Jump to content


Photo

Hijacked by trojan(s)


  • This topic is locked This topic is locked
25 replies to this topic

#1 rcroft

rcroft

    Member

  • Full Member
  • Pip
  • 14 posts

Posted 31 May 2007 - 10:00 AM

Well, I hit a bad site (I was using the current firefox, with updated and current XP AND Avast Pro..... I also keep spywareblaster running and updated)

and the alarms went off. I tried to quarantine w/ avast, but several trojans hit at the same time screwing my system. I'm getting multiple crashes, "page fault in non-paged area" crashes, mem dumps, can't shut system restore off, and lately I've noticed that my broadband is clogged with what now seems to be mass emailings OUT from my hijacked computer. I've taken it off-line, run SuperAntiSpyware in safe mode, ComboFix in safe mode, and Avast multiple times.... I'm still infected.

Need help please!

Here's the current HJT log, after running AVGas in safe.....

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 6:57:54 PM, on 5/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Safe mode

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ctfmon.exe
C:\Documents and Settings\ron\Application Data\U3\07A15A6081E1287F\LaunchPad.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Documents and Settings\ron\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1101231130\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe"
O4 - HKLM\..\Run: [DT Task] C:\Program Files\Portrait Displays\PerfectSuite\DTHtml.exe -startup_folder
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINNT\system32\tbctray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - S-1-5-18 Startup: discfix.lnk = C:\DELL\discfix.cmd (User 'SYSTEM')
O4 - .DEFAULT Startup: discfix.lnk = C:\DELL\discfix.cmd (User 'Default user')
O4 - .DEFAULT User Startup: discfix.lnk = C:\DELL\discfix.cmd (User 'Default user')
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Startup: PunchClock Client.lnk = C:\Program Files\PunchClock Client2\PunchClock Client.exe
O4 - Startup: SpywareBlaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: HushEncryptionEngine - https://mailserver2....ptionEngine.cab
O16 - DPF: symsupportutil - https://www-secure.s...supportutil.CAB
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.a...83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1119896207295
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124211473233
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.c...es/PROFILER.CAB
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadbl...ivex/sabspx.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.a...,20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{761A1D4A-EE9C-4DA6-A311-8A51E3A3DDEC}: NameServer = 65.32.2.130,65.32.1.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{970D1E11-0D90-4E8E-B2E5-166309A8EA59}: NameServer = 65.32.2.130,65.32.1.70
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: Asset Management Daemon - Unknown owner - C:\Program Files\Portrait Displays\PerfectSuite\dtsslsrv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\SYSTEM32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Portrait Displays\PerfectSuite\DTSRVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Unknown owner - C:\PROGRA~1\NORTON~1\AdvTools\NPROTECT.EXE (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

--
End of file - 11113 bytes


Here's the AVGas log....



VG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:55:55 PM 5/30/2007

+ Scan result:



C:\System Volume Information\_restore{50F0928E-FAC0-4680-8FA5-07889EDD2BE6}\RP580\A0119192.dll -> Adware.BraveSentry : Cleaned.
C:\System Volume Information\_restore{50F0928E-FAC0-4680-8FA5-07889EDD2BE6}\RP580\A0119193.dll -> Adware.BraveSentry : Cleaned.
C:\System Volume Information\_restore{50F0928E-FAC0-4680-8FA5-07889EDD2BE6}\RP580\A0119194.dll -> Adware.BraveSentry : Cleaned.
C:\System Volume Information\_restore{50F0928E-FAC0-4680-8FA5-07889EDD2BE6}\RP580\A0119190.exe -> Adware.SpySheriff : Cleaned.
C:\System Volume Information\_restore{50F0928E-FAC0-4680-8FA5-07889EDD2BE6}\RP580\A0044195.DLL -> Adware.Viewpoint : Cleaned.
C:\Program Files\SnadBoy's Revelation v2\Revelation.exe -> Not-A-Virus.PSWTool.Win32.SnadBoy.2011 : Cleaned.
C:\Program Files\SnadBoy's Revelation v2\RevelationHelper.dll -> Not-A-Virus.PSWTool.Win32.SnadBoy.2011 : Cleaned.
C:\Documents and Settings\ron\COOKIES\ron@search.live[2].txt -> TrackingCookie.Live : Cleaned.


::Report end



Thanks for any help -




RC

#2 SWI Support Robot

SWI Support Robot

    Helper robot

  • SWI Bot
  • PipPipPipPipPip
  • 23,523 posts

Posted 03 June 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 rcroft

rcroft

    Member

  • Full Member
  • Pip
  • 14 posts

Posted 04 June 2007 - 04:12 PM

Here are some updated logs...

Logfile of HijackThis v1.99.1
Scan saved at 2:05:16 PM, on 6/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\mom.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Portrait Displays\PerfectSuite\dtsslsrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Portrait Displays\PerfectSuite\DTSRVC.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Common Files\AOL\1101231130\ee\AOLSoftware.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
C:\Program Files\Portrait Displays\PerfectSuite\DTHtml.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\WINNT\system32\tbctray.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1101231130\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe"
O4 - HKLM\..\Run: [DT Task] C:\Program Files\Portrait Displays\PerfectSuite\DTHtml.exe -startup_folder
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINNT\system32\tbctray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Startup: PunchClock Client.lnk = C:\Program Files\PunchClock Client2\PunchClock Client.exe
O4 - Startup: SpywareBlaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: HushEncryptionEngine - https://mailserver2....ptionEngine.cab
O16 - DPF: symsupportutil - https://www-secure.s...supportutil.CAB
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.a...83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1119896207295
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124211473233
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.c...es/PROFILER.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadbl...ivex/sabspx.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.a...,20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{761A1D4A-EE9C-4DA6-A311-8A51E3A3DDEC}: NameServer = 65.32.2.130,65.32.1.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{970D1E11-0D90-4E8E-B2E5-166309A8EA59}: NameServer = 65.32.2.130,65.32.1.70
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: Asset Management Daemon - Unknown owner - C:\Program Files\Portrait Displays\PerfectSuite\dtsslsrv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\SYSTEM32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Portrait Displays\PerfectSuite\DTSRVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Unknown owner - C:\PROGRA~1\NORTON~1\AdvTools\NPROTECT.EXE (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe











__________++++++++++++++++++++_______________________




Here' the uninstall....

