TheTechGuide Forum
General Category => Tech Clinic => Topic started by: berencam on October 21, 2006, 03:52:55 AM
-
My Live Messenger stopped working lol. I haven't installed anything recently, it just stopped working. I uninstalled and reinstalled almost all of the Windows updates (SP2, hotfixes, .NET Framework etc.). My regular Windows MSN works, just not the Live version. Any ideas?
HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 3:48:33 AM, on 10/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\System32\drivers\crauto.exe
C:\WINDOWS\System32\drivers\IMountSRV.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\wltray.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM\AIM Pro\aimpro.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ePlus48U\ScanPanel\ScnPanel.exe
C:\PROGRA~1\SHORTK~1\shklite.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\SwiftSwitch\SwiftSwitch.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\calc.exe
C:\Documents and Settings\user\Desktop\hijackthis.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Program Files\RXToolBar\sfcont.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\System32\wltray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~1\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Encrypted Disk Auto Mount] rundll32.exe edshell.dll,MountAll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CommServ] C:\WINDOWS\system32\XPAud\csrss.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AIMPro] "C:\Program Files\AIM\AIM Pro\aimpro.exe"
O4 - HKLM\..\Run: [] C:\WINDOWS\system32\XPAud\
O4 - HKLM\..\RunServices: [MSN service] msnmgr16.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ScanPanel.lnk = C:\Program Files\ePlus48U\ScanPanel\ScnPanel.exe
O4 - Global Startup: ShortKeys Lite.lnk = ?
O8 - Extra context menu item: Convert for CLIE - C:\Program Files\Sony\Image Converter\menu.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157094774263
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: crauto - Unknown owner - C:\WINDOWS\System32\drivers\crauto.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMountSRV - Unknown owner - C:\WINDOWS\System32\drivers\IMountSRV.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: PMounter - Unknown owner - C:\Paragon HDM\Ext2\PMounter.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
-
Can I have you scan a couple files for me please
I know one is bad, I'm sure the other is too, but can you scan them please
Go to either of these links
http://virusscan.jotti.org/
OR
http://www.virustotal.com/flash/index_en.html
Use the Browse button and navigate to the file on your hard drive if you can find it
C:\WINDOWS\system32\XPAud\csrss.exe <-this file
Right click on the file and choose Select
Then use the Submit button
Let it finish scanning
Could you post the results of the scan back here please
Can you do the same with this file too please
C:\WINDOWS\system32\msnmgr16.exe
After you have done that, can you also do the following
Create a .bat file for me please
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
Change the Save as Type to All Files.
Name the file as find.bat
Save this file on the desktop
@echo off
cd C:\Windows\System32\XPAud
dir /s /a > C:\find.txt
notepad C:\find.txt
del /q C:\find.txt
Double click on find.bat
A text file should open, copy>>paste back here the contents please
After the above is done
Can you also
Download this file - Combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe) and save it to your desktop
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Post the log from combofix please
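The two files the helper picks out of the log above are exactly the ones a few mechanical checks would flag: a core Windows binary name (csrss.exe) loading from a subfolder instead of system32, a RunServices entry that names a bare file, a nameless autorun, browser hooks whose file is gone, and a MIME filter on text/html. The script below, an added example that is not part of the thread or of HijackThis, encodes those checks and runs them over lines copied from the posted log; the reason strings, regexes and allow-lists are my own choices, not HijackThis rules.

```python
"""Triage heuristics for HijackThis log lines.

Added example, not from the thread or from HijackThis. The sample lines are
copied from the log posted above; the checks encode what a helper looks for."""
import re

# Binaries that belong in the Windows system directory; the same name loading
# from anywhere else (here system32\XPAud\csrss.exe) is a classic disguise.
CORE_WINDOWS_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                         "lsass.exe", "svchost.exe", "spoolsv.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\system"}
# Loaders legitimately written without a path (resolved through PATH).
ALLOWED_BARE = {"rundll32", "rundll32.exe"}

EMPTY_NAME = "autorun entry has an empty name"
BARE_FILE = "autorun names a bare file instead of a full path"
CORE_OUTSIDE = "core Windows binary name loading from outside the system directory"
ORPHAN = "hook points at a file that is no longer present"
HTML_FILTER = "MIME filter on text/html intercepts every page the browser renders"

# O4 - HKLM\..\Run: [name] "C:\path\file.exe" -args
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O2/O3/O18/R3 - description - {CLSID} - path
OX_RE = re.compile(r"^(?P<type>[OR]\d+) - (?P<desc>.+?) - \{[^}]+\} - (?P<path>.*)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")


def command_image(cmd):
    """Executable path from an autorun command line (quoted, or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def check_image(image):
    """Reasons that apply to one executable path, or [] if it looks normal."""
    reasons = []
    directory, _, base = image.strip().rpartition("\\")
    base = base.lower()
    if not directory and base.endswith(".exe") and base not in ALLOWED_BARE:
        reasons.append(BARE_FILE)
    if base in CORE_WINDOWS_BINARIES and directory.lower() not in SYSTEM_DIRS:
        reasons.append(CORE_OUTSIDE)
    return reasons


def triage_line(line):
    """Return a list of (reason, line) findings for one HijackThis line."""
    findings = []
    m = O4_RE.match(line)
    if m:
        if not m.group("name"):
            findings.append((EMPTY_NAME, line))
        for reason in check_image(command_image(m.group("cmd"))):
            findings.append((reason, line))
        return findings
    m = OX_RE.match(line)
    if m:
        path = m.group("path").strip()
        if path.endswith("(no file)") or path.endswith("(file missing)"):
            findings.append((ORPHAN, line))
        if m.group("desc").lower().startswith("filter: text/html"):
            findings.append((HTML_FILTER, line))
        return findings
    if PATH_RE.match(line):  # a line from the "Running processes" section
        for reason in check_image(line):
            findings.append((reason, line))
    return findings


def triage_log(text):
    """Run triage_line over every non-empty line of a log."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            findings.extend(triage_line(line))
    return findings


# Sample lines copied from the log posted in the thread.
SAMPLE_LOG = r"""
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Program Files\RXToolBar\sfcont.dll (file missing)
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Encrypted Disk Auto Mount] rundll32.exe edshell.dll,MountAll
O4 - HKLM\..\Run: [CommServ] C:\WINDOWS\system32\XPAud\csrss.exe
O4 - HKLM\..\Run: [] C:\WINDOWS\system32\XPAud\
O4 - HKLM\..\RunServices: [MSN service] msnmgr16.exe
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll
"""

if __name__ == "__main__":
    for reason, line in triage_log(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Running it on the full log prints the same two files the helper asked to have scanned, plus the orphaned RXToolBar and Yahoo! entries that the later fix.reg cleans up.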
-
kk, I'll do all of that, I'm going to work now though, so I'll be back in 10 hours.
-
I'll see ya later then, have fun at work
-
1. csrss.exe virus scan results
File: csrss.exe
Status: INFECTED/MALWARE
MD5 a74f6db979bbd2084eedcc9d350c1cbb
Packers detected: -
Scanner results
AntiVir Found SecurityPrivacyRisk/WinSpy.88.16 riskware
ArcaVir Found nothing
Avast Found Win32:WinSpy-Q
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found BackDoor.Generic.1198
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found not-a-virus:Monitor.Win32.WinSpy.88
NOD32 Found probably unknown NewHeur_PE (probable variant)
Norman Virus Control Found nothing
VirusBuster Found nothing
VBA32 Found nothing
2. msnmgr16.exe: I could not find that file, I did a search for it and did not find it =[
3. results from the find.bat file
Volume in drive C has no label.
Volume Serial Number is DC65-31F1
Directory of C:\WINDOWS\system32\XPAud
10/21/2006 02:16 PM <DIR> .
10/21/2006 02:16 PM <DIR> ..
09/07/2006 02:03 PM 4,459,520 csrss.exe
1 File(s) 4,459,520 bytes
Total Files Listed:
1 File(s) 4,459,520 bytes
2 Dir(s) 21,542,416,384 bytes free
4. combofix log
user - 06-10-22 1:18:39.58 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Program Files\Mozilla Firefox"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\cmd.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\tracert.com
C:\Program Files\winupdates
((((((((((((((((((((((((((((((( Files Created from 2006-09-22 to 2006-10-22 ))))))))))))))))))))))))))))))))))
2006-10-19 03:55 262,784 --------- C:\WINDOWS\system32\drivers\http.sys
2006-10-19 03:55 23,040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-10-19 03:55 16,896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-10-19 03:55 128,896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
2006-10-19 03:55 11,776 --------- C:\WINDOWS\system32\spnpinst.exe
2006-09-29 11:44 8,552 --a------ C:\WINDOWS\system32\drivers\asctrm.sys
2006-09-29 11:42 102,400 --a------ C:\WINDOWS\system32\SimpleRegistry.dll
2006-09-29 11:42 10,752 --a------ C:\WINDOWS\system32\aamd532.dll
2006-09-29 11:40 33,588 -ra------ C:\WINDOWS\system32\drivers\wanatw4.sys
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-10-22 01:18 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-22 00:56 -------- d-------- C:\Program Files\SwiftSwitch
2006-10-21 02:16 -------- d-------- C:\Program Files\ShortKeys2
2006-10-21 01:59 -------- d-------- C:\Program Files\Internet Explorer
2006-10-21 01:47 -------- d-------- C:\Program Files\MSN Messenger
2006-10-21 01:29 -------- d-------- C:\Program Files\Messenger
2006-10-21 01:29 -------- d-------- C:\Program Files\Common Files\System
2006-10-21 01:22 -------- d-------- C:\Program Files\Windows Media Player
2006-10-21 01:16 -------- d-------- C:\Program Files\Outlook Express
2006-10-19 23:35 96256 --a------ C:\WINDOWS\system32\drivers\sptd8829.sys
2006-10-19 23:25 -------- d-------- C:\Program Files\Movie Maker
2006-10-19 23:20 -------- d-------- C:\Program Files\Windows NT
2006-10-19 23:20 -------- d-------- C:\Program Files\NetMeeting
2006-10-18 23:22 -------- d-------- C:\Documents and Settings\user\Application Data\acccore
2006-10-18 23:21 -------- d-------- C:\Program Files\AIM
2006-10-18 23:21 -------- d-------- C:\Documents and Settings\user\Application Data\AIMPro
2006-10-18 23:21 -------- d-------- C:\Documents and Settings\user\Application Data\AIM
2006-10-18 23:20 -------- dr-h----- C:\Documents and Settings\user\Application Data\yahoo!
2006-10-18 23:18 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-10-18 23:05 3142 --a------ C:\WINDOWS\slog.dll
2006-10-18 23:04 -------- d-------- C:\Program Files\Common Files
2006-10-05 00:18 -------- d-------- C:\Documents and Settings\user\Application Data\Real
2006-10-05 00:16 -------- d-------- C:\Program Files\Common Files\xing shared
2006-10-05 00:15 -------- d-------- C:\Program Files\Common Files\Real
2006-10-05 00:09 774144 --a------ C:\Program Files\RngInterstitial.dll
2006-10-05 00:09 -------- d-------- C:\Program Files\Real
2006-10-01 16:18 -------- d-------- C:\Program Files\Common Files\aolshare
2006-10-01 16:18 -------- d-------- C:\Program Files\Common Files\AOL
2006-09-29 11:54 -------- d-------- C:\Documents and Settings\user\Application Data\AOL
2006-09-29 11:45 -------- d-------- C:\Program Files\Common Files\Nullsoft
2006-09-29 11:45 -------- d-------- C:\Documents and Settings\user\Application Data\You've Got Pictures Screensaver
2006-09-29 11:42 -------- d-------- C:\Program Files\Viewpoint
2006-09-29 11:39 -------- d-------- C:\Documents and Settings\user\Application Data\Mozilla
2006-09-26 16:46 -------- d-------- C:\Program Files\World of Warcraft
2006-09-26 01:34 -------- d-------- C:\Program Files\mIRC
2006-09-23 03:56 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-09-22 01:43 -------- d-------- C:\Documents and Settings\user\Application Data\FrostWire
2006-09-16 03:13 -------- d-------- C:\Program Files\ADShareit
2006-09-16 03:08 -------- d-------- C:\Documents and Settings\user\Application Data\Eltima Software
2006-09-16 03:07 -------- d-------- C:\Program Files\Eltima Software
2006-09-16 03:03 -------- d-------- C:\Program Files\Flash SWF to GIF AVI Converter
2006-09-15 14:07 -------- d-------- C:\Program Files\DAEMON Tools
2006-09-14 23:10 -------- d-------- C:\Program Files\Norton AntiVirus
2006-09-14 23:09 -------- d-------- C:\Program Files\Symantec
2006-09-14 02:36 -------- d-------- C:\Program Files\Common Files\Services
2006-09-14 02:27 -------- d-------- C:\Documents and Settings\user\Application Data\Symantec
2006-09-14 02:12 10344 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2006-09-14 02:11 -------- d-------- C:\Program Files\Yahoo!
2006-09-14 02:09 -------- d---s---- C:\Documents and Settings\user\Application Data\Microsoft
2006-09-14 02:07 -------- d-------- C:\Documents and Settings\user\Application Data\Lavasoft
2006-09-13 00:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-12 17:51 1245184 --a------ C:\WINDOWS\system32\msxml4.dll
2006-09-09 12:09 -------- d-------- C:\Program Files\Common Files\WhenU
2006-09-09 12:09 -------- d-------- C:\Documents and Settings\user\Application Data\WhenU
2006-09-09 12:08 223128 --a------ C:\WINDOWS\system32\drivers\dtscsi.sys
2006-09-09 03:56 643072 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2006-09-08 16:01 -------- d-------- C:\Program Files\LimeWire
2006-09-08 05:23 -------- d-------- C:\Program Files\Return to Castle Wolfenstein Multiplayer DEMO
2006-09-07 14:00 50176 --a------ C:\WINDOWS\rcdesk.exe
2006-09-07 04:05 419 --a------ C:\WINDOWS\winndm32.dll
2006-09-07 03:58 3 --a------ C:\WINDOWS\zclient.dll
2006-09-07 03:58 -------- d-------- C:\Program Files\Accessories
2006-09-07 03:42 82649 --a------ C:\WINDOWS\Generic Installer Uninstaller.exe
2006-09-01 02:05 -------- d--h----- C:\Program Files\Uninstall Information
2006-08-31 21:15 -------- d-------- C:\Program Files\MSXML 4.0
2006-08-25 10:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-19 15:56 102400 --a------ C:\WINDOWS\messanger.exe
2006-08-18 04:01 46080 --a------ C:\WINDOWS\msimn32.exe
2006-08-18 01:21 98304 --a------ C:\WINDOWS\system32\pspsvc.dll
2006-08-18 01:21 98304 --a------ C:\WINDOWS\pspsvc.dll
2006-08-16 06:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
2006-08-07 16:02 534208 --a------ C:\WINDOWS\system32\SymNeti.dll
2006-08-07 16:02 161472 --a------ C:\WINDOWS\system32\SymRedir.dll
2006-08-03 03:04 337408 --a------ C:\WINDOWS\host32.exe
2006-07-29 19:32 48936 --a------ C:\WINDOWS\system32\sirenacm.dll
2006-07-27 08:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"wltray.exe"="C:\\WINDOWS\\System32\\wltray.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
"SiSUSBRG"="C:\\WINDOWS\\SiSUSBrg.exe"
"SemanticInsight"="C:\\Program Files\\RXToolBar\\Semantic Insight\\SemanticInsight.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"MMTray"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~1\\mm_tray.exe"
"mmtask"="\"C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"Encrypted Disk Auto Mount"="rundll32.exe edshell.dll,MountAll"
"EM_EXEC"="C:\\PROGRA~1\\Logitech\\MOUSEW~1\\SYSTEM\\EM_EXEC.EXE"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"CommServ"="C:\\WINDOWS\\system32\\XPAud\\csrss.exe"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"AIMPro"="\"C:\\Program Files\\AIM\\AIM Pro\\aimpro.exe\""
@="C:\\WINDOWS\\system32\\XPAud\\"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"MSN service"="msnmgr16.exe"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{6af69c4d-420a-4c95-b34f-e4635f84f53b}"="forevouched"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"wininet.dll"=""
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"item"=" mousepen"
"hkey"="HKCU"
"command"=" mousepen.exe"
"inimapping"="1"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - user.job
Completion time: 06-10-22 1:20:09.02
C:\ComboFix.txt ... 06-10-22 01:20
Thanks for the help, and good luck analyzing that log O_o
-
Did you knowingly install a keylogger on your machine >> WinSpy?
This runs in stealth mode and monitors everything on your computer
We must remove it if you don't know anything about it
It can be used remotely from another machine to log everything you do on your computer
It won't show in Add/Remove Programs
Also
Download the latest version of SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.zip) (by S!Ri)
Extract the contents (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
-
I didn't install WinSpy, I'm doing a search for it now, and here's the SmitFraud report:
EDIT: I cannot find WinSpy on my computer....
SmitFraudFix v2.112
Scan done at 10:54:23.30, Sun 10/22/2006
Run from C:\Documents and Settings\user\My Documents\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\1024\ FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\user
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\user\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\user\FAVORI~1
C:\DOCUME~1\user\FAVORI~1\Antivirus Test Online.url FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{6af69c4d-420a-4c95-b34f-e4635f84f53b}"="forevouched"
[HKEY_CLASSES_ROOT\CLSID\{6af69c4d-420a-4c95-b34f-e4635f84f53b}\InProcServer32]
@="C:\WINDOWS\System32\viwpzla.dll"
[HKEY_CURRENT_USER\Software\Classes\CLSID\{6af69c4d-420a-4c95-b34f-e4635f84f53b}\InProcServer32]
@="C:\WINDOWS\System32\viwpzla.dll"
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
-
Beren, have you thought of just rebooting your whole computer?
BTW, while I'm on this thread, Guestolo, can you, like, add me on MSN or something please? It's urgent, I don't want my main getting banned
-
AVG Anti-Spyware should remove most of the entries of WinSpy
Can you do the following please
Download >> Install AVG Anti-Spyware 7.5 (http://www.ewido.net/en/download/) from Ewido Networks. Load AVG Anti-Spyware and then click the Update tab at the top. Under Manual Update click Start update.
- After the update finishes (the status bar at the bottom will display "Update successful")
- Close AVG Anti-Spyware as we will need it later
Can you next create a .reg file for me please
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg
Save this file on the desktop
Ensure to copy Everything from REGEDIT4 and down in the code box
REGEDIT4
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"MSN service"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{25D8BACF-3DE2-4B48-AE22-D659B8D835B0}"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25D8BACF-3DE2-4B48-AE22-D659B8D835B0}]
[-HKEY_CLASSES_ROOT\clsid\{59879fa4-4790-461c-a1cc-4ec4de4ca483}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FB590D02-0A82-4F44-9FAD-517948DCF4F3}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{66B20295-DC57-42B6-ACDF-52D916E86464}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RXToolBar.TBInfo]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RXToolBar.TBInfo.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RXToolBar]
[-HKEY_CURRENT_USER\SOFTWARE\RX Toolbar]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"wltray.exe"="C:\\WINDOWS\\System32\\wltray.exe"
"SiSUSBRG"="C:\\WINDOWS\\SiSUSBrg.exe"
"MMTray"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~1\\mm_tray.exe"
"mmtask"="\"C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"Encrypted Disk Auto Mount"="rundll32.exe edshell.dll,MountAll"
"EM_EXEC"="C:\\PROGRA~1\\Logitech\\MOUSEW~1\\SYSTEM\\EM_EXEC.EXE"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"AIMPro"="\"C:\\Program Files\\AIM\\AIM Pro\\aimpro.exe\""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
We'll need this later
Print the rest of these instructions or save them to a text file on the desktop
Close all browser windows
Access your add/remove programs and remove
RXToolbar if found
Reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads. Select Safe Mode on the top of the screen that appears.
Sign in with your normal user account
In safe mode, do the following
* Clean your Cache and Cookies in IE:- Go to Control Panel > Internet Options > General tab
- Click the "Delete Cookies" button
- Next to it, Click the "Delete Files" button
- When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
- Go to Tools > Options.
- Click Privacy in the menu on the left side of the Options window.
- Click the Clear button located to the right of each option (History, Cookies, Cache).
- Click OK to close the Options window
Alternatively, you can clear all information stored while browsing by clicking Clear All.
A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
- Go to start > run and type: cleanmgr and click OK.
- Let it scan your system for files to remove.
- Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
- Press OK to remove them.
==Open the SmitfraudFix folder you extracted to desktop earlier
- Double-click smitfraudfix.cmd
- Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
- You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
- The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process. A text file will appear onscreen, with results from the cleaning process
I'll need to see these later, by default they are also saved at C:\rapport.txt
If a reboot was required, allow Windows to load normally, then later reboot back to safe mode
If a reboot is not required, Remain in safe mode
==Double click on fix.reg and allow to add/merge to the registry at the prompt
AVG-Antispyware Scan
- Load AVG and select the "Scanner" tab
- Click the "Settings" tab and then change the recommended action to Quarantine and ensure that Automatically generate report after every scan is selected
- Click back to the "Scan" tab and then click on Complete System Scan.
- Let this scan complete
- AVG will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
- Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
Reboot the computer to Normal windows
Can I see all the following please, even if it takes more than one reply to post everything
1. Post a fresh hijackthis log
2. Post the whole report from Avg Antispyware
3. Post the log from Smitfraudfix>>C:\Rapport.txt
Can you also do the following
From the bottom of this reply box
Download and save find.zip
then unzip the contents to desktop so you now have find.bat extracted
Double click on find.bat, a text file will open, copy>>Paste back the whole contents please
-
1. Post a fresh hijackthis log
Logfile of HijackThis v1.99.1
Scan saved at 11:23:59 PM, on 10/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\drivers\crauto.exe
C:\WINDOWS\System32\drivers\IMountSRV.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\wltray.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\AIM\AIM Pro\aimpro.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ePlus48U\ScanPanel\ScnPanel.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\SHORTK~1\shklite.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Norton AntiVirus\NAVW32.EXE
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\user\Desktop\hijackthis.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\System32\wltray.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~1\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Encrypted Disk Auto Mount] rundll32.exe edshell.dll,MountAll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AIMPro] "C:\Program Files\AIM\AIM Pro\aimpro.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ScanPanel.lnk = C:\Program Files\ePlus48U\ScanPanel\ScnPanel.exe
O4 - Global Startup: ShortKeys Lite.lnk = ?
O8 - Extra context menu item: Convert for CLIE - C:\Program Files\Sony\Image Converter\menu.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157094774263
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: crauto - Unknown owner - C:\WINDOWS\System32\drivers\crauto.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMountSRV - Unknown owner - C:\WINDOWS\System32\drivers\IMountSRV.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: PMounter - Unknown owner - C:\Paragon HDM\Ext2\PMounter.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
2. Post the whole report from Avg Antispyware
--------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 11:10:03 PM 10/22/2006
+ Scan result:
HKLM\SOFTWARE\Classes\CLSID\{59879FA4-4790-461c-A1CC-4EC4DE4CA483} -> Adware.RXToolbar : Cleaned.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{59879FA4-4790-461c-A1CC-4EC4DE4CA483} -> Adware.RXToolbar : Cleaned.
HKU\S-1-5-21-1123561945-706699826-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{59879FA4-4790-461C-A1CC-4EC4DE4CA483} -> Adware.RXToolbar : Cleaned.
C:\WINDOWS\system32\atl32.dll -> Not-A-Virus.Monitor.Win32.EliteKeylogger.30 : Cleaned with backup (quarantined).
C:\WINDOWS\system32\drivers\acpi2k.sys -> Not-A-Virus.Monitor.Win32.EliteKeylogger.30 : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dmadmsvr.exe -> Not-A-Virus.Monitor.Win32.EliteKeylogger.3019 : Cleaned with backup (quarantined).
C:\Documents and Settings\user\Desktop\Unused Desktop Shortcuts\Win-Spy Eval Setup.exe/10.txt -> Not-A-Virus.Monitor.Win32.WinSpy.88 : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{BF343766-BF71-4C2D-90A7-CE2DD9119F7A}\RP237\A0070669.exe -> Not-A-Virus.Monitor.Win32.WinSpy.88 : Cleaned with backup (quarantined).
:mozilla.103:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.104:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.106:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.107:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.108:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.17:C:\Documents and Settings\user_2\Application Data\Mozilla\Firefox\Profiles\2idtd1yk.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Will\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\user_2\Cookies\user_2@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.84:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.85:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.86:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.87:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.88:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.11:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.12:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.6:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.7:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.8:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\user_2\Cookies\user_2@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.47:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\user_2\Cookies\user_2@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.50:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.51:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.52:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.53:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.25:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.26:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.27:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\user_2\Cookies\[email protected][2].txt -> TrackingCookie.Dbbsrv : Cleaned.
C:\Documents and Settings\user_2\Cookies\[email protected][2].txt -> TrackingCookie.Dbbsrv : Cleaned.
:mozilla.29:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\user_2\Cookies\user_2@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.28:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.30:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.33:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\user_2\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\user_2\Cookies\user_2@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.12:C:\Documents and Settings\user_2\Application Data\Mozilla\Firefox\Profiles\2idtd1yk.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.92:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Will\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned.
C:\MSWORKS\Local Disk (D)\WINDOWS\Cookies\[email protected] -> TrackingCookie.Paycounter : Cleaned.
:mozilla.73:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.74:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.75:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\user_2\Cookies\user_2@revenue[2].txt -> TrackingCookie.Revenue : Cleaned.
:mozilla.100:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.101:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.102:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.105:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.99:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\user_2\Cookies\[email protected][2].txt -> TrackingCookie.Sexcounter : Cleaned.
C:\Documents and Settings\user_2\Cookies\[email protected][1].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\user_2\Cookies\user_2@sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\user_2\Cookies\user_2@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.64:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.65:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.66:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.67:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.68:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.69:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.70:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.119:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Valueclick : Cleaned.
:mozilla.76:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.77:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.78:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.79:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.80:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\user_2\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\user_2\Cookies\user_2@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.
C:\Program Files\thriXXX\3D SexVilla\Binaries\3DSexVilla-017-001-start.exe -> Trojan.QQPass.ly : Cleaned with backup (quarantined).
C:\Program Files\thriXXX\VirtuallyJenna\Binaries\VirtuallyJenna-017.002-start.exe -> Trojan.QQPass.ly : Cleaned with backup (quarantined).
::Report end
3. Post the log from Smitfraudfix>>C:\Rapport.txt
SmitFraudFix v2.112
Scan done at 13:14:42.24, Sun 10/22/2006
Run from C:\Documents and Settings\user\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{6af69c4d-420a-4c95-b34f-e4635f84f53b}"="forevouched"
[HKEY_CLASSES_ROOT\CLSID\{6af69c4d-420a-4c95-b34f-e4635f84f53b}\InProcServer32]
@="C:\WINDOWS\System32\viwpzla.dll"
[HKEY_CURRENT_USER\Software\Classes\CLSID\{6af69c4d-420a-4c95-b34f-e4635f84f53b}\InProcServer32]
@="C:\WINDOWS\System32\viwpzla.dll"
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\1024\ Deleted
C:\DOCUME~1\user\FAVORI~1\Antivirus Test Online.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
4. find.bat results
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"MSN service"="msnmgr16.exe"
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList]
"{A50398B8-9075-4FBF-A7A1-456BF21937AD}"="1"
"{AD65A69D-3831-40D7-9629-9B0B50A93843}"="1"
"{0040D221-54A1-11D1-9DE0-006097042D69}"="1"
"{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3}"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\NONREDIST]
"System.EnterpriseServices.Thunk.dll"=""
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,00,\
00
"LsaPid"=dword:000002fc
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000000
"restrictanonymoussam"=dword:00000001
"Notification Packages"=hex(7):00,00,73,00,63,00,65,00,63,00,6c,00,69,00,00,00,\
73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00
"ImpersonatePrivilegeUpgradeToolHasRun"=dword:00000001
"enabledcom"="y"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,4e,00,\
54,00,20,00,41,00,63,00,63,00,65,00,73,00,73,00,20,00,50,00,72,00,6f,00,76,\
00,69,00,64,00,65,00,72,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
6e,00,74,00,6d,00,61,00,72,00,74,00,61,00,2e,00,64,00,6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:d3,4c,b4,c6,6e,df,77,e8,a5,7b,0b,dc,85,82,0b,66,65,66,66,64,30,\
61,35,35,00,68,07,00,01,00,00,00,dc,00,00,00,e0,00,00,00,48,fa,06,00,97,55,\
5a,74,04,00,00,00,a0,fd,06,00,b8,fd,06,00,83,74,32,6b
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:b3,60,71,97,28,b3,ec,75,f9
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:76,4c,b9,87,c8,de
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\msv1_0]
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:07,f2,6c,ed,8a,b8,af,7d,93,c1,94,ae,87,b6,ba,6c
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:60,64,b6,a2,9b,cd,c6,01
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,d9,4a,94,f8,79,c4,01
"Type"=dword:00000031
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,d9,4a,94,f8,79,c4,01
"Type"=dword:00000031
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:80,6f,e3,94,f8,79,c4,01
I did get your message, and I used the new fix.reg.
-
Good work
I removed your signatures ONLY in this thread
and removed some of the quote boxes and bolds
It all reduced the size of this thread a bit
Can you do one more log for me please
Run Combofix again and post the new log in a new reply please
Let's see what we have leftover
I may not see it till tomorrow, but we'll get the rest of this
-
user - 06-10-23 3:38:47.05 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\user\Desktop"
((((((((((((((((((((((((((((((( Files Created from 2006-09-23 to 2006-10-23 ))))))))))))))))))))))))))))))))))
2006-10-22 23:22 8,506 --a------ C:\cp.reg
2006-10-22 12:44 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-10-22 10:54 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-10-22 10:54 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-10-22 10:54 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-10-22 10:54 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-10-19 03:55 262,784 --------- C:\WINDOWS\system32\drivers\http.sys
2006-10-19 03:55 23,040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-10-19 03:55 16,896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-10-19 03:55 128,896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
2006-10-19 03:55 11,776 --------- C:\WINDOWS\system32\spnpinst.exe
2006-09-29 11:44 8,552 --a------ C:\WINDOWS\system32\drivers\asctrm.sys
2006-09-29 11:42 102,400 --a------ C:\WINDOWS\system32\SimpleRegistry.dll
2006-09-29 11:42 10,752 --a------ C:\WINDOWS\system32\aamd532.dll
2006-09-29 11:40 33,588 -ra------ C:\WINDOWS\system32\drivers\wanatw4.sys
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-10-23 03:39 -------- d-------- C:\Program Files\Incomplete
2006-10-23 03:39 -------- d-------- C:\Program Files\FrostWire
2006-10-23 03:38 -------- d-------- C:\Program Files\SwiftSwitch
2006-10-23 03:29 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-23 00:37 -------- d-------- C:\Program Files\ShortKeys2
2006-10-22 12:51 208907534 --a------ C:\WINDOWS\system32\WINcache.DLL
2006-10-22 12:44 -------- d-------- C:\Program Files\Grisoft
2006-10-21 01:59 -------- d-------- C:\Program Files\Internet Explorer
2006-10-21 01:47 -------- d-------- C:\Program Files\MSN Messenger
2006-10-21 01:29 -------- d-------- C:\Program Files\Messenger
2006-10-21 01:29 -------- d-------- C:\Program Files\Common Files\System
2006-10-21 01:22 -------- d-------- C:\Program Files\Windows Media Player
2006-10-21 01:16 -------- d-------- C:\Program Files\Outlook Express
2006-10-19 23:35 96256 --a------ C:\WINDOWS\system32\drivers\sptd8829.sys
2006-10-19 23:25 -------- d-------- C:\Program Files\Movie Maker
2006-10-19 23:20 -------- d-------- C:\Program Files\Windows NT
2006-10-19 23:20 -------- d-------- C:\Program Files\NetMeeting
2006-10-18 23:22 -------- d-------- C:\Documents and Settings\user\Application Data\acccore
2006-10-18 23:21 -------- d-------- C:\Program Files\AIM
2006-10-18 23:21 -------- d-------- C:\Documents and Settings\user\Application Data\AIMPro
2006-10-18 23:21 -------- d-------- C:\Documents and Settings\user\Application Data\AIM
2006-10-18 23:20 -------- dr-h----- C:\Documents and Settings\user\Application Data\yahoo!
2006-10-18 23:18 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-10-18 23:05 3142 --a------ C:\WINDOWS\slog.dll
2006-10-18 23:04 -------- d-------- C:\Program Files\Common Files
2006-10-05 00:18 -------- d-------- C:\Documents and Settings\user\Application Data\Real
2006-10-05 00:16 -------- d-------- C:\Program Files\Common Files\xing shared
2006-10-05 00:15 -------- d-------- C:\Program Files\Common Files\Real
2006-10-05 00:09 774144 --a------ C:\Program Files\RngInterstitial.dll
2006-10-05 00:09 -------- d-------- C:\Program Files\Real
2006-10-01 16:18 -------- d-------- C:\Program Files\Common Files\aolshare
2006-10-01 16:18 -------- d-------- C:\Program Files\Common Files\AOL
2006-09-29 11:54 -------- d-------- C:\Documents and Settings\user\Application Data\AOL
2006-09-29 11:45 -------- d-------- C:\Program Files\Common Files\Nullsoft
2006-09-29 11:45 -------- d-------- C:\Documents and Settings\user\Application Data\You've Got Pictures Screensaver
2006-09-29 11:42 -------- d-------- C:\Program Files\Viewpoint
2006-09-29 11:39 -------- d-------- C:\Documents and Settings\user\Application Data\Mozilla
2006-09-26 16:46 -------- d-------- C:\Program Files\World of Warcraft
2006-09-26 01:34 -------- d-------- C:\Program Files\mIRC
2006-09-23 03:56 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-09-22 01:43 -------- d-------- C:\Documents and Settings\user\Application Data\FrostWire
2006-09-16 03:13 -------- d-------- C:\Program Files\ADShareit
2006-09-16 03:08 -------- d-------- C:\Documents and Settings\user\Application Data\Eltima Software
2006-09-16 03:07 -------- d-------- C:\Program Files\Eltima Software
2006-09-16 03:03 -------- d-------- C:\Program Files\Flash SWF to GIF AVI Converter
2006-09-15 14:07 -------- d-------- C:\Program Files\DAEMON Tools
2006-09-14 23:10 -------- d-------- C:\Program Files\Norton AntiVirus
2006-09-14 23:09 -------- d-------- C:\Program Files\Symantec
2006-09-14 02:36 -------- d-------- C:\Program Files\Common Files\Services
2006-09-14 02:27 -------- d-------- C:\Documents and Settings\user\Application Data\Symantec
2006-09-14 02:12 10344 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2006-09-14 02:11 -------- d-------- C:\Program Files\Yahoo!
2006-09-14 02:09 -------- d---s---- C:\Documents and Settings\user\Application Data\Microsoft
2006-09-14 02:07 -------- d-------- C:\Documents and Settings\user\Application Data\Lavasoft
2006-09-13 00:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-12 17:51 1245184 --a------ C:\WINDOWS\system32\msxml4.dll
2006-09-09 12:09 -------- d-------- C:\Program Files\Common Files\WhenU
2006-09-09 12:09 -------- d-------- C:\Documents and Settings\user\Application Data\WhenU
2006-09-09 12:08 223128 --a------ C:\WINDOWS\system32\drivers\dtscsi.sys
2006-09-09 03:56 643072 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2006-09-08 16:01 -------- d-------- C:\Program Files\LimeWire
2006-09-08 05:23 -------- d-------- C:\Program Files\Return to Castle Wolfenstein Multiplayer DEMO
2006-09-07 14:00 50176 --a------ C:\WINDOWS\rcdesk.exe
2006-09-07 04:05 419 --a------ C:\WINDOWS\winndm32.dll
2006-09-07 03:58 3 --a------ C:\WINDOWS\zclient.dll
2006-09-07 03:58 -------- d-------- C:\Program Files\Accessories
2006-09-07 03:42 82649 --a------ C:\WINDOWS\Generic Installer Uninstaller.exe
2006-09-01 02:05 -------- d--h----- C:\Program Files\Uninstall Information
2006-08-31 21:15 -------- d-------- C:\Program Files\MSXML 4.0
2006-08-25 10:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-19 15:56 102400 --a------ C:\WINDOWS\messanger.exe
2006-08-18 04:01 46080 --a------ C:\WINDOWS\msimn32.exe
2006-08-18 01:21 98304 --a------ C:\WINDOWS\system32\pspsvc.dll
2006-08-18 01:21 98304 --a------ C:\WINDOWS\pspsvc.dll
2006-08-16 06:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
2006-08-07 16:02 534208 --a------ C:\WINDOWS\system32\SymNeti.dll
2006-08-07 16:02 161472 --a------ C:\WINDOWS\system32\SymRedir.dll
2006-08-03 03:04 337408 --a------ C:\WINDOWS\host32.exe
2006-07-29 19:32 48936 --a------ C:\WINDOWS\system32\sirenacm.dll
2006-07-27 08:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"wltray.exe"="C:\\WINDOWS\\System32\\wltray.exe"
"SiSUSBRG"="C:\\WINDOWS\\SiSUSBrg.exe"
"MMTray"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~1\\mm_tray.exe"
"mmtask"="\"C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"Encrypted Disk Auto Mount"="rundll32.exe edshell.dll,MountAll"
"EM_EXEC"="C:\\PROGRA~1\\Logitech\\MOUSEW~1\\SYSTEM\\EM_EXEC.EXE"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"AIMPro"="\"C:\\Program Files\\AIM\\AIM Pro\\aimpro.exe\""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\XPAud\\"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccApp"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CommServ]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="csrss"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\XPAud\\csrss.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"item"=" mousepen"
"hkey"="HKCU"
"command"=" mousepen.exe"
"inimapping"="1"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - user.job
Completion time: 06-10-23 3:41:31.71
C:\ComboFix.txt ... 06-10-23 03:41
C:\ComboFix2.txt ... 06-10-22 01:20
-
Sorry for the delay
Can you do the following please
Unfortunately, before you ran fix.reg, you disabled some items on startup with msconfig
I need everything enabled on startup
Can you ensure that you still have fix.reg saved to desktop, we'll need it later
Go to START>>RUN>>Type in
msconfig
Hit OK
Under the STARTUP tab>>Enable ALL>>Apply it
Under the General tab>>select NORMAL startup
APPLY it and CLOSE
DO NOT Restart the computer yet
Instead
Download The Avenger.zip (http://swandog46.geekstogo.com/avenger.zip) by Swandog46 to your Desktop.
* Click on Avenger.zip to open the file
* Extract avenger.exe to your desktop
Copy ALL the text contained in blue below to your Clipboard by highlighting it and pressing (Ctrl+C) on your keyboard,
=============================================================
Files to delete:
C:\WINDOWS\host32.exe
C:\WINDOWS\pspsvc.dll
C:\WINDOWS\system32\pspsvc.dll
C:\WINDOWS\msimn32.exe
C:\WINDOWS\messanger.exe
C:\WINDOWS\Generic Installer Uninstaller.exe
C:\WINDOWS\zclient.dll
C:\WINDOWS\winndm32.dll
C:\WINDOWS\rcdesk.exe
C:\WINDOWS\system32\XPAud\csrss.exe
C:\WINDOWS\system32\msnmgr16.exe
Folders to delete:
C:\WINDOWS\system32\XPAud
==========================================================================
Now, start The Avenger program by clicking on its icon on your desktop
* Under "Script file to execute" choose "Input Script Manually".
* Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
* Paste the text copied to clipboard into this window by pressing (Ctrl+V).
* Click Done
* Now click on the Green Light to begin execution of the script
* Answer "Yes" twice when prompted.
Avenger should now Reboot your computer
Back in Windows
Double click on fix.reg and allow to add/merge to the registry
Reboot the computer again
Back in Windows
Can you run these files thru either Jotti's online scanner OR Virustotal please and post the results
C:\WINDOWS\slog.dll
C:\WINDOWS\system32\WINcache.DLL
C:\WINDOWS\system32\drivers\sptd8829.sys
C:\WINDOWS\system32\aamd532.dll
Here are the links again
http://virusscan.jotti.org/
OR
http://www.virustotal.com/flash/index_en.html
Also, can you search for this file on your drive
mousepen.exe
If you find it can you scan it too please
Can you post the above scans please
Also, Post a fresh hijackthis log along with the log from Avenger, found here>>C:\Avenger.txt
Let me know how things are running
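The two things the helper acted on in the ComboFix "Reg Loading Points" section and in this file list (a csrss.exe launching from C:\WINDOWS\system32\XPAud instead of system32 itself, and look-alike executable names such as messanger.exe sitting in C:\WINDOWS) can be checked mechanically. The following Python script is an added example, not a tool from this thread or from HijackThis/ComboFix: it parses HijackThis O4/O2/O3/R3 lines and ComboFix-style startupreg "command" values and flags those patterns plus "(no file)" orphans. The sample lines are constructed from this thread's logs, and the LOOKALIKES list is an assumption seeded from the file names posted above.

```python
import re
from pathlib import PureWindowsPath

# Core Windows binaries that malware commonly imitates; only the directory
# listed here is treated as legitimate for that name (assumption: XP layout).
CANONICAL_DIRS = {
    "csrss.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
}

# Look-alike names taken from the deletion list in this thread (constructed, not exhaustive).
LOOKALIKES = {"messanger.exe", "msimn32.exe", "host32.exe", "msnmgr16.exe", "rcdesk.exe"}

# HijackThis "O4 - HKLM\..\Run: [name] command" lines.
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# HijackThis lines of the form "Oxx - label - {CLSID} - path" (O2/O3/O9/O18/R3).
HJT_CLSID_RE = re.compile(r'^(?P<label>[RO]\d+ - [^-]+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$')
# ComboFix startupreg dump: "command"="<reg-escaped value>"
STARTUPREG_RE = re.compile(r'^"command"="(?P<cmd>.*)"$')


def extract_path(cmd):
    """Return the executable path from a Run command, stripping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ")[0]


def parse_line(line):
    """Map one log line to (label, path), or None if the line is not a startup entry."""
    m = O4_RE.match(line)
    if m:
        return m.group("name"), extract_path(m.group("cmd"))
    m = STARTUPREG_RE.match(line)
    if m:
        # Undo .reg escaping: \" -> " first, then \\ -> \ (order matters).
        raw = m.group("cmd").replace('\\"', '"').replace('\\\\', '\\')
        return "startupreg", extract_path(raw)
    m = HJT_CLSID_RE.match(line)
    if m:
        return m.group("label"), m.group("path")
    return None


def assess(path):
    """Return the reasons a startup path looks suspicious (empty list = nothing flagged)."""
    if not path:
        return ["no executable given"]
    if "(no file)" in path:
        return ["entry points to a file that no longer exists (orphan)"]
    if path.endswith("\\"):
        return ["command names a directory, not an executable"]
    p = PureWindowsPath(path)
    name, parent = p.name.lower(), str(p.parent).lower()
    reasons = []
    if name in CANONICAL_DIRS and parent != CANONICAL_DIRS[name]:
        reasons.append(f"{name} launched from non-canonical directory {p.parent}")
    if name in LOOKALIKES:
        reasons.append(f"{name} imitates a Windows binary name")
    return reasons


def scan(lines):
    """Return [(label, path, reasons)] for every entry with at least one reason."""
    findings = []
    for line in lines:
        parsed = parse_line(line.strip())
        if parsed is None:
            continue
        label, path = parsed
        reasons = assess(path)
        if reasons:
            findings.append((label, path, reasons))
    return findings


# Constructed sample: a mix of HijackThis and ComboFix lines modelled on this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\System32\wltray.exe
O4 - HKLM\..\Run: [Encrypted Disk Auto Mount] rundll32.exe edshell.dll,MountAll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
"command"="C:\\WINDOWS\\system32\\XPAud\\"
"command"="C:\\WINDOWS\\system32\\XPAud\\csrss.exe"
"command"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"command"="C:\\WINDOWS\\messanger.exe"
""".strip().splitlines()

if __name__ == "__main__":
    for label, path, reasons in scan(SAMPLE_LOG):
        print(f"{label}: {path}\n    " + "\n    ".join(reasons))
```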
-
C:\WINDOWS\slog.dll-------found nothing
C:\WINDOWS\system32\WINcache.DLL-----is 200 MB so I couldn't upload it and scan it
C:\WINDOWS\system32\drivers\sptd8829.sys-----is in use, can't be scanned
C:\WINDOWS\system32\aamd532.dll-----found nothing
mousepen---found nothing
=============================================================================
Logfile of HijackThis v1.99.1
Scan saved at 11:00:13 PM, on 10/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\drivers\crauto.exe
C:\WINDOWS\System32\drivers\IMountSRV.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\wltray.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\AIM\AIM Pro\aimpro.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ePlus48U\ScanPanel\ScnPanel.exe
C:\PROGRA~1\SHORTK~1\shklite.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
c:\progra~1\mozill~1\firefox.exe
C:\Program Files\SwiftSwitch\SwiftSwitch.exe
C:\Documents and Settings\user\Desktop\hijackthis.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\System32\wltray.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~1\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Encrypted Disk Auto Mount] rundll32.exe edshell.dll,MountAll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AIMPro] "C:\Program Files\AIM\AIM Pro\aimpro.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ScanPanel.lnk = C:\Program Files\ePlus48U\ScanPanel\ScnPanel.exe
O4 - Global Startup: ShortKeys Lite.lnk = ?
O8 - Extra context menu item: Convert for CLIE - C:\Program Files\Sony\Image Converter\menu.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157094774263
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: crauto - Unknown owner - C:\WINDOWS\System32\drivers\crauto.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMountSRV - Unknown owner - C:\WINDOWS\System32\drivers\IMountSRV.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: PMounter - Unknown owner - C:\Paragon HDM\Ext2\PMounter.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
=============================================================================
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\mhdwopxi
*******************
Script file located at: \??\C:\WINDOWS\jbqtxrpj.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINDOWS\host32.exe deleted successfully.
File C:\WINDOWS\pspsvc.dll deleted successfully.
File C:\WINDOWS\system32\pspsvc.dll deleted successfully.
File C:\WINDOWS\msimn32.exe deleted successfully.
File C:\WINDOWS\messanger.exe deleted successfully.
File C:\WINDOWS\Generic Installer Uninstaller.exe deleted successfully.
File C:\WINDOWS\zclient.dll deleted successfully.
File C:\WINDOWS\winndm32.dll deleted successfully.
File C:\WINDOWS\rcdesk.exe deleted successfully.
File C:\WINDOWS\system32\XPAud\csrss.exe deleted successfully.
File C:\WINDOWS\system32\msnmgr16.exe not found!
Deletion of file C:\WINDOWS\system32\msnmgr16.exe failed!
Could not process line:
C:\WINDOWS\system32\msnmgr16.exe
Status: 0xc0000034
Folder C:\WINDOWS\system32\XPAud deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
-
And I can't get on Live Messenger still, but my old version of Messenger is still operational, although my computer seems to be running faster =]
-
Bump... it was getting down there
-
Sorry for the delay, can you do the following please
Delete fix.reg on desktop
Make a new fix.reg
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg
Save this file on the desktop
Ensure to copy from REGEDIT4 and down in the code box
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"MSN service"=-
Double click on fix.reg and allow to add/merge to the registry at the prompt
I don't think Wincache.dll is a good guy, but to be safe
Can you navigate to C:\WINDOWS\system32\WINcache.DLL
Right click on Wincache.dll and rename it to
WINcache.dl_
We MUST update your version of Sun Java to plug up security holes that malware can exploit
Download the latest version of Java Runtime Environment (JRE) 5.0 Update 9 (http://java.sun.com/javase/downloads/index.jsp) - Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
- Click the "Download" button to the right.
- Check the box that says: "Accept License Agreement".
- The page will refresh.
- Click on the link to download Windows Offline Installation Multi-language
Save the file to your Desktop.
Don't install it yet
Access your Add/remove programs via Control Panel
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
eg..J2SE Runtime Environment 5.0 Update 7
They should have the Java icon next to them.
Select them and click Remove.
Do a "System scan only" with Hijackthis and put a check next to these entries:
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll
After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Reboot your computer
Find and delete this folder if found
C:\Program Files\RXToolBar <-this folder
Go ahead and install the latest version of Sun java from the installer on your desktop
After installation you can delete the installer
You had a keylogger on your computer
I recommend you change the passwords on your computer
This includes email>>banking>>Gaming>>IM>>etc...
Post a fresh Hijackthis log
Can I also see the following from Hijackthis
Close Hijackthis>>Reopen it
Click on Misc tools section
Open Hosts file manager
Click on "Open in Notepad"
Copy>>Paste back here the whole contents please
Could you also navigate to C:\cp.reg
RIGHT CLICK on cp.reg and choose EDIT
Can you copy and paste the contents back here
just close it out after
-
HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 11:23:01 PM, on 10/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\drivers\crauto.exe
C:\WINDOWS\System32\drivers\IMountSRV.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\wltray.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\AIM\AIM Pro\aimpro.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ePlus48U\ScanPanel\ScnPanel.exe
C:\PROGRA~1\SHORTK~1\shklite.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\System32\msiexec.exe
C:\Documents and Settings\user\Desktop\hijackthis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\System32\wltray.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~1\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Encrypted Disk Auto Mount] rundll32.exe edshell.dll,MountAll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AIMPro] "C:\Program Files\AIM\AIM Pro\aimpro.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ScanPanel.lnk = C:\Program Files\ePlus48U\ScanPanel\ScnPanel.exe
O4 - Global Startup: ShortKeys Lite.lnk = ?
O8 - Extra context menu item: Convert for CLIE - C:\Program Files\Sony\Image Converter\menu.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157094774263
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: crauto - Unknown owner - C:\WINDOWS\System32\drivers\crauto.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMountSRV - Unknown owner - C:\WINDOWS\System32\drivers\IMountSRV.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: PMounter - Unknown owner - C:\Paragon HDM\Ext2\PMounter.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
=============================================================================
hosts file manager
# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
=============================================================================
cp.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,00,\
00
"LsaPid"=dword:000002fc
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000000
"restrictanonymoussam"=dword:00000001
"Notification Packages"=hex(7):00,00,73,00,63,00,65,00,63,00,6c,00,69,00,00,00,\
73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00
"ImpersonatePrivilegeUpgradeToolHasRun"=dword:00000001
"enabledcom"="y"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,4e,00,\
54,00,20,00,41,00,63,00,63,00,65,00,73,00,73,00,20,00,50,00,72,00,6f,00,76,\
00,69,00,64,00,65,00,72,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
6e,00,74,00,6d,00,61,00,72,00,74,00,61,00,2e,00,64,00,6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:d3,4c,b4,c6,6e,df,77,e8,a5,7b,0b,dc,85,82,0b,66,65,66,66,64,30,\
61,35,35,00,68,07,00,01,00,00,00,dc,00,00,00,e0,00,00,00,48,fa,06,00,97,55,\
5a,74,04,00,00,00,a0,fd,06,00,b8,fd,06,00,83,74,32,6b
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:b3,60,71,97,28,b3,ec,75,f9
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:76,4c,b9,87,c8,de
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\msv1_0]
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:07,f2,6c,ed,8a,b8,af,7d,93,c1,94,ae,87,b6,ba,6c
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:60,64,b6,a2,9b,cd,c6,01
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,d9,4a,94,f8,79,c4,01
"Type"=dword:00000031
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,d9,4a,94,f8,79,c4,01
"Type"=dword:00000031
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:80,6f,e3,94,f8,79,c4,01
"Type"=dword:00000031
=============================================================================
Could not rename WINcache.dll; it was in use by another program.
-
Never mind about c:/cp.reg, that was created by me with the batch file
You can delete it.
Can you restart into safe mode and rename WinCache.dll?
How's everything?