebcontrol.dll Infected: not-a-virus:Dialer.Win32.BT.b skipped

C:\ISP\BT_Openworld\Narrowband\Signup\Anytime\signupLt.exe CAB: infected - 1 skipped

C:\ISP\BT_Openworld\Narrowband\Signup\Reinstall\SignupLt.EXE/btwebcontrol.dll Infected: not-a-virus:Dialer.Win32.BT.b skipped

C:\ISP\BT_Openworld\Narrowband\Signup\Reinstall\SignupLt.EXE CAB: infected - 1 skipped

C:\ISP\BT_Openworld\Narrowband\Signup\Standard\SignupLt.exe/btwebcontrol.dll Infected: not-a-virus:Dialer.Win32.BT.b skipped

C:\ISP\BT_Openworld\Narrowband\Signup\Standard\SignupLt.exe CAB: infected - 1 skipped

C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped

C:\recover\ISP\BT_Openworld\Narrowband\Signup\Anytime\signupLt.exe/btwebcontrol.dll Infected: not-a-virus:Dialer.Win32.BT.b skipped

C:\recover\ISP\BT_Openworld\Narrowband\Signup\Anytime\signupLt.exe CAB: infected - 1 skipped

C:\recover\ISP\BT_Openworld\Narrowband\Signup\Reinstall\SignupLt.EXE/btwebcontrol.dll Infected: not-a-virus:Dialer.Win32.BT.b skipped

C:\recover\ISP\BT_Openworld\Narrowband\Signup\Reinstall\SignupLt.EXE CAB: infected - 1 skipped

C:\recover\ISP\BT_Openworld\Narrowband\Signup\Standard\SignupLt.exe/btwebcontrol.dll Infected: not-a-virus:Dialer.Win32.BT.b skipped

C:\recover\ISP\BT_Openworld\Narrowband\Signup\Standard\SignupLt.exe CAB: infected - 1 skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{F9EE9364-B88F-4438-8654-6025C9980D20}\RP5\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


Everything in the logs is looking in shape now EXCEPT for

Windows Internal Firewall is disabled.

FW: AVG Firewall 7.5.475 v7.5.475 (GRISOFT) Disabled

 

Have you tried recently to turn either on? Do you receive any errors when you do? Any other info you could forward would be helpful.


Hello,

 

AVG still isn't activating. The error message says:

 

An error occurred while starting Firewall.

The service cannot be started, either because it is disabled or because it has no enabled devices associated with it (1058).

 

In the control centre it says the firewall is stopped.

 

The Windows firewall seems to be working now. That didn't bring any error messages; it just activated.

 

Thanks

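The log review in the replies above, as an added Python example that is not code from the thread or from Deckard's tool: it reads the DSS Drivers/Services and Security Center sections for anything disabled or missing, the way the helper did, and flags start type 4-Disabled, which is the state the Service Control Manager reports as error 1058 (ERROR_SERVICE_DISABLED) when a program tries to start the service. The line format follows the DSS log posted above; the S4 ExampleFw entry and its examplefw.exe path are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Start-type digits come from the DSS section header:
# "-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --"
START_TYPES = {"0": "Boot", "1": "System", "2": "Auto", "3": "Demand", "4": "Disabled"}

# One DSS driver/service line: state letter (R running / S stopped) + start digit,
# key name (may contain spaces), optional "(display name)", " - ", the image path
# (quoted when it contains spaces), then flags such as "(file missing)" or
# "<Not Verified; vendor; description>".
SERVICE_RE = re.compile(
    r'^(?P<state>[RS])(?P<start>[0-4]) '
    r'(?P<name>.+?)'
    r'(?: \((?P<display>[^)]*)\))?'
    r' - (?P<path>"[^"]*"|\S+)'
    r'(?P<rest>.*)$'
)


@dataclass
class ServiceEntry:
    state: str          # "R" or "S"
    start_type: str     # Boot / System / Auto / Demand / Disabled
    name: str
    display: Optional[str]
    path: str
    file_missing: bool  # DSS appends "(file missing)" when the image is gone
    verified: bool      # False when DSS appends "<Not Verified; ...>"


def parse_dss_service(line: str) -> Optional[ServiceEntry]:
    """Parse one DSS Drivers/Services line; returns None for any other line."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    return ServiceEntry(
        state=m.group("state"),
        start_type=START_TYPES[m.group("start")],
        name=m.group("name"),
        display=m.group("display"),
        path=m.group("path").strip('"'),
        file_missing="(file missing)" in rest,
        verified="<Not Verified" not in rest,
    )


def triage(lines: List[str]) -> List[str]:
    """Return the findings a helper would call out when reading a DSS log."""
    findings: List[str] = []
    for raw in lines:
        text = raw.strip()
        # Security Center section: a firewall or AV reported as disabled is a finding.
        if text.endswith("is disabled.") or (text.startswith("FW:") and text.endswith("Disabled")):
            findings.append(f"security-center: {text}")
            continue
        entry = parse_dss_service(text)
        if entry is None:
            continue
        if entry.start_type == "Disabled":
            # Start type 4 is what the Service Control Manager reports as
            # error 1058 (ERROR_SERVICE_DISABLED) when something tries to start it.
            findings.append(f"disabled-service: {entry.name} ({entry.path})")
        if entry.file_missing:
            findings.append(f"missing-binary: {entry.name} ({entry.path})")
        if not entry.verified:
            # Unsigned images are common for third-party drivers; note, don't alarm.
            findings.append(f"info-unverified: {entry.name} ({entry.path})")
    return findings


# Constructed sample: real lines from the log above plus one made-up S4 entry
# (ExampleFw / examplefw.exe are placeholders, not a real product).
SAMPLE_LOG = r"""
S3 Ad-Watch Connect Filter (Ad-Watch Connect Kernel Filter) - c:\windows\system32\drivers\nsdriver.sys <Not Verified; Lavasoft AB; Ad-Watch Connections>
S3 catchme - c:\docume~1\nat\locals~1\temp\catchme.sys (file missing)
R2 aawservice (Ad-Aware 2007 Service) - "c:\program files\lavasoft\ad-aware 2007\aawservice.exe" <Not Verified; Lavasoft AB; Ad-Aware 2007 Service>
S4 ExampleFw (Example Firewall Service) - "c:\program files\example\examplefw.exe"
-- Security Center -------------------------------------------------------------
Windows Internal Firewall is disabled.
FW: AVG Firewall 7.5.475 v7.5.475 (GRISOFT) Disabled
""".splitlines()

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```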

Hi,

 

Do you have any ongoing issues or can we close this topic?

 

jedi


Do you think that uninstalling AVG and reinstalling it might work to get that firewall to work again? Or are there any other suggestions you can make to get AVG firewall to work?

 

Other than that everything is good, thank you for your help.


Yes, it's worth a try, though I'd check with AVG that your licence key will work for a reinstall, before you do that.

 

jedi


Glad we could help. :)

 

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

This topic is now closed to further replies.