3Com NIC Diagnostics
Active+ Software MIME Indexer
Ad-Aware SE Personal
Adobe Acrobat 7.0.9 Professional
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.5 Language Support
Adobe Reader 7.0.9
Advanced System Optimizer 2.10
Aladdin Expander 5.1
AnswerWorks Runtime
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Coach Version 2.0(Build:20041026.5 en)
AOL Deskbar
AOL Instant Messenger (SM)
AOL Spyware Protection
AOL Uninstaller (Choose which Products to Remove)
AP Configuration
AportisDoc Reader
Arachnophilia 5.2
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
ATI DVD Decoder 2.1.0.1
ATI Multimedia Center 8.1.0.0
ATI RADEON 9700 Bacteria Screen Saver v1.0
ATI RADEON 9700 Bear Demo v1.0
ATI RADEON 9700 Car Paint Demo v1.0
ATI RADEON 9700 Debevec RNL Demo v1.0
ATI RADEON 9700 Dogs Screen Saver v1.0
ATI RADEON 9700 Moebius Strip Screen Saver v1.0
ATI RADEON 9700 NPR Hatching Demo v1.0
ATI RADEON 9700 Pipe Dream Demo v1.0
Attune 2.3.2
audioGnome
audioGnome Active Installer
avast! Antivirus
AVG Anti-Spyware 7.5
BounceBack Express
Canon Camera Window for ZoomBrowser EX
Canon PhotoRecord
Canon Utilities PhotoStitch 3.1
Canon Utilities RemoteCapture 1.1
Canon Utilities ZoomBrowser EX
ChainCast Proxy (remove only)
Corel Applications
CutePDF Writer 2.5
DAO
DAO
Dell Documents
DellEPro Internet Service
DellTouch
Depositions
DiscWizard 2003
Doom 3
Eraser
Fatali Gallery Screen Saver: In Celebration of Land & Spirit
GdiplusUpgrade
Google Desktop
Google Desktop Extreme
Half-Life® 2
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB928388)
Hotfix for Windows XP (KB929120)
HP Image Zone 4.7
HP PSC & OfficeJet 4.7
Intel Ultra ATA Storage Driver
InterVideo WinDVD
Java 2 Runtime Environment, SE v1.4.2_01
Larry's WordPerfect Indexer
Learn2 Player (Uninstall Only)
LexisNexis CD
LexisNexis® CD on Folio 4
Liquid Player
Macromedia Shockwave Player
MaxSecret Conduit
MaxSecret Desktop Viewer
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft IntelliPoint
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 SR-1 Disc 2
Microsoft Office OneNote 2003
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office XP Small Business
Microsoft User-Mode Driver Framework Feature Pack 1.0
Movie Maker Background Music Files
Movie Maker Sound Effects
Movie Maker Title Images
Mozilla Firefox (2.0.0.3)
Mozilla Thunderbird (1.5.0.10)
MSXML 4.0 SP2 (KB927978)
MSXML 6.0 Parser (KB927977)
MSXML4 Parser
Napster v2.0 BETA 9.6
Nero Digital
Nero Media Player
Nero OEM
Palm Desktop
PerfectSuite
Personal License Update Wizard for Windows Media Player
Pivot Software
Plus! MP3 Audio Converter LE
Prevail
Prevail 3.9.2 Demo
Prevail Control Panel
PunchClock Client 2.23
QuickTime
RealPlayer Basic
Santa Cruz
Security Task Manager 1.6e
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917537)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926247)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Shred 2 (PC Magazine)
SmartFTP
SnadBoy's Revelation v2
Spybot - Search & Destroy 1.3
SpywareBlaster v3.5.1
Steam™
SUPERAntiSpyware Free Edition
Swiff Chart 2.5
TapeCalc 2.0
Trellix Web Demo Shortcut Adder
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB925876)
Update for Windows XP (KB929338)
Update for Windows XP (KB931836)
Viewpoint Media Player
ViewSonic Monitor Drivers
ViewSonic Windows XP Signed Files
WAP11 Utility
Windows Communication Foundation
Windows Genuine Advantage v1.3.0254.0
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Installer Clean Up
Windows Internet Explorer 7
Windows Media Bonus Pack for Windows XP
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player 11
Windows Media Player Playlist Import to Excel Wizard
Windows Media Player Skin Importer
Windows Media Player Tray Control
Windows Presentation Foundation
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2
Windows Workflow Foundation
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinZip
WordPerfect Office 2000 Hot Fix








Here's the AVG log...


AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:55:55 PM 5/30/2007

+ Scan result:



C:\System Volume Information\_restore{50F0928E-FAC0-4680-8FA5-07889EDD2BE6}\RP580\A0119192.dll -> Adware.BraveSentry : Cleaned.
C:\System Volume Information\_restore{50F0928E-FAC0-4680-8FA5-07889EDD2BE6}\RP580\A0119193.dll -> Adware.BraveSentry : Cleaned.
C:\System Volume Information\_restore{50F0928E-FAC0-4680-8FA5-07889EDD2BE6}\RP580\A0119194.dll -> Adware.BraveSentry : Cleaned.
C:\System Volume Information\_restore{50F0928E-FAC0-4680-8FA5-07889EDD2BE6}\RP580\A0119190.exe -> Adware.SpySheriff : Cleaned.
C:\System Volume Information\_restore{50F0928E-FAC0-4680-8FA5-07889EDD2BE6}\RP580\A0044195.DLL -> Adware.Viewpoint : Cleaned.
C:\Program Files\SnadBoy's Revelation v2\Revelation.exe -> Not-A-Virus.PSWTool.Win32.SnadBoy.2011 : Cleaned.
C:\Program Files\SnadBoy's Revelation v2\RevelationHelper.dll -> Not-A-Virus.PSWTool.Win32.SnadBoy.2011 : Cleaned.
C:\Documents and Settings\ron\COOKIES\ron@search.live[2].txt -> TrackingCookie.Live : Cleaned.


::Report end





Here's the Pandasoft scan....


