yahoo jukebox and svchost.exe...??


This topic is locked
17 replies to this topic

#1 p_a_t_t_y_k_i_n_s (Full Member, 31 posts)

Posted 02 November 2007 - 01:20 PM

I just updated my yahoo jukebox and I'm using Comodo firewall and it pops up saying 1 of (it works its way up to around 10)...all different IP's and they are all svchost.exe 'parents'...and it usually says something about the system tray part...

lol and the first time I 'allowed' the notice and random songs started getting added to my playlist

so that's why I think I might have a problem with these notifications...I keep denying them but a few minutes later they pop up again...

am I infected??...and every so often I get a cannot display this page type of msg when trying to access the net...?..and it's been a lil slower than usual

any ideas???

Yes, review the forum FAQ and then post your HijackThis log here in your original topic.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:52:33 PM, on 11/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TrojanHunter 4.7\THGuard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/corporate
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.7\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by132fd.bay13...es/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://hgtv.view22.c...p/view22rte.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by132fd.bay13...ex/HMAtchmt.ocx
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 9643 bytes

(the AVG scan didn't find anything wrong)

Edited by p_a_t_t_y_k_i_n_s, 02 November 2007 - 08:55 PM.
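As an added example (not from this thread and not part of HijackThis itself), a small Python parser for the HijackThis v2 log format posted above: it splits each line into its section code, pulls out the binary path or download URL the entry points at, and flags the things a helper reads a log for first. The sample lines are copied from the log in this post; the flag names are my own.

```python
"""Minimal parser for the HijackThis v2 log format seen in this thread.

Each line is "<section> - <body>" (R0, O2, O4, O16, O23, ...). The parser
extracts the binary or URL behind the entry and flags: services whose
binary is missing, services with no vendor ('Unknown owner'), BHOs with
no display name, 8.3-shortened paths and URLs the forum truncated.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe (file missing)
"""

# "O23 - Service: ..." -> section "O23", body "Service: ..."
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# First Windows path ending in a binary extension; non-greedy so unquoted
# paths containing spaces ("C:\Program Files\...") are captured whole.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys|ocx|bat|cmd|scr)\b", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)


@dataclass
class Entry:
    section: str
    body: str
    target: str = ""            # binary path or download URL the entry points at
    flags: list = field(default_factory=list)


def parse_line(line: str):
    """Parse one log line; returns None for blank or non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = Entry(m["section"], m["body"])
    path = PATH_RE.search(e.body)
    url = URL_RE.search(e.body)
    if path:
        e.target = path.group(0)
    elif url:
        e.target = url.group(0)

    # Flag names below are this example's own, not HijackThis terminology.
    if e.section == "O23":
        if e.body.endswith("(file missing)"):
            e.flags.append("file_missing")    # orphaned service, binary gone
        if " - Unknown owner - " in e.body:
            e.flags.append("unknown_owner")   # no vendor in version info
    if e.section == "O2" and e.body.startswith("BHO: (no name)"):
        e.flags.append("no_name")             # BHO with no display name
    if e.section == "O16" and "..." in e.target:
        e.flags.append("truncated_url")       # forum shortened the URL
    if "~" in e.target:
        e.flags.append("short_path")          # 8.3 name hides the real folder
    return e


def parse_hijackthis(text: str) -> list:
    """Parse a whole log into Entry objects, skipping lines that are not entries."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def triage(entries) -> dict:
    """Group flagged targets by flag so a reviewer sees them first."""
    out = {}
    for e in entries:
        for f in e.flags:
            out.setdefault(f, []).append(e.target)
    return out


if __name__ == "__main__":
    for flag, targets in triage(parse_hijackthis(SAMPLE_LOG)).items():
        print(flag, targets)
```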


#2 SWI Support Robot (SWI Bot, 23,533 posts)

Posted 05 November 2007 - 05:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 Indrid_Cold (Global Moderator, 7,081 posts)

Posted 07 November 2007 - 06:39 PM

Please do not clutter the topic Not getting help with your log? with duplicate posts. One post is sufficient so I have deleted the duplicate.

Hope is not a method.



#4 jedi (Retired Staff, 15,830 posts)

Posted 09 November 2007 - 01:04 PM

Hi,

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the next icon next to the files found.
  • If so, click it and then click the next icon right below and select Move incurable.
    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this is in case we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
Next:

1. Download this file -
ComboFix
2. Double click ComboFix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall

jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#5 p_a_t_t_y_k_i_n_s (Full Member, 31 posts)

Posted 09 November 2007 - 08:12 PM

ok so I tried downloading the CureIt program from the link...no luck, took an impossibly long time for nothing to happen. I downloaded it from download.com but when I tried to start the program it said it hadn't been updated in 360 days and needed to be updated, it opened up a browser page but nothing ever appears on it, no sign of any update or anything actually happening...even going onto the dr.web site I can't download the program...

is the update crucial or can I go ahead without it???

thanks

#6 jedi (Retired Staff, 15,830 posts)

Posted 10 November 2007 - 06:53 AM

Hi again,

CureIt is a standalone tool and doesn't update, so I think you've ended up with an old version.
Run it if you can, if not just move on to Combofix.

jedi

#7 p_a_t_t_y_k_i_n_s (Full Member, 31 posts)

Posted 10 November 2007 - 08:34 AM

the CureIt program was still giving me issues so I went ahead with ComboFix...

ComboFix 07-11-08.3 - Patricia 2007-11-10 9:28:52.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.89 [GMT -5:00]
Running from: C:\Documents and Settings\Patricia\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-10-10 to 2007-11-10 )))))))))))))))))))))))))))))))
.

2007-11-03 08:31 1,891 --a------ C:\WINDOWS\mozver.dat
2007-11-03 07:40 0 --a------ C:\WINDOWS\nsreg.dat
2007-11-02 21:52 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-02 20:07 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-11-02 13:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2007-11-02 13:22 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-10-29 13:58 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2007-10-12 20:18 <DIR> d-------- C:\Documents and Settings\Patricia\Application Data\PlayFirst
2007-10-12 20:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-10 02:33 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-09 23:08 --------- d-----w C:\Documents and Settings\Patricia\Application Data\Azureus
2007-11-09 21:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-11-07 13:11 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-07 13:11 --------- d-----w C:\Program Files\MSN Games
2007-11-06 20:19 12,264 ----a-w C:\Documents and Settings\Patricia\Application Data\wklnhst.dat
2007-11-02 20:31 --------- d-----w C:\Program Files\TrojanHunter 4.7
2007-11-02 20:29 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-31 16:38 --------- d-----w C:\Documents and Settings\Patricia\Application Data\AdobeUM
2007-09-28 13:21 3,532 ----a-w C:\drmHeader.bin
2007-09-25 12:19 --------- d-----w C:\Documents and Settings\Patricia\Application Data\AVG7
2007-09-23 13:14 --------- d-----w C:\Documents and Settings\Patricia\Application Data\Apple Computer
2007-09-22 01:33 --------- d-----w C:\Program Files\WiFiConnector
2007-09-14 17:19 --------- d-----w C:\Program Files\View22
2007-09-12 20:15 --------- d-----w C:\Program Files\QuickTime
2007-09-12 20:15 --------- d-----w C:\Program Files\iTunes
2007-09-12 20:15 --------- d-----w C:\Program Files\iPod
2007-09-12 20:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-09-12 20:14 --------- d-----w C:\Program Files\Apple Software Update
2007-09-12 20:13 --------- d-----w C:\Program Files\Common Files\Apple
2007-09-12 20:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-02-02 16:16 447 ----a-w C:\Program Files\INSTALL.LOG
2003-01-31 16:08 65,536 ------w C:\WINDOWS\inf\setup\bcr.exe
2003-01-31 16:08 50,934 ------w C:\WINDOWS\inf\ssdsl3x\drivers\vvpciusb.sys
2003-01-31 16:08 50,911 ------w C:\WINDOWS\inf\ssdsl3x\drivers\vvbususb.sys
2003-01-31 16:08 49,296 ------w C:\WINDOWS\inf\setup\efnt16.dll
2003-01-31 16:08 49,152 ------w C:\WINDOWS\inf\enclss32.dll
2003-01-31 16:08 32,768 ------w C:\WINDOWS\inf\setup\efnt32.dll
2003-01-31 16:08 3,690,496 ------w C:\WINDOWS\inf\setup.exe
2003-01-31 16:08 28,005 ------w C:\WINDOWS\inf\ssdsl3x\drivers\enethusb.sys
2003-01-31 16:08 241,664 ------w C:\WINDOWS\inf\setup\bohica.dll
2003-01-31 16:08 23,560 ------w C:\WINDOWS\inf\enclss16.dll
2003-01-31 16:08 163,840 ------w C:\WINDOWS\inf\setup\enisnmp.dll
2003-01-31 16:08 163,840 ------w C:\WINDOWS\inf\setup\efntsw.dll
2003-01-31 16:08 159,744 ------w C:\WINDOWS\inf\setup\l2xpdrv.dll
2003-01-31 16:08 159,744 ------w C:\WINDOWS\inf\setup\csshim.dll
2003-01-31 16:08 155,648 ------w C:\WINDOWS\inf\setup\prox.dll
2003-01-31 16:08 155,648 ------w C:\WINDOWS\inf\setup\efntos2k.dll
2003-01-31 16:08 155,648 ------w C:\WINDOWS\inf\setup\ClearMB.exe
2003-01-31 16:08 15,332 ------w C:\WINDOWS\inf\ssdsl3x\drivers\vvbeth.sys
2003-01-31 16:08 15,309 ------w C:\WINDOWS\inf\ssdsl3x\drivers\vvbetht.sys
2003-01-31 16:08 147,456 ------w C:\WINDOWS\inf\setup\efntos9x.dll
2003-01-31 16:08 139,264 ------w C:\WINDOWS\inf\setup\enicommon.dll
2003-01-31 16:08 135,168 ------w C:\WINDOWS\inf\setup\EnCmnSvr.exe
2003-01-31 16:08 122,880 ------w C:\WINDOWS\inf\setup\efntos.dll
2003-01-31 16:08 122,880 ------w C:\WINDOWS\inf\setup\efntnio.dll
2003-01-31 16:08 118,784 ------w C:\WINDOWS\inf\setup\defdel.exe
2002-06-04 09:06 65,536 ------w C:\WINDOWS\inf\copyinf.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 14:42]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 21:05]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 20:15]
"Motive SmartBridge"="C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe" [2004-10-22 15:13]
"StandardInstall"="" []
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 15:07]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]
"HPHUPD05"="C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe" [2004-03-31 23:34]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2003-12-05 15:41]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-23 07:43]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-07-06 11:29]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 15:55]
"THGuard"="C:\Program Files\TrojanHunter 4.7\THGuard.exe" [2007-06-22 23:19]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-01-15 16:14]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Symantec NetDriver Warning"=C:\PROGRA~1\SYMNET~1\SNDWarn.exe
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-04 00:12:18]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]
NetAssistant.lnk - C:\Program Files\NetAssistant\bin\matcli.exe [2007-02-02 11:30:35]
Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - C:\Program Files\WiFiConnector\NintendoWFCReg.exe [2007-09-21 20:33:02]
ymetray.lnk - C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2007-10-03 12:56:10]

S2 AdobeActiveFileMonitor;Adobe Active File Monitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
S2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
S3 XDva002;XDva002;\??\C:\WINDOWS\system32\XDva002.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-10 12:08:16 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-11-05 18:33:33 C:\WINDOWS\Tasks\dfrg.job"
- C:\WINDOWS\system32\dfrg.msc
"2007-11-10 14:08:11 C:\WINDOWS\Tasks\Disk Cleanup.job"
"2007-11-10 02:17:02 C:\WINDOWS\Tasks\HP Usg Daily.job"
- C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-10 09:31:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-10 9:32:56
C:\ComboFix-quarantined-files.txt ... 2007-07-05 15:45
C:\ComboFix2.txt ... 2007-07-05 15:46
.
--- E O F ---

#8 jedi (Retired Staff, 15,830 posts)

Posted 10 November 2007 - 01:48 PM

Hi again,

Well, I can't see anything sinister, but let's run another scan to be on the safe side:

Please navigate (using Internet Explorer, other browsers won't work) to the following site: http://support.f-sec.../home/ols.shtml

Scroll to the bottom of the page, and click Start Scan.

When prompted, choose to install the software. After the software has installed, click Accept. Click Custom Scan and check the option for Scan inside archives, then click Start. The necessary databases will then be downloaded, and the scan will then start automatically.

Please be patient as this scan will take a while to complete. If any infections are found then once the scan has finished, the "cleaning" screen will be displayed.

Choose Automatic cleaning (recommended). After cleaning has finished, the Finish screen will be displayed.

Choose Show Report. In order to post the report, press CTRL+A on your keyboard to highlight all the text.

Then copy and paste that information into this thread.

jedi

#9 p_a_t_t_y_k_i_n_s (Full Member, 31 posts)

Posted 11 November 2007 - 09:09 AM

I tried doing the scan a few times and it does the scan but never moves on to the next step, the page displays a 'this page cannot be displayed' type message...but I did notice when it was scanning that it found 84 'spyware' the last time I checked the progress...

#10 jedi (Retired Staff, 15,830 posts)

Posted 11 November 2007 - 12:02 PM

OK, see if you have more luck with this one:

Please do the following:
Run a BitDefender Online scan Here and post the results.

jedi

#11 p_a_t_t_y_k_i_n_s (Full Member, 31 posts)

Posted 11 November 2007 - 09:00 PM

BitDefender Online Scanner

Scan report generated at: Sun, Nov 11, 2007 - 18:35:26
Scan path: C:\;D:\;E:\;

Statistics
  Time: 00:44:33
  Files: 173392
  Folders: 6556
  Boot Sectors: 2
  Archives: 1700
  Packed Files: 6202

Results
  Identified Viruses: 1
  Infected Files: 1
  Suspect Files: 0
  Warnings: 0
  Disinfected: 0
  Deleted Files: 1

Engines Info
  Virus Definitions: 866825
  Engine build: AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)
  Scan plugins: 14
  Archive plugins: 38
  Unpack plugins: 7
  E-mail plugins: 6
  System plugins: 1

Scan Settings
  First Action: Disinfect
  Second Action: Delete
  Heuristics: Yes
  Enable Warnings: Yes
  Scanned Extensions: *;
  Exclude Extensions:
  Scan Emails: Yes
  Scan Archives: Yes
  Scan Packed: Yes
  Scan Files: Yes
  Scan Boot: Yes

Scanned File - Status
  C:\System Volume Information\_restore{0DAEC77B-4766-4037-AE16-4845F01AFE20}\RP260\A0031146.exe=>(RAR Sfx o)=>CFCleanUp.bat - Infected with: Trojan.Bat.Sdel.AC
  C:\System Volume Information\_restore{0DAEC77B-4766-4037-AE16-4845F01AFE20}\RP260\A0031146.exe=>(RAR Sfx o)=>CFCleanUp.bat - Disinfection failed
  C:\System Volume Information\_restore{0DAEC77B-4766-4037-AE16-4845F01AFE20}\RP260\A0031146.exe=>(RAR Sfx o)=>CFCleanUp.bat - Deleted
  C:\System Volume Information\_restore{0DAEC77B-4766-4037-AE16-4845F01AFE20}\RP260\A0031146.exe=>(RAR Sfx o) - Update failed

#12 jedi (Retired Staff, 15,830 posts)

Posted 12 November 2007 - 06:15 AM

Hi again,

OK, nothing to worry about there either, let's have a general cleanup and see if that improves matters:

Download: CCleaner (freeware)
http://www.majorgeek...wnload4191.html
Run the installer, and uncheck the option to install Yahoo toolbar (unless you want Yahoo toolbar).
Once installed, run CCleaner click the Windows [tab]
The following should be selected by default, if not, please select:
Next: click Options click the Settings tab
Uncheck: "Only delete files older than 48 hrs.", click Ok
Then click Run Cleaner (bottom right) then Exit

Next:

Do Start > My Computer.
Right-Click on Local Disk C.
Click Properties > Tools.
Under 'Error-Checking' click 'Check Now'.
Under 'Check Local Disk C’ check both boxes and click 'Start'. You will be prompted to restart. Do so. You will get a blue screen on restart, be patient, the error-check takes time, your PC will start normally when it is complete.

Next:

Do Start > My Computer.
Right-Click on Local Disk C.
Click Properties > Tools.
Click on 'Defragment now' and follow the prompts to defragment your disk.

Let me know if this improves matters.

jedi

#13 p_a_t_t_y_k_i_n_s (Full Member, 31 posts)

Posted 13 November 2007 - 09:12 AM

it seems to have gotten rid of the jukebox problem...but some websites are painfully slow to load..any ideas?? I use Firefox and IE

UPDATE: ok I guess I was wrong..still getting the svchost.exe warnings from comodo when jukebox is running..just a bit less frequent....aaaaaahhhhhhhh

Edited by p_a_t_t_y_k_i_n_s, 13 November 2007 - 09:18 AM.


#14 jedi (Retired Staff, 15,830 posts)

Posted 13 November 2007 - 10:16 AM

Hi again,

Can you get me the exact error notice or alert that you're getting please?

jedi

#15 p_a_t_t_y_k_i_n_s (Full Member, 31 posts)

Posted 13 November 2007 - 12:15 PM

something usually along the lines of

YMJ Imported music identifier is trying to connect to the internet. what would you like to do ?

Application: ymusicid.exe
Remote: IP: (there are a bunch of different ones I keep seeing)
Parent: svchost.exe

C:\Program Files\Yahoo!\Yahoo! Music Jukebox\Yahoo!MusicEngine.exe has tried to use ymusicid.exe through OLE Automation

.....and the few times I 'allowed' the message (before I noticed something odd) random songs would add themselves to my playlist multiple times ...thus annoying the crap out of me lol

#17 jedi (Retired Staff, 15,830 posts)

Posted 13 November 2007 - 04:21 PM

Hi again,

YMJ Imported music identifier is part of Yahoo Music Jukebox, but its task is supposedly to identify newly added or as yet unidentified tracks in your library. It's not supposed to add to them as far as I can tell. I don't use Yahoo Music Jukebox myself so I don't know if there's an option to disable it, but I did find this, from Yahoo Music Blog:

YMJ does have some community playlist features available now. If you want to make a playlist public to the whole YMJ community, go to one of your playlists and select ‘make it public’ in the upper-right hand corner.

You can also select ‘Playlists’ in the search drop-down to find other people’s playlists by artist/song content, username of the playlist creator or keyword (like ‘dance’, ‘workout’ or ‘party’).


So I wonder if the adding of tracks is something to do with one of those settings. But I note another comment:

I think that the performance has gotten worse in 2.0.1.037
YMJ Imported music identifier &
Yahoo! AV Media Server
Are still spinning out of control and consuming 1 full processor a piece.

so you're not the only one getting bugs.
My advice is to have a play around with the settings, and see if you can either disable the Imported music identifier or stop it from searching out and adding tracks, or it may be simpler just to create a rule for your firewall to permanently deny it access to the internet.
It's not Spyware anyway, and as far as I can make out it's more an annoying feature of YMJ than a serious problem, however, it may well be the cause of the internet slowdown, if it's active when you're on line.
If you can't work out the settings you need, it might be worth asking here:
http://mb.music.yaho...mus-ymefeedback

jedi

#18 jedi (Retired Staff, 15,830 posts)

Posted 08 December 2007 - 05:40 AM

Since the issue appears to be resolved this Topic is closed.

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
jedi
