TheTechGuide Forum
General Category => Tech Clinic => Topic started by: ep0xy on January 16, 2007, 08:17:57 PM
-
Hey doc,
My PC is sick, it's got a bad case of Win32/Parite.B and the worm :D called Win32/krepper.c
Well, what can I do about cleaning it, doc?
Is one of those a keylogger?
My Steam account was just hijacked yesterday while I was playing on it.
:(
I tried logging in again and it said the PW was changed, and I can't get it to send me an email, so I'm guessing whoever stole it changed the contact address :\
Anyways, I went ahead and ran a HijackThis log. Here she is:
Logfile of HijackThis v1.99.1
Scan saved at 7:22:50 PM, on 1/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Software\Panda Internet Security 2007\IFACE.EXE
C:\Program Files\Panda Software\Panda Internet Security 2007\PAVJOBS.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nvchost] C:\WINDOWS\winlogon.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe"
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - Global Startup: MultiMon Taskbar.lnk = C:\Program Files\MMTaskbar\MultiMon.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159461737484
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159463988281
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
Hope that helps and thanks in advance.
-p0x
-
Can you do the following:
Download this file - Combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe) and save it to your desktop.
Double-click combofix.exe and follow the prompts.
When finished, it shall produce a log for you.
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Post the log from ComboFix please.
-
Pox can't post, he's getting a site error. LOL
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, [email protected] and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.
-
Are you able to get the log from him and post?
I'll check into the server error with Josetann if we continue with problems posting
-
epoxy, I see you're logged in, still having problems posting that ComboFix log?
-
I have his log but getting the same error. Can't post the log, just short messages like this.
-
Looks like we're having server errors again, I'll let Josetann know about it.
Can one of you email me the log to the address below?
Click HERE ([email protected])
Whoops, I just edited the email addy to the correct one.
-
I sent it via email.
-
Can you re-click the email addy link and resend please, Mr.Bell?
I used the wrong address, keep forgetting I don't use Hotmail, but MSN instead. My bad.
:blink:
-
No problem
-
Got it, thanks Mr.Bell
epOxy, can you reboot the computer, ensure you reboot into normal Windows.
If you can, come back here, run a fresh scan and save the logfile with HijackThis and post its log.
Let's see what's left over.
-
REBOOTING NOW.........
-
Logfile of HijackThis v1.99.1
Scan saved at 12:10:20 AM, on 1/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\SYSTEM32\SWEEPER.EXE
C:\program files\steam\steam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MMTaskbar\MultiMon.exe
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://localhost:3476/cgi-bin/ncgir.exe?menu/fwl_index.html
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Internet Sweeper] C:\WINDOWS\SYSTEM32\SWEEPER.EXE /Q
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: MultiMon Taskbar.lnk = C:\Program Files\MMTaskbar\MultiMon.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159461737484
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159463988281
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
-
I don't have time tonight to go over the whole combofix log, but at a quick glance
Looks like it removed some bad registry entries and files/folders
Looks like you just removed Panda's and installed AVG
Seems as if one registry entry that is no longer in your hijackthis log was probably removed by AVG or Windows Defender
How are things running now?
Let me know please, and I'll still look over your combofix in more depth tomorrow
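-
The comparison the helper makes here (which O4/O20 entries are gone after ComboFix, which are new) is easy to automate, and the one entry that stands out in the first log is a Run entry launching `C:\WINDOWS\winlogon.exe` while the real winlogon.exe runs from `C:\WINDOWS\system32` in the process list. The script below is an added example for this thread, not a tool from the original posts or from HijackThis itself. Both logs are constructed excerpts of the lines quoted above, and the `SYSTEM32_ONLY` list and the "system32 binary name run from another path" heuristic are my assumptions for the example, not a HijackThis rule.

```python
"""Diff two HijackThis logs and flag autostart (O4) entries worth asking about.

Added example for this thread, not a tool from the original posts or from
HijackThis itself. The two logs below are constructed from lines quoted in the
thread, cut down to the entries that differ between the 16 Jan and 18 Jan scans.
"""
import ntpath
import re

# Constructed excerpt of the first log (before ComboFix ran).
LOG_BEFORE = r"""
C:\WINDOWS\system32\winlogon.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [nvchost] C:\WINDOWS\winlogon.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Constructed excerpt of the second log (after ComboFix and the reboot).
LOG_AFTER = r"""
C:\WINDOWS\SYSTEM32\winlogon.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Windows binaries that legitimately live only in %SystemRoot%\system32.
# Assumption: this short list is mine for the example, not an exhaustive one.
SYSTEM32_ONLY = {"winlogon.exe", "lsass.exe", "services.exe", "svchost.exe",
                 "csrss.exe", "smss.exe"}
SYSTEM32_DIR = r"c:\windows\system32"

ENTRY_RE = re.compile(r"^[RFO]\d+ - ")
O4_REG_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def parse_entries(log_text):
    """Return the section entries ('R0 - ...', 'O4 - ...', ...) as a set of lines;
    the 'Running processes' paths are skipped."""
    return {ln.strip() for ln in log_text.splitlines() if ENTRY_RE.match(ln.strip())}


def diff_logs(before, after):
    """(entries only in the earlier log, entries only in the later log)."""
    b, a = parse_entries(before), parse_entries(after)
    return sorted(b - a), sorted(a - b)


def command_image(cmd):
    """First token of a Run command line, unquoted (the program actually launched)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def flag_run_entries(log_text):
    r"""Registry Run/RunServices entries that launch a system32-only binary name
    from some other directory (e.g. C:\WINDOWS\winlogon.exe instead of
    C:\WINDOWS\system32\winlogon.exe). Returns (entry name, image path, reason)."""
    flagged = []
    for line in parse_entries(log_text):
        m = O4_REG_RE.match(line)
        if not m:
            continue
        image = command_image(m["cmd"])
        directory, base = ntpath.split(image)
        if base.lower() in SYSTEM32_ONLY and directory.lower() != SYSTEM32_DIR:
            flagged.append((m["name"], image, "system32 binary name run from another path"))
    return sorted(flagged)


if __name__ == "__main__":
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("Gone since the first log:")
    for line in removed:
        print("  -", line)
    print("New in the second log:")
    for line in added:
        print("  +", line)
    for name, image, why in flag_run_entries(LOG_BEFORE):
        print(f"Look at [{name}] -> {image}: {why}")
```

Run against the full logs instead of the excerpts, the diff lists every entry ComboFix, AVG or Windows Defender took out, without anyone having to eyeball 90 lines twice; the path check only says "ask about this", it does not decide that an entry is malware.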
-
Running fast, seems OK. The night it was bad I ran a program called NOD32 and it found like 750 exe's infected with Parite.B. Thanks for your help tonight, I've got to get to sleep myself for work in the morning. Talk tomorrow doc, thanks again.
So do you think Parite.B is what helped steal my Steam account username and password?
-
It may be Krepper or Alcan that stole your Steam identity.
I'm concerned about the entries in your HijackThis log pertaining to the infected .exe's and .scr's.
Re: Parite.B
An infection you had/have infects those files.
As in your ComboFix log, here are the ones I'm talking about that were modified on one date:
2007-01-16 00:27 8704 --a------ C:\WINDOWS\system32\wdfmgr.exe
2007-01-16 00:27 8704 --a------ C:\WINDOWS\system32\uwdf.exe
2007-01-16 00:27 65536 --a------ C:\WINDOWS\system32\wextract.exe
2007-01-16 00:27 5632 --a------ C:\WINDOWS\system32\winver.exe
2007-01-16 00:27 50176 --a------ C:\WINDOWS\system32\utilman.exe
2007-01-16 00:27 44544 --a------ C:\WINDOWS\system32\tscupgrd.exe
2007-01-16 00:27 433664 --a------ C:\WINDOWS\system32\wiaacmgr.exe
2007-01-16 00:27 347136 --a------ C:\WINDOWS\system32\tourstart.exe
2007-01-16 00:27 32256 --a------ C:\WINDOWS\system32\wpnpinst.exe
2007-01-16 00:27 32256 --a------ C:\WINDOWS\system32\wpabaln.exe
2007-01-16 00:27 30720 --a------ C:\WINDOWS\system32\xcopy.exe
2007-01-16 00:27 289792 --a------ C:\WINDOWS\system32\vssvc.exe
2007-01-16 00:27 28672 --a------ C:\WINDOWS\system32\verclsid.exe
2007-01-16 00:27 26112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2007-01-16 00:27 24576 --a------ C:\WINDOWS\system32\userinit.exe
2007-01-16 00:27 206336 --a------ C:\WINDOWS\system32\winfxdocobj.exe
2007-01-16 00:27 18432 --a------ C:\WINDOWS\system32\ups.exe
2007-01-16 00:27 17408 --a------ C:\WINDOWS\system32\wpdshextautoplay.exe
2007-01-16 00:27 172544 --a------ C:\WINDOWS\system32\wuauclt1.exe
2007-01-16 00:27 172032 --a------ C:\WINDOWS\system32\wjview.exe
2007-01-16 00:27 16896 --a------ C:\WINDOWS\system32\upnpcont.exe
2007-01-16 00:27 146432 --a------ C:\WINDOWS\system32\wudfhost.exe
2007-01-16 00:27 13824 --a------ C:\WINDOWS\system32\wscntfy.exe
2007-01-16 00:27 12288 --a------ C:\WINDOWS\system32\tracert.exe
2007-01-16 00:27 114688 --a------ C:\WINDOWS\system32\wscript.exe
2007-01-16 00:26 89600 --a------ C:\WINDOWS\system32\smlogsvc.exe
2007-01-16 00:26 8192 --a------ C:\WINDOWS\system32\spdwnwxp.exe
2007-01-16 00:26 8192 --a------ C:\WINDOWS\system32\smbinst.exe
2007-01-16 00:26 75776 --a------ C:\WINDOWS\system32\telnet.exe
2007-01-16 00:26 704512 --a------ C:\WINDOWS\system32\ss3dfo.scr
2007-01-16 00:26 679936 --a------ C:\WINDOWS\system32\sstext3d.scr
2007-01-16 00:26 610304 --a------ C:\WINDOWS\system32\sspipes.scr
2007-01-16 00:26 538624 --a------ C:\WINDOWS\system32\spider.exe
2007-01-16 00:26 47104 --a------ C:\WINDOWS\system32\ssmypics.scr
2007-01-16 00:26 393216 --a------ C:\WINDOWS\system32\ssflwbox.scr
2007-01-16 00:26 36864 --a------ C:\WINDOWS\system32\slrundll.exe
2007-01-16 00:26 24064 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-01-16 00:26 21504 --a------ C:\WINDOWS\system32\spupdwxp.exe
2007-01-16 00:26 20992 --a------ C:\WINDOWS\system32\ssmarque.scr
2007-01-16 00:26 19968 --a------ C:\WINDOWS\system32\ssbezier.scr
2007-01-16 00:26 18944 --a------ C:\WINDOWS\system32\ssmyst.scr
2007-01-16 00:26 14848 --a------ C:\WINDOWS\system32\stimon.exe
2007-01-16 00:26 14336 --a------ C:\WINDOWS\system32\ssstars.scr
2007-01-16 00:26 135680 --a------ C:\WINDOWS\system32\taskmgr.exe
2007-01-16 00:26 131584 --a------ C:\WINDOWS\system32\sndrec32.exe
2007-01-16 00:26 11776 --a------ C:\WINDOWS\system32\spnpinst.exe
2007-01-16 00:26 105984 --a------ C:\WINDOWS\system32\sysocmgr.exe
2007-01-16 00:25 95744 --a------ C:\WINDOWS\system32\scardsvr.exe
2007-01-16 00:25 9319936 --a------ C:\WINDOWS\system32\rtlcpl.exe
2007-01-16 00:25 9216 --a------ C:\WINDOWS\system32\scrnsave.scr
2007-01-16 00:25 9216 --a------ C:\WINDOWS\system32\proxycfg.exe
2007-01-16 00:25 77824 --a------ C:\WINDOWS\system32\shrpubw.exe
2007-01-16 00:25 77312 --a------ C:\WINDOWS\system32\sdbinst.exe
2007-01-16 00:25 77312 --a------ C:\WINDOWS\system32\rtcshare.exe
2007-01-16 00:25 73728 --a------ C:\WINDOWS\system32\pv_c3.exe
2007-01-16 00:25 70144 --a------ C:\WINDOWS\system32\sigverif.exe
2007-01-16 00:25 67072 --a------ C:\WINDOWS\system32\rdshost.exe
2007-01-16 00:25 62464 --a------ C:\WINDOWS\system32\rdpclip.exe
2007-01-16 00:25 56832 --a------ C:\WINDOWS\system32\rasphone.exe
2007-01-16 00:25 50176 --a------ C:\WINDOWS\system32\reg.exe
2007-01-16 00:25 50176 --a------ C:\WINDOWS\system32\proquota.exe
2007-01-16 00:25 49152 --a------ C:\WINDOWS\system32\powercfg.exe
2007-01-16 00:25 42496 --a------ C:\WINDOWS\system32\shmgrate.exe
2007-01-16 00:25 40960 --a------ C:\WINDOWS\system32\renum.exe
2007-01-16 00:25 35840 --a------ C:\WINDOWS\system32\rcimlby.exe
2007-01-16 00:25 31232 --a------ C:\WINDOWS\system32\sethc.exe
2007-01-16 00:25 26112 --a------ C:\WINDOWS\system32\skeys.exe
2007-01-16 00:25 23040 --a------ C:\WINDOWS\system32\setup.exe
2007-01-16 00:25 21504 --a------ C:\WINDOWS\system32\rcp.exe
2007-01-16 00:25 20480 --a------ C:\WINDOWS\system32\qprocess.exe
2007-01-16 00:25 19456 --a------ C:\WINDOWS\system32\shutdown.exe
2007-01-16 00:25 163840 --a------ C:\WINDOWS\system32\prfact.exe
2007-01-16 00:25 14848 --a------ C:\WINDOWS\system32\rsh.exe
2007-01-16 00:25 14336 --a------ C:\WINDOWS\system32\runonce.exe
2007-01-16 00:25 140800 --a------ C:\WINDOWS\system32\sessmgr.exe
2007-01-16 00:25 13824 --a------ C:\WINDOWS\system32\rexec.exe
2007-01-16 00:25 13824 --a------ C:\WINDOWS\system32\rdsaddin.exe
2007-01-16 00:25 13312 --a------ C:\WINDOWS\system32\savedump.exe
2007-01-16 00:25 119296 --a------ C:\WINDOWS\system32\reg_c3.exe
2007-01-16 00:25 11776 --a------ C:\WINDOWS\system32\regsvr32.exe
2007-01-16 00:24 86016 --a------ C:\WINDOWS\system32\netsh.exe
2007-01-16 00:24 794624 --a------ C:\WINDOWS\system32\nvcplui.exe
2007-01-16 00:24 76800 --a------ C:\WINDOWS\system32\nslookup.exe
2007-01-16 00:24 69632 --a------ C:\WINDOWS\system32\odbcconf.exe
2007-01-16 00:24 6144 --a------ C:\WINDOWS\system32\msdtc.exe
2007-01-16 00:24 58368 --a------ C:\WINDOWS\system32\packager.exe
2007-01-16 00:24 53760 --a------ C:\WINDOWS\system32\narrator.exe
2007-01-16 00:24 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2007-01-16 00:24 42496 --a------ C:\WINDOWS\system32\net.exe
2007-01-16 00:24 419840 --a------ C:\WINDOWS\system32\ntvdm.exe
2007-01-16 00:24 4096 --a------ C:\WINDOWS\system32\nddeapir.exe
2007-01-16 00:24 407552 --a------ C:\WINDOWS\system32\mstsc.exe
2007-01-16 00:24 36864 --a------ C:\WINDOWS\system32\netstat.exe
2007-01-16 00:24 343040 --a------ C:\WINDOWS\system32\mspaint.exe
2007-01-16 00:24 329728 --a------ C:\WINDOWS\system32\netsetup.exe
2007-01-16 00:24 32768 --a------ C:\WINDOWS\system32\odbcad32.exe
2007-01-16 00:24 215552 --a------ C:\WINDOWS\system32\osk.exe
2007-01-16 00:24 208896 --a------ C:\WINDOWS\system32\nvuninst.exe
2007-01-16 00:24 208896 --a------ C:\WINDOWS\system32\nvudisp.exe
2007-01-16 00:24 17920 --a------ C:\WINDOWS\system32\ping.exe
2007-01-16 00:24 1622016 --a------ C:\WINDOWS\system32\nwiz.exe
2007-01-16 00:24 15872 --a------ C:\WINDOWS\system32\perfmon.exe
2007-01-16 00:24 147456 --a------ C:\WINDOWS\system32\nvcolor.exe
2007-01-16 00:24 143360 --a------ C:\WINDOWS\system32\mobsync.exe
2007-01-16 00:24 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2007-01-16 00:24 124928 --a------ C:\WINDOWS\system32\net1.exe
2007-01-16 00:24 123392 --a------ C:\WINDOWS\system32\mplay32.exe
2007-01-16 00:24 122880 --a------ C:\WINDOWS\system32\nx.exe
2007-01-16 00:24 12288 --a------ C:\WINDOWS\system32\mstinit.exe
2007-01-16 00:24 12288 --a------ C:\WINDOWS\system32\msfeedssync.exe
2007-01-16 00:24 111104 --a------ C:\WINDOWS\system32\netdde.exe
2007-01-16 00:23 85504 --a------ C:\WINDOWS\system32\makecab.exe
2007-01-16 00:23 815104 --a------ C:\WINDOWS\system32\mmc.exe
2007-01-16 00:23 75264 --a------ C:\WINDOWS\system32\locator.exe
2007-01-16 00:23 72704 --a------ C:\WINDOWS\system32\magnify.exe
2007-01-16 00:23 59392 --a------ C:\WINDOWS\system32\logman.exe
2007-01-16 00:23 55808 --a------ C:\WINDOWS\system32\ipconfig.exe
2007-01-16 00:23 53248 --a------ C:\WINDOWS\system32\ipv6.exe
2007-01-16 00:23 51712 --a------ C:\WINDOWS\system32\migpwd.exe
2007-01-16 00:23 514560 --a------ C:\WINDOWS\system32\logonui.exe
2007-01-16 00:23 46592 --a------ C:\WINDOWS\system32\dxdllreg.exe
2007-01-16 00:23 45568 --a------ C:\WINDOWS\system32\extrac32.exe
2007-01-16 00:23 425984 --a------ C:\WINDOWS\system32\keystone.exe
2007-01-16 00:23 42496 --a------ C:\WINDOWS\system32\ftp.exe
2007-01-16 00:23 39424 --a------ C:\WINDOWS\system32\grpconv.exe
2007-01-16 00:23 32768 --a------ C:\WINDOWS\system32\mnmsrvc.exe
2007-01-16 00:23 27136 --a------ C:\WINDOWS\system32\findstr.exe
2007-01-16 00:23 23552 --a------ C:\WINDOWS\system32\ipxroute.exe
2007-01-16 00:23 220672 --a------ C:\WINDOWS\system32\logon.scr
2007-01-16 00:23 20992 --a------ C:\WINDOWS\system32\fontview.exe
2007-01-16 00:23 20992 --a------ C:\WINDOWS\system32\faxpatch.exe
2007-01-16 00:23 193024 --a------ C:\WINDOWS\system32\eudcedit.exe
2007-01-16 00:23 180224 --a------ C:\WINDOWS\system32\dwwin.exe
2007-01-16 00:23 172544 --a------ C:\WINDOWS\system32\jview.exe
2007-01-16 00:23 15360 --a------ C:\WINDOWS\system32\jdbgmgr.exe
2007-01-16 00:23 150016 --a------ C:\WINDOWS\system32\imapi.exe
2007-01-16 00:23 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2007-01-16 00:23 1298432 --a------ C:\WINDOWS\system32\dxdiag.exe
2007-01-16 00:23 114688 --a------ C:\WINDOWS\system32\iexpress.exe
2007-01-16 00:22 98304 --a------ C:\WINDOWS\system32\cscript.exe
2007-01-16 00:22 85504 --a------ C:\WINDOWS\system32\diantz.exe
2007-01-16 00:22 83456 --a------ C:\WINDOWS\system32\dpvsetup.exe
2007-01-16 00:22 82432 --a------ C:\WINDOWS\system32\dfrgfat.exe
2007-01-16 00:22 63488 --a------ C:\WINDOWS\system32\cmstp.exe
2007-01-16 00:22 49664 --a------ C:\WINDOWS\system32\clspack.exe
2007-01-16 00:22 47104 --a------ C:\WINDOWS\system32\cmdl32.exe
2007-01-16 00:22 39936 --a------ C:\WINDOWS\system32\cmmon32.exe
2007-01-16 00:22 388608 --a------ C:\WINDOWS\system32\cmd.exe
2007-01-16 00:22 30208 --a------ C:\WINDOWS\system32\dplaysvr.exe
2007-01-16 00:22 30208 --a------ C:\WINDOWS\system32\ddeshare.exe
2007-01-16 00:22 27648 --a------ C:\WINDOWS\system32\conime.exe
2007-01-16 00:22 25088 --a------ C:\WINDOWS\system32\defrag.exe
2007-01-16 00:22 249856 --a------ C:\WINDOWS\system32\drmupgds.exe
2007-01-16 00:22 224768 --a------ C:\WINDOWS\system32\dmadmin.exe
2007-01-16 00:22 18432 --a------ C:\WINDOWS\system32\dpnsvr.exe
2007-01-16 00:22 17920 --a------ C:\WINDOWS\system32\dvdupgrd.exe
2007-01-16 00:22 163840 --a------ C:\WINDOWS\system32\diskpart.exe
2007-01-16 00:22 15872 --a------ C:\WINDOWS\system32\dmremote.exe
2007-01-16 00:22 10752 --a------ C:\WINDOWS\system32\dumprep.exe
2007-01-16 00:21 98304 --a------ C:\WINDOWS\system32\ahui.exe
2007-01-16 00:21 71680 --a------ C:\WINDOWS\system32\blastcln.exe
2007-01-16 00:21 64000 --a------ C:\WINDOWS\system32\cleanmgr.exe
2007-01-16 00:21 5632 --a------ C:\WINDOWS\system32\cisvc.exe
2007-01-16 00:21 454656 --a------ C:\WINDOWS\system32\capabilitytable.exe
2007-01-16 00:21 40960 --a------ C:\WINDOWS\system32\chcfg.exe
2007-01-16 00:21 4096 --a------ C:\WINDOWS\system32\actmovie.exe
2007-01-16 00:21 33280 --a------ C:\WINDOWS\system32\clipsrv.exe
2007-01-16 00:21 25088 --a------ C:\WINDOWS\system32\at.exe
2007-01-16 00:21 20480 --a------ C:\WINDOWS\system32\cliconfg.exe
2007-01-16 00:21 183808 --a------ C:\WINDOWS\system32\accwiz.exe
2007-01-16 00:21 14336 --a------ C:\WINDOWS\system32\auditusr.exe
2007-01-16 00:21 11264 --a------ C:\WINDOWS\system32\atmadm.exe
2007-01-16 00:21 102912 --a------ C:\WINDOWS\system32\clipbrd.exe
Read more here:
http://www.pandasoftware.com/com/virus_info/encyclopedia/overview.aspx?idvirus=18181&sitepanda=empresas
The best route to ensuring that the infection is totally gone is reformatting.
But NOD32 and other virus scanners have been taught how to disinfect.
This is the route that you may want to try, although formatting and starting clean is an alternative.
Let's make sure that you're clean please.
I know you already had Panda installed, but it may have been infected before running.
Can you do the following
Use Internet Explorer and run the online Panda ActiveScan (http://www.pandasoftware.com/products/activescan?NRMODE=Published&NRORIGINALURL=%2factivescan.htm&NRNODEGUID=%7b3B202047-35D4-4DA2-B310-B1DBEC2971F2%7d&NRCACHEHINT=Guest)
* Once you are on the Panda site click the Scan your PC button at the bottom of the page
* A new window will open...click the big Check Now button.
* Enter your Country.
* Enter your State/Province.
* Enter your e-mail address.
* Select either "Home User or Company."
* Click the big Scan Now button.
* Allow the ActiveX component to install and download the files required for the scan. This may take a couple of minutes.
* Click on Local Disks to start the scan.
When the scan is complete
click See Report, then click Save Report and save it to your Desktop.
Post a fresh HijackThis log afterwards and the full report from Panda's please.
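-
What the helper is pointing at in that ComboFix listing is the signature of a file infector: well over a hundred .exe and .scr files under system32 all rewritten between 00:21 and 00:27 on one night, which neither a user nor Windows Update does. The script below, an added example for this thread and not ComboFix's or Panda's own logic, parses that listing format and clusters executable modification times to surface such a burst. The sample listing is constructed: ten lines are copied from the excerpt above, and the two `example_ctrl` lines are made-up older files included for contrast; the ten-minute window and the five-file threshold are my assumptions for the example.

```python
"""Spot the burst of rewritten executables that a file infector leaves behind.

Added example for this thread, not ComboFix's own logic. The listing below is
constructed: ten lines are copied from the ComboFix excerpt quoted above, the two
'example_ctrl' lines are made up as older, untouched files for contrast.
"""
import ntpath
import re
from collections import Counter
from datetime import datetime, timedelta

SAMPLE_LISTING = r"""
2007-01-16 00:27 8704 --a------ C:\WINDOWS\system32\wdfmgr.exe
2007-01-16 00:27 65536 --a------ C:\WINDOWS\system32\wextract.exe
2007-01-16 00:27 24576 --a------ C:\WINDOWS\system32\userinit.exe
2007-01-16 00:26 75776 --a------ C:\WINDOWS\system32\telnet.exe
2007-01-16 00:26 704512 --a------ C:\WINDOWS\system32\ss3dfo.scr
2007-01-16 00:26 135680 --a------ C:\WINDOWS\system32\taskmgr.exe
2007-01-16 00:25 50176 --a------ C:\WINDOWS\system32\reg.exe
2007-01-16 00:24 42496 --a------ C:\WINDOWS\system32\net.exe
2007-01-16 00:22 388608 --a------ C:\WINDOWS\system32\cmd.exe
2007-01-16 00:21 25088 --a------ C:\WINDOWS\system32\at.exe
2006-12-03 09:15 4096 --a------ C:\WINDOWS\system32\example_ctrl.dll
2006-11-20 18:42 20480 --a------ C:\WINDOWS\system32\example_ctrl.exe
"""

# ComboFix prints: date time size attributes path
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<size>\d+)\s+(?P<attrs>\S+)\s+(?P<path>.+)$")
EXECUTABLE_EXT = {".exe", ".scr"}   # the file types Parite.B is described as infecting


def parse_listing(text):
    """Return (timestamp, size, path) tuples for every listing line that parses."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M"),
                            int(m["size"]), m["path"]))
    return entries


def extension_counts(entries):
    """How many files of each extension appear in the listing."""
    return Counter(ntpath.splitext(path)[1].lower() for _, _, path in entries)


def executable_bursts(entries, window=timedelta(minutes=10), min_files=5):
    """Clusters of at least `min_files` .exe/.scr files whose modification times
    all fall within `window` of the first one. A user or Windows Update does not
    normally rewrite dozens of unrelated system32 programs in a few minutes; a
    file infector does. Returns (first time, last time, [paths])."""
    execs = sorted(e for e in entries if ntpath.splitext(e[2])[1].lower() in EXECUTABLE_EXT)
    bursts, i = [], 0
    while i < len(execs):
        j = i
        while j + 1 < len(execs) and execs[j + 1][0] - execs[i][0] <= window:
            j += 1
        if j - i + 1 >= min_files:
            bursts.append((execs[i][0], execs[j][0], [e[2] for e in execs[i:j + 1]]))
            i = j + 1
        else:
            i += 1
    return bursts


if __name__ == "__main__":
    entries = parse_listing(SAMPLE_LISTING)
    print("files by extension:", dict(extension_counts(entries)))
    for first, last, paths in executable_bursts(entries):
        print(f"{len(paths)} executables rewritten between {first:%H:%M} and {last:%H:%M}:")
        for p in paths:
            print("  ", p)
```

Feed it the whole listing from the post and the single burst it reports is the same set of files the helper pasted; a listing where only a few executables changed on scattered dates reports nothing. Whether each flagged file is still infected is for the scanner to decide, which is why the post still asks for a fresh scan afterwards.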
-
Logfile of HijackThis v1.99.1
Scan saved at 7:03:03 AM, on 1/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\program files\steam\steam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MMTaskbar\MultiMon.exe
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Excursion9.5\mIRC.ExCurSioN.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://localhost:3476/cgi-bin/ncgir.exe?menu/fwl_index.html
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Internet Sweeper] C:\WINDOWS\SYSTEM32\SWEEPER.EXE /Q
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: MultiMon Taskbar.lnk = C:\Program Files\MMTaskbar\MultiMon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159461737484
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159463988281
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
-
Here's what the ActiveScan said. It also said you had to pay to disinfect:
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jtt4h8oq.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jtt4h8oq.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jtt4h8oq.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\ep0xy\Application Data\Mozilla\Firefox\Profiles\7o8920gh.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\ep0xy\Application Data\Mozilla\Firefox\Profiles\7o8920gh.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\ep0xy\Application Data\Mozilla\Firefox\Profiles\7o8920gh.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\ep0xy\Application Data\Mozilla\Firefox\Profiles\7o8920gh.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\ep0xy\Application Data\Mozilla\Firefox\Profiles\7o8920gh.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\ep0xy\Application Data\Mozilla\Firefox\Profiles\7o8920gh.default\cookies.txt[.com.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\ep0xy\Application Data\Mozilla\Firefox\Profiles\7o8920gh.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\ep0xy\Application Data\Mozilla\Firefox\Profiles\7o8920gh.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\ep0xy\Application Data\Mozilla\Firefox\Profiles\7o8920gh.default\cookies.txt[.advertising.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\ep0xy\Application Data\Mozilla\Firefox\Profiles\7o8920gh.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\ep0xy\Application Data\Mozilla\Firefox\Profiles\7o8920gh.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Coremetrics Not disinfected C:\Documents and Settings\ep0xy\Application Data\Mozilla\Firefox\Profiles\7o8920gh.default\cookies.txt[data.coremetrics.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\ep0xy\Application Data\Mozilla\Firefox\Profiles\7o8920gh.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\ep0xy\Application Data\Mozilla\Firefox\Profiles\7o8920gh.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\ep0xy\Application Data\Mozilla\Firefox\Profiles\7o8920gh.default\cookies.txt[.2o7.net/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\ep0xy\Application Data\Mozilla\Firefox\Profiles\7o8920gh.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\ep0xy\Application Data\Mozilla\Firefox\Profiles\7o8920gh.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\ep0xy\Application Data\Mozilla\Firefox\Profiles\7o8920gh.default\cookies.txt[.adtech.de/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\ep0xy\Cookies\ep0xy@atwola[1].txt
Potentially unwanted tool:Application/MotherboardMonitor.A
-
Don't worry about Panda.
It only identified some cookies, this looks very promising :)
One last step if you could epOxy
Do you have other computers sharing this Network?
If so, including this computer
Can you do the following
Download >> save then unzip to desktop f-parite.zip (ftp://ftp.f-secure.com/anti-virus/tools/f-parite.zip) from F-Secure
Do this on each computer in the household
After unzipping to desktop
Disconnect from the Net, close all unnecessary running programs
Double click on f-parite.com
It will scan your drives for infected files, if any are found it will proceed with disinfection
Reboot the computer when it's done
Let me know what it finds, if anything
-
None found, seems OK, still a little wary something's lurking around. When I scan with AVG there are some files it can't open, it says locked.
Some are System Restore files.
Also, what is "O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll"?
That appears a ton in the HijackThis log. What is the unknown file in my Winsock LSP: c:\windows\system32\nvappfilter.dll?
Also, what bit defender do you use?
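The repeated O10 lines asked about above are one reason a small triage script helps when reading a HijackThis log by hand. The following Python is an added example, not code from this thread, from HijackThis or from any of the products named in it. It splits a log into (section, body) entries, counts how many LSP catalog entries each O10 file occupies (the log prints one O10 line per catalog entry, so one DLL shows up many times), flags O4 Run entries whose program is given as a bare file name that Windows resolves through the search path, and lists O23 services whose binary is reported missing. The sample log is a handful of lines copied from the HijackThis log posted earlier in the thread; the function names and the three checks are the example's own choices.

```python
import re
from collections import Counter

# Constructed sample input: a few lines copied from the HijackThis v1.99.1 log
# posted earlier in this thread (the O10 line is repeated just as the log shows it).
SAMPLE_LOG = r"""
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [Internet Sweeper] C:\WINDOWS\SYSTEM32\SWEEPER.EXE /Q
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# "O4 - HKLM\..\Run: [name] command" -> section "O4", body "HKLM\..\Run: [name] command"
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
# Registry Run entries inside an O4 body (Startup-folder O4 lines do not match and are skipped)
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


def parse_hjt(text):
    """Return (section, body) pairs for every HijackThis entry line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def lsp_counts(entries):
    """Count O10 (Winsock LSP) entries per DLL.

    HijackThis writes one O10 line per LSP catalog entry, so a single DLL
    hooking many protocol entries appears many times; the count, not the
    repetition, is the useful number."""
    counts = Counter()
    for section, body in entries:
        if section == "O10":
            _, _, path = body.partition("Winsock LSP: ")
            counts[path.strip().lower()] += 1
    return counts


def _executable_of(cmd):
    """Pull the program (or the DLL handed to rundll32) out of a Run command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path: "C:\x y\z.exe" args
        return cmd[1:].split('"', 1)[0]
    tokens = cmd.split()
    exe = tokens[0]
    if exe.lower() in ("rundll32", "rundll32.exe") and len(tokens) > 1:
        exe = tokens[1].split(",")[0].strip('"')  # the module rundll32 loads
    return exe


def autoruns_with_bare_command(entries):
    """O4 Run entries whose program is given as a bare file name.

    A name with no directory is resolved through the search path at logon,
    so the entry alone does not tell you which file actually runs; worth
    checking by hand during triage, although it is often legitimate."""
    flagged = []
    for section, body in entries:
        if section != "O4":
            continue
        m = RUN_RE.match(body)
        if not m:
            continue
        exe = _executable_of(m.group("cmd"))
        if "\\" not in exe and ":" not in exe:
            flagged.append((m.group("name"), m.group("cmd")))
    return flagged


def services_with_missing_file(entries):
    """O23 services whose binary HijackThis could not find on disk."""
    return [body for section, body in entries
            if section == "O23" and body.endswith("(file missing)")]


def triage(text):
    """Run all three checks over one log and return a small report dict."""
    entries = parse_hjt(text)
    return {
        "entries": len(entries),
        "lsp": lsp_counts(entries),
        "bare_autoruns": autoruns_with_bare_command(entries),
        "missing_services": services_with_missing_file(entries),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"{report['entries']} entries parsed")
    for path, n in report["lsp"].items():
        print(f"LSP {path}: {n} catalog entries")
    for name, cmd in report["bare_autoruns"]:
        print(f"bare autorun [{name}] {cmd}")
    for svc in report["missing_services"]:
        print(f"missing service binary: {svc}")
```

On the sample above the script reports the single LSP DLL with a count of 3, flags the SoundMan and P17Helper entries as bare names, and lists the ForcewareWebInterface service as missing its binary. None of those three findings is a verdict on its own; they are the lines to look at first, which on this log match what the helper in the thread treated as benign.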
-
Just downloaded avast! It's funny, each program I downloaded found stuff. I guess every restore file had Parite on it, and avast! found like a hundred files; in fact it was every restore point. It also found win32/mopy and win32/ctx and win32/agent-byb.
-
Stick with one AntiVirus software.
Do the following also:
We should flush all your restore points as they may be infected. Go to START>>RUN>>In the open field
Type in
msconfig
Click OK
Click the "Launch System Restore" button
On the left hand side click on "System Restore Settings"
Put a check in "Turn off System Restore"
Apply it and OK out of there>>Reboot your computer
Back in Windows, go back and take the check out of "Turn off System Restore"
This will re-enable the System Restore feature
No need to reboot afterwards
Then run a scan with your AV and let me know how it goes
-
Hey p0x, this is why God gives us two ears. And I hate to say I told you so. "Don't download any gaming movies." "Don't download anything off of mIRC." Maybe you'll learn to listen to your friends once in a while.
All after you said you didn't have any spyware or antivirus protection and you didn't need all that crap.
L
O
L
Well, now that you have some protection I'll say it again. Still do NOT download anything off those gaming sites, i.e. movies, demos etc. They're probably made by the same people that make hacks. I heard that's how they steal accounts too.
hmmmm? Interesting
-
OK, a couple of things: urugrey6/7/8 has been found in Temporary Internet Files, found by my NOD32. What is it? What does it do?
Also, my monitor: when an internet page is open full screen it puts my monitor to sleep (flashing orange light); when the page is smaller it's fine and doesn't go into sleep mode. This is a new problem.