Incident Status Location

Adware:Adware/IST.ISTBar Not disinfected C:\Documents and Settings\ron\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-7af0c544.zip[javainstaller/InstallerApplet.class]
Virus:W32/Tearec.A.worm!CME-24 Disinfected C:\Documents and Settings\ron\Application Data\Thunderbird\Profiles\clsnf5fc.default\Mail\pop-server.tampabay.rr.com\Inbox[Attachments00.HQX][Attachments,zip .SCR]
Virus:W32/Tearec.A.worm!CME-24 Disinfected C:\Documents and Settings\ron\Application Data\Thunderbird\Profiles\clsnf5fc.default\Mail\pop-server.tampabay.rr.com\Trash[Attachments00.HQX][Attachments,zip .SCR]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\ron\DESKTOP\ComboFix.exe[ComboFixT\nircmd.cfexe]
Adware:Adware/SpySheriff Not disinfected C:\QooBox\Quarantine\C\WINNT\SYSTEM32\dlh9jkd1q2.exe.vir
Hacktool:Rootkit/Nurech.A Not disinfected C:\QooBox\Quarantine\C\WINNT\SYSTEM32\wincom32.sys.vir
Potentially unwanted tool:Application/PassRock Not disinfected C:\TEMP\PC Utilities\Keyfinder\keyfinder.exe
Potentially unwanted tool:Application/PassRock Not disinfected C:\TEMP\PC Utilities\Keyfinder\kf15b3.zip[keyfinder.exe]
Potentially unwanted tool:Application/PassRock Not disinfected C:\TEMP\PC Utilities\Keyfinder\kf15b3.zip[keyfinder.exe][findkey.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINNT\nircmd.exe





Any help would be most appreciated!

RC

This

#4 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • PipPipPipPipPip
  • 15,830 posts

Posted 06 June 2007 - 05:00 AM

Hi, sorry about the wait.

Ok, can you run ComboFix again, in normal mode, I need to see the log. Here's the download just in case:

1. Download this file - ComboFix
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Also:

Download GMER from here:
http://www.majorgeek...GMER_d5198.html

Unzip it to desktop.

Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, apart from ‘Show All’.
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.

jedi
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#5 rcroft

rcroft

    Member

  • Full Member
  • Pip
  • 14 posts

Posted 06 June 2007 - 11:38 AM

Thanks for the response! I'm glad to finally be on the road to getting this computer fixe - it has been a royal PITA.

Here are the new logs.....


"ron" - 2007-06-06 10:55:35 Service Pack 2 NTFS
ComboFix 07-06-3B - Running from: "C:\Documents and Settings\ron\DESKTOP\"


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\system32\windev-1daf-bf9.sys
C:\WINNT\system32\windev-peers.ini


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\windev-1daf-bf9


((((((((((((((((((((((((( Files Created from 2007-05-06 to 2007-06-06 )))))))))))))))))))))))))))))))


2007-06-04 14:08 <DIR> d-------- C:\Program Files\CCleaner
2007-06-04 12:47 <DIR> d-------- C:\WINNT\SYSTEM32\ActiveScan
2007-05-30 10:29 3,968 --a------ C:\WINNT\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-05-23 09:48 134,260 --a------ C:\WINNT\SYSTEM32\alt.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2013-05-12 09:13:38 1,025 --sh--w C:\WINNT\system32\l34501.sys
2007-06-06 14:22:19 -------- d-----w C:\Program Files\Mozilla Thunderbird
2007-06-05 19:14:13 -------- d-----w C:\Program Files\SUPERAntiSpyware
2007-06-05 15:04:29 -------- d-----w C:\Program Files\America Online 9.0a
2007-06-05 15:04:28 -------- d-----w C:\Program Files\America Online 9.0
2007-06-05 14:39:11 -------- d-----w C:\Program Files\SpywareBlaster
2007-06-04 17:24:29 -------- d-----w C:\Program Files\SmartFTP
2007-06-04 17:15:39 -------- d-----w C:\Program Files\Common Files\aolshare
2007-05-31 00:08:25 -------- d-----w C:\DOCUME~1\ron\APPLIC~1\U3
2007-05-09 16:55:22 -------- d-----w C:\Program Files\Common Files\AOL
2007-05-03 18:52:36 -------- d-----w C:\Program Files\Common Files\Acronis
2007-05-03 18:48:39 -------- d-----w C:\DOCUME~1\ron\APPLIC~1\Microsoft Games
2007-05-03 18:42:07 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-03 17:46:57 -------- d-----w C:\Program Files\Pure Networks
2007-05-02 21:02:36 -------- d-----w C:\DOCUME~1\ron\APPLIC~1\SUPERAntiSpyware.com
2007-05-02 20:51:20 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-05-02 20:24:33 -------- d-----w C:\Program Files\IObit
2007-04-30 15:46:10 745,600 ----a-w C:\WINNT\system32\aswBoot.exe
2007-04-30 15:41:55 85,952 ----a-w C:\WINNT\system32\drivers\aswmon.sys
2007-04-30 15:41:42 94,552 ----a-w C:\WINNT\system32\drivers\aswmon2.sys
2007-04-30 15:39:41 23,416 ----a-w C:\WINNT\system32\drivers\aswRdr.sys
2007-04-30 15:38:51 43,176 ----a-w C:\WINNT\system32\drivers\aswTdi.sys
2007-04-30 15:37:23 26,888 ----a-w C:\WINNT\system32\drivers\aavmker4.sys
2007-04-30 15:35:28 95,872 ----a-w C:\WINNT\system32\AVASTSS.scr
2007-04-30 14:40:06 -------- d-----w C:\DOCUME~1\ron\APPLIC~1\webex
2007-04-30 14:39:49 200,263 ----a-w C:\WINNT\system32\atasnt40.dll
2007-04-20 19:13:47 -------- d-----w C:\DOCUME~1\ron\APPLIC~1\AdobeUM
2007-04-17 02:47:36 33,624 ----a-w C:\WINNT\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINNT\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINNT\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINNT\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINNT\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINNT\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINNT\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINNT\system32\wups2.dll
2007-04-17 02:44:20 271,224 ----a-w C:\WINNT\system32\mucltui.dll
2007-04-17 02:44:18 208,248 ----a-w C:\WINNT\system32\muweb.dll
2007-04-13 17:31:03 103,984 ----a-w C:\WINNT\system32\AOLDial.dll
2007-04-13 17:30:43 33,592 ----a-w C:\WINNT\system32\drivers\atwpkt264.sys
2007-04-13 17:30:39 25,136 ----a-w C:\WINNT\system32\drivers\atwpkt2.sys
2007-04-03 15:27:53 96,968 ----a-w C:\DOCUME~1\ron\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-03-23 10:07:56 1,683,280 ------w C:\WINNT\system32\XpsSvcs.dll
2007-03-23 10:07:54 583,504 ------w C:\WINNT\system32\XPSSHHDR.dll
2007-03-23 00:25:02 124,928 ------w C:\WINNT\system32\prntvpt.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINNT\system32\winsrv.dll
2007-03-12 21:42:50 62,009 ----a-w C:\WINNT\system32\wpfb_ati2dvag.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINNT\system32\user32.dll
2007-03-08 15:36:28 40,960 ------w C:\WINNT\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINNT\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ------w C:\WINNT\system32\win32k.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2004-05-12 01:03]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"POINTER"="point32.exe" []
"TCASUTIEXE"="TCAUDIAG -off" []
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"Synchronization Manager"="mobsync.exe" [2004-08-04 03:56 C:\WINNT\SYSTEM32\mobsync.exe]
"MULTIMEDIA KEYBOARD"="C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" [2000-09-21 15:34]
"HostManager"="C:\Program Files\Common Files\AOL\1101231130\ee\AOLSoftware.exe" [2006-09-25 20:52]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 11:42]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 20:52]
"@"="" []
"PivotSoftware"="C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe" [2005-12-07 17:59]
"DT Task"="C:\Program Files\Portrait Displays\PerfectSuite\DTHtml.exe" [2006-04-11 11:48]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe" [2003-08-19 18:23]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2006-10-07 08:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 03:56]
"ATI Launchpad"="C:\Program Files\ATI Multimedia\main\launchpd.exe" []
"@"="" []
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-05 12:00]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=0 (0x0)
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 10:13]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
AutoRun\command- G:\LaunchU3.exe -a


**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-06 11:01:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-06 11:04:38 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-06 11:04
C:\ComboFix2.txt ... 2007-05-02 16:22

--- E O F ---






GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-06-06 12:27:43
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess

---- Kernel code sections - GMER 1.0.12 ----

? C:\WINNT\System32\DRIVERS\update.sys
? C:\WINNT\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified.

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE A6D35C8A
Device \FileSystem\Fastfat \Fat IRP_MJ_CLOSE A6D327C8
Device \FileSystem\Fastfat \Fat IRP_MJ_READ A6D2E60A
Device \FileSystem\Fastfat \Fat IRP_MJ_WRITE A6D2EAED
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION A6D39958
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION A6D3C821
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA A6D4538A
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_EA A6D44D49
Device \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS A6D3EBBE
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION A6D3F331
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION A6D4D4F4
Device \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL A6D35B37
Device \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL A6D31948
Device \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL A6D3B46B
Device \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN A6D4C79D
Device \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL A6D4BC4A
Device \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP A6D322FD
Device \FileSystem\Fastfat \Fat IRP_MJ_PNP A6D4C1DB
Device \FileSystem\Fastfat \Fat FastIoCheckIfPossible A6D471F9

---- EOF - GMER 1.0.12 ----




Thanks!

RC

#6 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • PipPipPipPipPip
  • 15,830 posts

Posted 06 June 2007 - 01:18 PM

Hi again,

Please go here:
http://virusscan.jotti.org/
and browse to, upload and scan this file:
C:\WINNT\system32\l34501.sys
Post the results here.

Next:

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found: Posted Image
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    Posted Image
    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
jedi
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#7 rcroft

rcroft

    Member

  • Full Member
  • Pip
  • 14 posts

Posted 06 June 2007 - 01:57 PM

Here's the jottiscsan... I'm prepping the rest as we speak...


Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1
File to upload & scan: Virus

Service
Service load:
0% 100%
File: l34501.sys
Status:
OK
MD5 0889da735da65d3a423c4e89cff98464
Packers detected:
-
Scanner results
Scan taken on 06 Jun 2007 18:41:08 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

Powered by
images/asquared.png images/antivir.png images/arcabit.png images/avast.png images/avg.gif images/bitdefender.png images/clamav-logo1.png images/drweb.gif images/f-prot.png images/f-secure_logo.gif images/fortinet.gif images/kaspersky.png images/nod32.gif images/norman.png images/panda.png images/rising.gif images/virusbuster.gif images/vba32.png
Disclaimer
This service is by no means 100% safe. If this scanner says 'OK', it does not necessarily mean the file is clean. There could be a whole new virus on the loose. NEVER EVER rely on one single product only, not even this service, even though it utilizes several products. Therefore, We cannot and will not be held responsible for any damage caused by results presented by this non-profit online service.

Also, we are aware of the implications of a setup like this. We are sure this whole thing is by no means scientifically correct, since this is a fully automated service (although manual correction is possible). We are aware, in spite of efforts to proactively counter these, false positives might occur, for example. We do not consider this a very big issue, so please do not e-mail us about it. This is a simple online scan service, not the university of Wichita.

Scanning can take a while, since several scanners are being used, plus the fact some scanners use very high levels of (time consuming) heuristics. Scanners used are Linux versions, differences with Windows scanners may or may not occur. Another note: some scanners will only report one virus when scanning archives with multiple pieces of malware.

Virus definitions are updated every hour. There is a 10Mb limit per file. Please refrain from uploading tons of hex-edited or repacked variants of the same sample.

Please do not ask for viruses uploaded here, unless you work for an anti-virus vendor. They are not for trade. This is a legitimate service, not a VX site. Viruses uploaded here will be distributed to antivirus vendors without exception. Read more about this in our privacy policy. If you do not want your files to be distributed, please do not send them at all.

Sponsored by donations (in random order) from: Stormbyte Technologies LLC, The ClamAV project, Steve S., Eric Johansen, Eric Schechter, Paul Bokel, Wilders Security, Wilfried Lilie, Prevx, SonicWALL, Lance Mueller, Ewido networks, HotelScraper.com, people who donated in the past, and some people who prefer to remain anonymous... many thanks to all!
Statistics
Last file scanned at least one scanner reported something about: koxp_1480_ko-le.rar (MD5: 2d87773d72655793388428268ff31900, size: 2409840 bytes), detected by:

Scanner Malware name
A-Squared X
AntiVir HEUR/Crypted
ArcaVir X
Avast X
AVG Antivirus X
BitDefender X
ClamAV X
Dr.Web X
F-Prot Antivirus X
F-Secure Anti-Virus X
Fortinet X
Kaspersky Anti-Virus X
NOD32 X
Norman Virus Control X
Panda Antivirus X
Rising Antivirus X
VirusBuster X
VBA32 X


You're free to (mis)interpret these automated, flawed statistics at your own discretion. For antivirus comparisons, visit AV comparatives
We are not affiliated with any third parties that conduct tests using this service.



Frequently asked questions - Feedback - Privacy policy

Debian

Page generated by JTPL

Copyright © 2004-2007 Jordi Bosveld <jotti@jotti.org>

#8 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • PipPipPipPipPip
  • 15,830 posts

Posted 06 June 2007 - 04:07 PM

Hi,

It came back clean, but I still want a closer look:

Please upload the file to me here:
http://www.bleepingc....php?channel=18

jedi
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#9 rcroft

rcroft

    Member

  • Full Member
  • Pip
  • 14 posts

Posted 06 June 2007 - 07:41 PM

Here's the Dr. Web Cureit report... I'll upload the other file next...

Process.exe;C:\Documents and Settings\ron\DESKTOP\smitRem;Tool.Prockill;Incurable.Moved.;
GTDownAO_106.ocx;C:\Program Files\Common Files\AolCoach\en_en;Adware.Gdown;Incurable.Moved.;
PluginManagerPlugin.dll;C:\Program Files\Liquid Audio\Liquid Plugins;Probably DLOADER.Trojan;Incurable.Moved.;
dlh9jkd1q2.exe.vir;C:\QooBox\Quarantine\C\WINNT\SYSTEM32;Trojan.Packed.113;Deleted.;
dlh9jkd1q6.exe.vir;C:\QooBox\Quarantine\C\WINNT\SYSTEM32;Trojan.Packed.113;Deleted.;
dlh9jkd1q7.exe.vir;C:\QooBox\Quarantine\C\WINNT\SYSTEM32;Trojan.Packed.113;Deleted.;
pdp.exe.exe.vir;C:\QooBox\Quarantine\C\WINNT\SYSTEM32;Trojan.Packed.113;Deleted.;
sony.exe.exe.vir;C:\QooBox\Quarantine\C\WINNT\SYSTEM32;Trojan.Packed.113;Deleted.;
wincom32.sys.vir;C:\QooBox\Quarantine\C\WINNT\SYSTEM32;Trojan.Packed.115;Deleted.;
A0081468.dll;C:\System Volume Information\_restore{50F0928E-FAC0-4680-8FA5-07889EDD2BE6}\RP580;Probably DLOADER.Trojan;Incurable.Moved.;
A0119196.exe;C:\System Volume Information\_restore{50F0928E-FAC0-4680-8FA5-07889EDD2BE6}\RP580;Trojan.Packed.112;Deleted.;
A0119205.exe;C:\System Volume Information\_restore{50F0928E-FAC0-4680-8FA5-07889EDD2BE6}\RP580;Trojan.Packed.113;Deleted.;
A0119206.exe;C:\System Volume Information\_restore{50F0928E-FAC0-4680-8FA5-07889EDD2BE6}\RP580;Trojan.DownLoader.21844;Deleted.;
A0119228.exe;C:\System Volume Information\_restore{50F0928E-FAC0-4680-8FA5-07889EDD2BE6}\RP580;Trojan.Packed.113;Deleted.;
A0119229.exe;C:\System Volume Information\_restore{50F0928E-FAC0-4680-8FA5-07889EDD2BE6}\RP580;Trojan.Packed.113;Deleted.;
A0119230.exe;C:\System Volume Information\_restore{50F0928E-FAC0-4680-8FA5-07889EDD2BE6}\RP580;Trojan.Packed.113;Deleted.;
A0119232.exe;C:\System Volume Information\_restore{50F0928E-FAC0-4680-8FA5-07889EDD2BE6}\RP580;Trojan.Packed.113;Deleted.;
A0119233.exe;C:\System Volume Information\_restore{50F0928E-FAC0-4680-8FA5-07889EDD2BE6}\RP580;Trojan.DownLoader.21844;Deleted.;
A0119234.exe;C:\System Volume Information\_restore{50F0928E-FAC0-4680-8FA5-07889EDD2BE6}\RP580;Trojan.DownLoader.21304;Deleted.;
A0119235.exe;C:\System Volume Information\_restore{50F0928E-FAC0-4680-8FA5-07889EDD2BE6}\RP580;Trojan.Packed.113;Deleted.;
A0119236.exe;C:\System Volume Information\_restore{50F0928E-FAC0-4680-8FA5-07889EDD2BE6}\RP580;Trojan.Packed.113;Deleted.;
A0119238.sys;C:\System Volume Information\_restore{50F0928E-FAC0-4680-8FA5-07889EDD2BE6}\RP580;Trojan.Packed.115;Deleted.;
A0123356.sys;C:\System Volume Information\_restore{50F0928E-FAC0-4680-8FA5-07889EDD2BE6}\RP580;Trojan.Packed.115;Deleted.;
A0127805.exe;C:\System Volume Information\_restore{50F0928E-FAC0-4680-8FA5-07889EDD2BE6}\RP580;Probably BACKDOOR.Trojan;Incurable.Moved.;
A0130636.exe;C:\System Volume Information\_restore{50F0928E-FAC0-4680-8FA5-07889EDD2BE6}\RP580;Trojan.DownLoader.21304;Deleted.;
A0141088.exe;C:\System Volume Information\_restore{50F0928E-FAC0-4680-8FA5-07889EDD2BE6}\RP580;Trojan.Packed.135;Deleted.;
A0142144.exe;C:\System Volume Information\_restore{50F0928E-FAC0-4680-8FA5-07889EDD2BE6}\RP580;Trojan.Packed.135;Deleted.;
A0142145.sys;C:\System Volume Information\_restore{50F0928E-FAC0-4680-8FA5-07889EDD2BE6}\RP580;BackDoor.Groan;Deleted.;
A0142252.exe;C:\System Volume Information\_restore{50F0928E-FAC0-4680-8FA5-07889EDD2BE6}\RP580;Trojan.Packed.135;Deleted.;
A0142281.exe;C:\System Volume Information\_restore{50F0928E-FAC0-4680-8FA5-07889EDD2BE6}\RP580;Probably BACKDOOR.Trojan;Incurable.Moved.;
A0143230.exe;C:\System Volume Information\_restore{50F0928E-FAC0-4680-8FA5-07889EDD2BE6}\RP580;Trojan.Spambot;Deleted.;
A0147235.exe;C:\System Volume Information\_restore{50F0928E-FAC0-4680-8FA5-07889EDD2BE6}\RP580;Trojan.Packed.112;Deleted.;
A0147239.exe;C:\System Volume Information\_restore{50F0928E-FAC0-4680-8FA5-07889EDD2BE6}\RP580;Tool.PassRevel;Incurable.Moved.;
alt.exe;C:\WINNT\SYSTEM32;Trojan.Packed.135;Deleted.;


That's the end of the log. I did try to go and turn system restore off after rebooting (post Dr.webcureit) and it it still disabled.

Thanks again,

RC

#10 rcroft

rcroft

    Member

  • Full Member
  • Pip
  • 14 posts

Posted 06 June 2007 - 07:48 PM

OK - file l34501.sys submitted.

thanks again -

RC

#11 rcroft

rcroft

    Member

  • Full Member
  • Pip
  • 14 posts

Posted 06 June 2007 - 09:54 PM

I took the liberty of running Drweb again after reboot into regular mode (not safe mode) -

It found a few more, that did not exist before, so whatever has my system seems to be shutting down my ability to change settings in system restore, and placing malicious files in system restore.

Here's the new DrWeb log -

A0152424.exe;C:\System Volume Information\_restore{50F0928E-FAC0-4680-8FA5-07889EDD2BE6}\RP580;Trojan.Packed.135;Deleted.;
A0152425.exe;C:\System Volume Information\_restore{50F0928E-FAC0-4680-8FA5-07889EDD2BE6}\RP580;Tool.Prockill;Incurable.Moved.;
A0152426.ocx;C:\System Volume Information\_restore{50F0928E-FAC0-4680-8FA5-07889EDD2BE6}\RP580;Adware.Gdown;Incurable.Moved.;
A0152427.dll;C:\System Volume Information\_restore{50F0928E-FAC0-4680-8FA5-07889EDD2BE6}\RP580;Probably DLOADER.Trojan;Incurable.Moved.;


Thanks again -

RC

#12 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • PipPipPipPipPip
  • 15,830 posts

Posted 07 June 2007 - 12:41 PM

Hi,

Those are BraveSentry entries, and harmless where they are, but let's double-check whether it still exists.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm

jedi
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#13 rcroft

rcroft

    Member

  • Full Member
  • Pip
  • 14 posts

Posted 07 June 2007 - 01:10 PM

Here's the log....

SmitFraudFix v2.192

Scan done at 14:05:45.49, Thu 06/07/2007
Run from C:\Documents and Settings\ron\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Portrait Displays\PerfectSuite\dtsslsrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Portrait Displays\PerfectSuite\DTSRVC.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wscntfy.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Common Files\AOL\1101231130\ee\AOLSoftware.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Portrait Displays\PerfectSuite\DTHtml.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\wuauclt.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\ron


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\ron\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ron\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible)
DNS Server Search Order: 65.32.2.130
DNS Server Search Order: 65.32.1.70

HKLM\SYSTEM\CCS\Services\Tcpip\..\{761A1D4A-EE9C-4DA6-A311-8A51E3A3DDEC}: NameServer=65.32.2.130,65.32.1.70
HKLM\SYSTEM\CCS\Services\Tcpip\..\{970D1E11-0D90-4E8E-B2E5-166309A8EA59}: NameServer=65.32.2.130,65.32.1.70
HKLM\SYSTEM\CS1\Services\Tcpip\..\{761A1D4A-EE9C-4DA6-A311-8A51E3A3DDEC}: NameServer=65.32.2.130,65.32.1.70
HKLM\SYSTEM\CS1\Services\Tcpip\..\{970D1E11-0D90-4E8E-B2E5-166309A8EA59}: NameServer=65.32.2.130,65.32.1.70
HKLM\SYSTEM\CS2\Services\Tcpip\..\{761A1D4A-EE9C-4DA6-A311-8A51E3A3DDEC}: NameServer=65.32.2.130,65.32.1.70
HKLM\SYSTEM\CS2\Services\Tcpip\..\{970D1E11-0D90-4E8E-B2E5-166309A8EA59}: NameServer=65.32.2.130,65.32.1.70


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End



Thanks again,

RC

#14 rcroft

rcroft

    Member

  • Full Member
  • Pip
  • 14 posts

Posted 07 June 2007 - 01:56 PM

Here's an updated HJT log - I tried to load windows defender, and it would not update the definitions, indicating an error. Otehr than that, the only other symptoms I'm aware of is my system restore tab creating an exception/fault when I hit the "System Restore" tab, and my windows firewall is shutdown on startup. I can activate it though, I just have to do it manually every time.

I got this message when I started HJT....

An unexpected error has occurred at procedure: modMain_CheckOther1Item()
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 7.0.5730.11
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.


<<<<<<<<<<<<<<HERE IS THE LOG>>>>>>>>>>>>>>>>>>>


Logfile of HijackThis v1.99.1
Scan saved at 2:50:15 PM, on 6/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Portrait Displays\PerfectSuite\dtsslsrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Portrait Displays\PerfectSuite\DTSRVC.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Common Files\AOL\1101231130\ee\AOLSoftware.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Portrait Displays\PerfectSuite\DTHtml.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1101231130\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe"
O4 - HKLM\..\Run: [DT Task] C:\Program Files\Portrait Displays\PerfectSuite\DTHtml.exe -startup_folder
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Startup: PunchClock Client.lnk = C:\Program Files\PunchClock Client2\PunchClock Client.exe
O4 - Startup: SpywareBlaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: HushEncryptionEngine - https://mailserver2....ptionEngine.cab
O16 - DPF: symsupportutil - https://www-secure.s...supportutil.CAB
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.a...83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1119896207295
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124211473233
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.c...es/PROFILER.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadbl...ivex/sabspx.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.a...,20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{761A1D4A-EE9C-4DA6-A311-8A51E3A3DDEC}: NameServer = 65.32.2.130,65.32.1.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{970D1E11-0D90-4E8E-B2E5-166309A8EA59}: NameServer = 65.32.2.130,65.32.1.70
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: Asset Management Daemon - Unknown owner - C:\Program Files\Portrait Displays\PerfectSuite\dtsslsrv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\SYSTEM32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Portrait Displays\PerfectSuite\DTSRVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Unknown owner - C:\PROGRA~1\NORTON~1\AdvTools\NPROTECT.EXE (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe



Thanks!

RC

Edited by rcroft, 07 June 2007 - 02:13 PM.


#15 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • PipPipPipPipPip
  • 15,830 posts

Posted 07 June 2007 - 04:16 PM

Hi again,

No sign of an active SmitFraud infection. Can you tell me, have you had Norton on your PC and removed it? The reason I ask is it uninstalls badly sometimes, and can cause some of the problems you're describing.

jedi
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#16 rcroft

rcroft

    Member

  • Full Member
  • Pip
  • 14 posts

Posted 07 June 2007 - 06:14 PM

Yes, but it was years ago.....


It's a pretty old system, rejuvenated with a faster processor and vid card.... all those changes were a while ago though - precessor upgrade was 2-3 years ago, and newest video card has been in for 4-5 months. All bad activity started after clicking a bad site.... about 1 mo ago. although... I never did try to change system resore settings prior to the infection.

How can I wipe a bad uninstall clean?

RC

#17 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • PipPipPipPipPip
  • 15,830 posts

Posted 08 June 2007 - 06:15 AM

Hi again,

Well, it can't do any harm to remove the leftovers, Norton is still running two services on your PC, which will slow it down.

To fully remove Norton AntiVirus, you should go here and download the files and print the instructions for removal, and follow them:
How to uninstall Norton AntiVirus 2004/2005/2006 (note: this removes ALL Norton 2004/2005/2006 products from your computer, and also uninstalls Norton Ghost 10.0/9.0/2003)
How to uninstall Norton AntiVirus 2003 or Norton AntiVirus 2003 Professional Edition
How to uninstall Norton AntiVirus 2000/2001/2002

Let me know if that improves performance, also post a new HiJackThis log.

jedi
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#18 rcroft

rcroft

    Member

  • Full Member
  • Pip
  • 14 posts

Posted 08 June 2007 - 11:18 AM

well, no joy on removing NAV.... I tried the uninstallers, and things are still screwy. Is there a way to manually disable the NAV processes/services or to get rid of it forever? (even better)

Thanks!

RC


Logfile of HijackThis v1.99.1
Scan saved at 12:16:10 PM, on 6/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\mom.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Portrait Displays\PerfectSuite\dtsslsrv.exe
C:\Program Files\Portrait Displays\PerfectSuite\DTSRVC.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Common Files\AOL\1101231130\ee\AOLSoftware.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Portrait Displays\PerfectSuite\DTHtml.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1101231130\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe"
O4 - HKLM\..\Run: [DT Task] C:\Program Files\Portrait Displays\PerfectSuite\DTHtml.exe -startup_folder
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Startup: PunchClock Client.lnk = C:\Program Files\PunchClock Client2\PunchClock Client.exe
O4 - Startup: SpywareBlaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: HushEncryptionEngine - https://mailserver2....ptionEngine.cab
O16 - DPF: symsupportutil - https://www-secure.s...supportutil.CAB
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.a...83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1119896207295
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124211473233
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.c...es/PROFILER.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadbl...ivex/sabspx.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.a...,20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{761A1D4A-EE9C-4DA6-A311-8A51E3A3DDEC}: NameServer = 65.32.2.130,65.32.1.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{970D1E11-0D90-4E8E-B2E5-166309A8EA59}: NameServer = 65.32.2.130,65.32.1.70
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Asset Management Daemon - Unknown owner - C:\Program Files\Portrait Displays\PerfectSuite\dtsslsrv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\SYSTEM32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Portrait Displays\PerfectSuite\DTSRVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Unknown owner - C:\PROGRA~1\NORTON~1\AdvTools\NPROTECT.EXE (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

#19 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • PipPipPipPipPip
  • 15,830 posts

Posted 09 June 2007 - 03:55 AM

Hi again

Ok, let's remove the services.

Go to Start > Run and type in Services.msc then click OK

Click the Extended tab.

Scroll down until you find Norton Unerase Protection

Click once on the service to highlight it.

Click Stop

Right-Click on the service.

Click on 'Properties'

Select the 'General' tab

Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box

From the drop-down menu, click on 'Disabled'

Click the 'Apply' tab, then click 'OK'

Please run HijackThis and click Config -> Misc Tools -> Delete an NT service. In the Delete window, type NProtectService and press OK. OK any prompts, close HijackThis, and restart your computer.

And again,

Go to Start > Run and type in Services.msc then click OK

Click the Extended tab.

Scroll down until you find SymWMI Service

Click once on the service to highlight it.

Click Stop

Right-Click on the service.

Click on 'Properties'

Select the 'General' tab

Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box

From the drop-down menu, click on 'Disabled'

Click the 'Apply' tab, then click 'OK'

Please run HijackThis and click Config -> Misc Tools -> Delete an NT service. In the Delete window, type SymWSC and press OK. OK any prompts, close HijackThis, and restart your computer.

Do Start > Run and type in chkdsk and hit OK. A DOS window will open and close when it has finished.

Then please post a fresh HiJackThis log, and let me know how the PC is running.

jedi
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#20 rcroft

rcroft

    Member

  • Full Member
  • Pip
  • 14 posts

Posted 13 June 2007 - 12:41 PM

I did everything as directed, still no control over system restore and Windows Defender will not update.

Here's the log. as always, thanks a bajillion for your help!

Logfile of HijackThis v1.99.1
Scan saved at 1:37:50 PM, on 6/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Portrait Displays\PerfectSuite\dtsslsrv.exe
C:\Program Files\Portrait Displays\PerfectSuite\DTSRVC.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Common Files\AOL\1101231130\ee\AOLSoftware.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Portrait Displays\PerfectSuite\DTHtml.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\PunchClock Client2\PunchClock Client.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\WINNT\system32\HPZipm12.exe
C:\Prevail\Prevail.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\America Online 9.0\shellmon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1101231130\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe"
O4 - HKLM\..\Run: [DT Task] C:\Program Files\Portrait Displays\PerfectSuite\DTHtml.exe -startup_folder
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Startup: PunchClock Client.lnk = C:\Program Files\PunchClock Client2\PunchClock Client.exe
O4 - Startup: SpywareBlaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: HushEncryptionEngine - https://mailserver2....ptionEngine.cab
O16 - DPF: symsupportutil - https://www-secure.s...supportutil.CAB
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.a...83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1119896207295
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124211473233
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.c...es/PROFILER.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadbl...ivex/sabspx.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.a...,20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{761A1D4A-EE9C-4DA6-A311-8A51E3A3DDEC}: NameServer = 65.32.2.130,65.32.1.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{970D1E11-0D90-4E8E-B2E5-166309A8EA59}: NameServer = 65.32.2.130,65.32.1.70
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Asset Management Daemon - Unknown owner - C:\Program Files\Portrait Displays\PerfectSuite\dtsslsrv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\SYSTEM32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Portrait Displays\PerfectSuite\DTSRVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

#21 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • PipPipPipPipPip
  • 15,830 posts

Posted 13 June 2007 - 01:36 PM

Hi,

Well at least the Norton leftovers are gone. Ok, what exactly is happening with System Restore? Can you not open it at all?
If not, try Start > Run and type in msconfig and hit OK. From the System Configuration Utility, try the Launch System Restore tab.

Give me a full description of what's happening.

As for Windows Defender, I don't use it myself, but Googling 'Windows Defender will not update' gets a lot of hits. It looks like a common problem. Possibly an uninstall and reinstall would help. I'll try to find some more info.

jedi
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#22 rcroft

rcroft

    Member

  • Full Member
  • Pip
  • 14 posts

Posted 14 June 2007 - 02:19 PM

Whenever I click the "system restore" tab I get an exception - "My Computer" to "properties" reveals the "System Properties" tabbed selector.... "System Restore" is one of those tabs. whn I click on THAT tab, I get a warning - now it says "run DLL as an app has encountered a problem and needs to close"

When I ask for details on the error, I get "AppName rundll32.exe; AppVer: 5.1.2600.2180; ModName: srrstr.dll; ModVer 5.1.2600.2180; Offset 000099b2

The technical info re: the error reveals the following:

Exception information
Code 0xc0000005 Flags 0x00000000
Record: 0x0000000000000000 Address 0x000000005c0299b2

and quite a bit more info.

After I cleared that, I got a DrWatson postmortum debugger - event type BEX with quite a bit more info.

Please note that the above is only after trying your suggestion of going through the run command msconfig, being unsuccessful, and then trying agains through the "my Computer" "Properties".


RE: Windows Defender - I saw where some guys were having a problem if they utilized some type of firewall. I did have sysgate on here a LONG time ago (pre WinXP) and I wonder if any vestiges of it are left over??

RC

#23 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • PipPipPipPipPip
  • 15,830 posts

Posted 15 June 2007 - 03:48 AM

Ok,

Make sure you're logged in as Administrator. Then do this:

1. Click Start | Control Panel | Administrative Tools | Services.
2. Right-click System Restore Service and click Properties.
3. From the Startup Type drop-down, select Disabled.
4. Click OK.
5. Close the Services and Administrative Tools windows.
6. Right-click My Computer, click Properties, and click the System Restore tab. The System Restore tab should now display properly; however, the System Restore service will be disabled.
7. Enable System Restore and click Apply.

Let me know how it goes.

sysgate on here a LONG time ago (pre WinXP) and I wonder if any vestiges of it are left over


Not that I can see, no. Can you find the version number for Defender, and let me know which version it is.

jedi
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#24 rcroft

rcroft

    Member

  • Full Member
  • Pip
  • 14 posts

Posted 19 June 2007 - 06:02 AM

Well, I did as instructed, and found that system restore was set to automatic, and the service was stopped. I set it to disabled, and rerbooted. I am now able to get the system restore TAB open.... but cannot change the size of the hard drive allocated to system restore, and I'm not able to shut it off in the checkbox found in the system restore tab.

I did go back into services and tried several things including activating it, starting it manually, disabling it again, etc.

I do get a warning message from windows when I try to modify system restore in under the system restore tab..... it identified the c drive..... but tells me it cannot release the drive and suggests that I shut the computer down. I tried that too, but it does not seem to make any difference.

Still no joy on windows defender either. In my research, it seems that some firewall services block it. I modified the settings in windows firewall to allow it through, but it did not help either.


I thank you for your help. My computer is acting normally in all ways other than the above, and that would not have happened but for your help. I'll be authorizing a 50$ paypal transfer ASAP, and fell guilty in that the benefit I have received exceeds that amount greatly.

Thanks again,

RC

#25 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • PipPipPipPipPip
  • 15,830 posts

Posted 19 June 2007 - 12:44 PM

Hi again,

Thank you very much for your generousity. I don't feel I've entirely earned it, as I haven't managed to resolve all your problems, but thanks anyway. :)
As far as Defender is concerned, Avast is an infinately superior program, and if you are running it you're more than adequately protected without Defender updating, it may help to install a fresh version of it though.
As for System Restore, are you able to use it?

There are a couple of things you can do to try to repair system files that may be damaged.

Do Start > Run and type in chkdsk /f (Note: there is a space between k and /) and hit OK.

If the message says it cannot lock the volume type y and restart.

Also:

If you have a Windows install disk you could try running the system file checker to replace any damaged Windows files:

Please go to Start -> Run -> cmd and press Enter. At the command prompt type
sfc /scannow, making sure to put a space between the "c" and the slash, and then press Enter. This will run the System File Checker. Follow the prompts, and insert your Windows installation CD if requested. Then please restart your computer.

jedi
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#26 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • PipPipPipPipPip
  • 15,830 posts

Posted 21 June 2007 - 11:06 AM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button