simfrad yet again x.x



Azraile
2007-05-21, 09:10
Yeah, I got it too....

I managed to get rid of some of it, but the core won't go away.... The two core files in the drivers will not be deleted... it says they're in use, and I don't know how to get rid of them while they are still in use.

Azraile
2007-05-21, 09:50
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 3:03:14 AM, on 5/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\1165726069\ee\AOLSoftware.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\{F8C8453C-0446-1033-0606-030807030001}\Update.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\Jason1\Desktop\VundoFix.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jason1\Desktop\scanner.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1165726069\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Policies\Explorer\Run: [{F8C8453C-0446-1033-0606-030807030001}] "C:\Program Files\Common Files\{F8C8453C-0446-1033-0606-030807030001}\Update.exe" mc-110-12-0000137
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{F8C8453C-0446-1033-0606-030807030001}] "C:\Program Files\Common Files\{F8C8453C-0446-1033-0606-030807030001}\Update.exe" mc-110-12-0000137 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{F8C8453C-0446-1033-0606-030807030001}] "C:\Program Files\Common Files\{F8C8453C-0446-1033-0606-030807030001}\Update.exe" mc-110-12-0000137 (User 'Default user')
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} (BL_Camera) - http://camera.altaica.org/bl_camera.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 6968 bytes

miekiemoes
2007-05-21, 14:35
Hello,

You are dealing with a lot more malware than only the "core" files you are talking about. Actually, that doesn't surprise me since I notice that you do not seem to be running Antivirus software and a Firewall. This is somewhat suicidal in today's digital world.
That's why I want you to install them first!!

Avira (http://www.free-av.com/), AVG (http://free.grisoft.com/freeweb.php/doc/2/) OR Active Virus Shield (http://www.activevirusshield.com/antivirus/freeav/index.adp) (uncheck the Security Toolbar during install) are good FREE antivirus programs.
Never install more than one antivirus scanner or firewall on your system! Several together can give problems and seriously decrease its reliability!
Comodo (http://www.personalfirewall.comodo.com/) OR Kerio (http://www.sunbelt-software.com/Kerio.cfm) are FREE firewalls.

Understanding and using firewalls (http://www.bleepingcomputer.com/forums/index.php?showtutorial=60)

Reboot your computer afterwards.
After reboot, perform a full scan with your Antivirus and let it remove anything it is finding. Then reboot once again in order to delete files that were in use previously.

Post a new HijackThis log in your next reply - then we'll start from there, because otherwise it really makes no sense for us to clean this up manually if an antivirus scanner, which should be able to deal with most of it and prevent further reinfection, is not present.

Azraile
2007-05-22, 19:57
lol

wow

3000~5000 viruses

o.o

Like each one a rar file with the name of some movie, program, game etc.... hidden away in a folder that the computer thinks doesn't exist (I have it set so I can see EVERY file and folder, and that one just wouldn't show up unless I typed it in manually, and then it showed as empty even though it wasn't...)

And 20 or so malware..... including the source of the trouble, still around: a hacked version of LimeWire.

Azraile
2007-05-22, 20:02
I think I got it all fixed, not sure... turned off System Restore... got a really really good antivirus.. the new one from the new company that used to be eTrust, which I used and loved... now it's CA something or other....

Manually deleted the core while I was in Safe Mode and ran all the anti-virus and anti-spyware I had.

miekiemoes
2007-05-22, 20:03
Do you understand now why it is so important to have an Antivirus present?

Anyway, let it remove everything it is finding.

Then reboot and after reboot, post a new HijackThis log, then we'll deal with the rest.

Azraile
2007-05-22, 20:19
Well, I used to have the EZ Firewall... once I get some money I'll buy this CA security and optimization package.

Azraile
2007-05-22, 20:24
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:23:50 PM, on 5/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Common Files\AOL\1165726069\ee\AOLSoftware.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.8.0\QOELoader.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\AOL 9.0\waol.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\Jason1\Desktop\scanner.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\World of Warcraft\WoW.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1165726069\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.8.0\QOELoader.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.0\AOL.EXE" -b
O4 - HKCU\..\Policies\Explorer\Run: [{F8C8453C-0446-1033-0606-030807030001}] "C:\Program Files\Common Files\{F8C8453C-0446-1033-0606-030807030001}\Update.exe" mc-110-12-0000137
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{F8C8453C-0446-1033-0606-030807030001}] "C:\Program Files\Common Files\{F8C8453C-0446-1033-0606-030807030001}\Update.exe" mc-110-12-0000137 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{F8C8453C-0446-1033-0606-030807030001}] "C:\Program Files\Common Files\{F8C8453C-0446-1033-0606-030807030001}\Update.exe" mc-110-12-0000137 (User 'Default user')
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} (BL_Camera) - http://camera.altaica.org/bl_camera.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: CaCCProvSP - Unknown owner - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9686 bytes

Azraile
2007-05-22, 20:24
lol I got way too many running processes... lol but no clue what is critical and what isn't.

miekiemoes
2007-05-22, 20:36
All the extra processes are from your CA Internet Security Suite. A bit bloated imho, but you're not supposed to disable them, since you won't be protected anymore then.
Did you purchase it? Or is it a trial? Because keep in mind, once the trial expires, it won't be able to update anymore/work anymore - leaving your system unprotected.

Let's deal with the rest now..

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
O4 - HKCU\..\Policies\Explorer\Run: [{F8C8453C-0446-1033-0606-030807030001}] "C:\Program Files\Common Files\{F8C8453C-0446-1033-0606-030807030001}\Update.exe" mc-110-12-0000137
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{F8C8453C-0446-1033-0606-030807030001}] "C:\Program Files\Common Files\{F8C8453C-0446-1033-0606-030807030001}\Update.exe" mc-110-12-0000137 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{F8C8453C-0446-1033-0606-030807030001}] "C:\Program Files\Common Files\{F8C8453C-0446-1033-0606-030807030001}\Update.exe" mc-110-12-0000137 (User 'Default user')
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java: Download the latest version of Java Runtime Environment (JRE) 6u1 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "Java Runtime Environment (JRE) 6u1".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation, Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
- Examples of older versions in Add or Remove Programs:
  Java 2 Runtime Environment, SE v1.4.2
  J2SE Runtime Environment 5.0
  J2SE Runtime Environment 5.0 Update 6
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
Let me know in your next reply how things are now.
Keep in mind, since you installed CA and so many different related processes are running, it may slow down your system a bit more - this is normal.
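As an added example (not from this thread, the helper, or HijackThis itself), here is a small Python triage script that parses HijackThis-format lines and applies the kinds of checks the helper did by hand above: dangling "(file missing)" entries, autoruns under Policies\Explorer\Run, a service binary whose name imitates a Windows system process (the svchosts.exe service in the first log), and an IE Local Page that is not the stock one. The rules, the list of imitated system names, and the assumption that IE's default Local Page is blank.htm are my heuristics, not HijackThis's logic; the sample lines are copied from the logs posted in this thread.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the HijackThis logs posted in this
# thread (the helper asked to fix the R0, O4 and O9 lines; the svchosts.exe
# service appeared in the first log), plus two normal NVIDIA entries.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Policies\Explorer\Run: [{F8C8453C-0446-1033-0606-030807030001}] "C:\Program Files\Common Files\{F8C8453C-0446-1033-0606-030807030001}\Update.exe" mc-110-12-0000137
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Stems of core Windows processes whose names are often imitated (my own list).
SYSTEM_STEMS = {"svchost", "lsass", "csrss", "winlogon", "services", "smss", "explorer"}

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
# First drive-letter path ending in .exe/.dll; tolerates spaces in the path.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(path: str):
    """Return the system stem a binary name imitates, or None if exact or unrelated."""
    base = path.rsplit("\\", 1)[-1].lower()
    stem = base.rsplit(".", 1)[0]
    if stem in SYSTEM_STEMS:
        return None  # the genuine name itself is not suspicious here
    for known in SYSTEM_STEMS:
        if edit_distance(stem, known) == 1:
            return known
    return None


def check_line(line: str):
    """Apply the triage rules to one HijackThis line; None when nothing is flagged."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    reasons = []
    if "(file missing)" in body:
        reasons.append("referenced file is gone; dangling entry")
    if sec == "O4" and "Policies\\Explorer\\Run" in body:
        reasons.append("autorun under Policies\\Explorer\\Run (uncommon for legitimate software)")
    # Assumption: IE's stock Local Page is %SystemRoot%\system32\blank.htm.
    if sec in ("R0", "R1") and "Local Page" in body and not body.lower().endswith("blank.htm"):
        reasons.append("IE Local Page points away from the default blank.htm")
    pm = PATH_RE.search(body)
    if pm:
        known = lookalike_of(pm.group(0))
        if known:
            reasons.append(f"binary name imitates {known}.exe")
    return Finding(line.strip(), reasons) if reasons else None


def triage(log_text: str):
    """Return a Finding for every flagged line, in log order."""
    return [f for f in (check_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line[:70], "...")
        for r in f.reasons:
            print("   -", r)
```

On the sample the two NVIDIA lines pass, and the svchosts.exe service is flagged twice: the file is missing and the name is one character off a real system process.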

Azraile
2007-05-23, 05:49
Yeah, I'm thinking this CA stuff is a bit too much for this computer... it is REALLY slowing it down at load-up... and it is slower in general... but at start-up.... GOOD LORD....

Azraile
2007-05-23, 06:09
I'll work on that...


Would you happen to know how I can get an update for my video driver...

Windows Update won't fix it because it says someone else has a copy of my Windows running..... and their company page doesn't seem to have drivers for it that I could find.

It's an NVIDIA GeForce FX 5200.

Yeah, I know NVIDIA sucks... but that's not the only thing the person that built my computer screwed us over with.....

But getting the church's guy to build it was the only way I could get help paying for it...... because they wouldn't trust anyone else... bah... at least they learned their lesson that just because someone goes to your church doesn't mean they won't @^@#$@ you over....

miekiemoes
2007-05-23, 07:46
You have to understand that I cannot help you with the non-genuine version of Windows and the fact that you cannot install updates from there. I don't know what updates you need, but you can check the nvidia site.

Azraile
2007-05-23, 21:28
I know... I'm going to keep it till I get a new computer....

I TRIED to fix it before I knew that you can't get a computer without getting the latest version of Windows because they made deals with all the PC motherboard makers x.x

blarge...

But I spent 90 bucks on a new key.... and it turned out to be an update key, which the Windows people said they can't do anything about.... and that if I try and sell/trade/whatever now that it's open they would sue me o.o Apparently it's rather against everyone's agreements to do anything once the box is open to get the key.....

I don't have the money for that; I'm working hard to save up the money for a new computer x.x


But in the meantime these random crashes from driver failures are really annoying me.

If you know anyone that could find the latest driver for that card it would really help.

Azraile
2007-05-23, 21:30
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 3:29:20 PM, on 5/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\Common Files\AOL\1165726069\ee\AOLSoftware.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Jason1\Desktop\scanner.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.8.0\QOELoader.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1165726069\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.8.0\QOELoader.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.0\AOL.EXE" -b
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} (BL_Camera) - http://camera.altaica.org/bl_camera.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: CaCCProvSP - Unknown owner - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8704 bytes

miekiemoes
2007-05-23, 21:48
if you know anyone that could find the latest driver for that card it would really help
As I already said in my previous post... already checked the nvidia site?
http://www.nvidia.com/content/drivers/drivers.asp

But let's deal with next first before you download/update any drivers..

By the way, the bloated CA Internet Security Suite may well be causing the driver issues itself (especially the HIPS feature), since it's known to have quite a lot of compatibility issues with some software/hardware.
And since you are really suffering from a huge slowdown since you installed CA, I would consider another antivirus imho - for example Avira, which is free and great in detection.

Anyway, as a final checkup for malware, do the following, please:
* Download Combofix (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your desktop.
Double-click combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
No need to post a new HijackThis log.

Azraile
2007-05-24, 06:16
crud... I downloaded the new driver, getting rid of the old ones as it said to....

now things are worse.... windows don't scroll smoothly and I can't run World of Warcraft..... and I still had a driver failure

And my other programs that need 3D rendering say the new video driver is out of date or no longer supported x.x

and WoW says this:


This application has encountered a critical error:

ERROR #132 (0x85100084) Fatal Exception
Program: C:\Program Files\World of Warcraft\WoW.exe
Exception: 0xC0000005 (ACCESS_VIOLATION) at 001B:0060056F

The instruction at "0x0060056F" referenced memory at "0x00000054".
The memory could not be "read".


WoWBuild: 6692
---------------------------------------------


x.x

:thud:

miekiemoes
2007-05-24, 07:24
As I said in my previous post...

You had to perform my steps first before downloading/updating drivers :sad:


But let's deal with next first before you download/update any drivers..
I told you this for a reason.

Looks like your Nvidia drivers got totally corrupted now.
You have to uninstall your drivers again and reinstall them from the CD you have with your drivers on.

Azraile
2007-05-24, 07:39
the guy didn't give me any CDs for drivers x.x

miekiemoes
2007-05-24, 08:09
That's a pity. That's why, if you decide to use pirated versions of XP, no cds, no recovery cds, nothing, then, when something goes bad, you're not even able to fix it since you don't have the cds.

Then get the right drivers from the Nvidia website... or contact Nvidia.
But make sure you uninstall the corrupted drivers first.

Azraile
2007-05-24, 08:17
"Jason1" - 2007-05-24 1:49:03 Service Pack 2
ComboFix 07-05.24.4.V - Running from: "C:\Documents and Settings\Jason1\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


"C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe"
"C:\Program Files\Common Files\Yazzle1396OinUninstaller.exe"
"C:\Program Files\Common Files\{38C84~1\Bar888.dll"
"C:\Program Files\Common Files\{38C84~1\UnInstall.exe"
"C:\Program Files\Common Files\{F8C84~1\Update.exe.lzma"
"C:\Temp\tn3"
"C:\Program Files\Common Files\{38C84~1"
"C:\Program Files\Common Files\{F8C84~1"

Purity Folders:

C:\WINDOWS\system32\MBOLS~1
C:\Program Files\Common Files\CROSOF~1
C:\Program Files\WNSXS~1
C:\DOCUME~1\Jason1\APPLIC~1\STEM~1



((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\LEGACY_NETWORK_MONITOR
-------\core


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-24 ))))))))))))))))))))))))))))))))))


2007-05-24 01:17 208,896 --a------ C:\WINDOWS\system32\nvudisp.exe
2007-05-24 01:17 <DIR> d-------- C:\WINDOWS\nview
2007-05-24 01:10 <DIR> d-------- C:\DOCUME~1\Jason1\APPLIC~1\VersionTracker Pro
2007-05-24 00:55 28,160 -ra------ C:\WINDOWS\system32\nvmdcoi.dll
2007-05-24 00:55 20,224 -ra------ C:\WINDOWS\system32\drivers\nvidesm.sys
2007-05-23 23:33 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2007-05-22 13:55 <DIR> d-------- C:\d0306f02d7d2751ab2
2007-05-22 05:37 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-05-21 07:29 630,464 --a------ C:\WINDOWS\system32\drivers\vetefile.sys
2007-05-21 07:29 108,656 --a------ C:\WINDOWS\system32\drivers\veteboot.sys
2007-05-21 07:22 99,904 --a------ C:\WINDOWS\system32\isafeif.dll
2007-05-21 07:22 79,424 --a------ C:\WINDOWS\system32\vetredir.dll
2007-05-21 07:22 75,280 --a------ C:\WINDOWS\system32\isafprod.dll
2007-05-21 07:22 32,528 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2007-05-21 07:22 26,640 --a------ C:\WINDOWS\system32\drivers\vet-filt.sys
2007-05-21 07:22 21,648 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
2007-05-21 07:22 21,392 --a------ C:\WINDOWS\system32\drivers\vet-rec.sys
2007-05-21 07:21 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-05-21 07:21 <DIR> d-------- C:\Program Files\CA
2007-05-21 07:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\CA
2007-05-21 02:51 <DIR> d-------- C:\VundoFix Backups
2007-05-20 00:28 <DIR> d-------- C:\Program Files\Yahoo! Games
2007-05-15 16:31 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-04-30 18:39 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-04-28 23:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-04-28 13:40 <DIR> d-------- C:\WINDOWS\qqir
2007-04-28 13:40 <DIR> d-------- C:\Program Files\Common Files\qqir
2007-04-28 13:03 <DIR> d--hs---- C:\WINDOWS\SmFzb24
2007-04-28 12:42 167 --a------ C:\WINDOWS\system32\5665.bat
2007-04-28 12:41 94,021 --a------ C:\WINDOWS\system32\app.exe
2007-04-28 12:41 32,768 --a------ C:\WINDOWS\system32\setup9x.exe
2007-04-28 12:41 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-24 05:36:01 1,324 ----a-w C:\WINDOWS\system32\d3d9caps.dat
2007-05-24 03:56:21 -------- d-----w C:\Program Files\Trillian
2007-05-22 16:41:42 -------- d-----w C:\Program Files\World of Warcraft
2007-05-22 04:29:54 -------- d-----w C:\DOCUME~1\Jason1\APPLIC~1\U3
2007-05-22 02:17:09 1,100 ----a-w C:\WINDOWS\system32\d3d8caps.dat
2007-05-21 09:43:35 -------- d-----w C:\Program Files\Call of Duty Game of the Year Edition
2007-05-21 09:43:18 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-04 18:10:28 256,784 ----a-w C:\WINDOWS\system32\UmxSbxw.dll
2007-04-04 18:10:28 120,080 ----a-w C:\WINDOWS\system32\drivers\KmxCF.sys
2007-04-04 18:10:28 117,520 ----a-w C:\WINDOWS\system32\UmxSbxExw.dll
2007-03-27 14:32:10 93,968 ----a-w C:\WINDOWS\system32\drivers\KmxStart.sys
2007-03-27 14:32:10 116,496 ----a-w C:\WINDOWS\system32\drivers\KmxFw.sys
2007-03-26 19:48:41 -------- d-----w C:\Program Files\Musicmatch
2007-03-26 19:47:57 -------- d-----w C:\DOCUME~1\Jason1\APPLIC~1\Musicmatch
2007-03-26 06:36:28 -------- d--h--r C:\DOCUME~1\Jason1\APPLIC~1\SecuROM
2007-03-26 06:36:27 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-03-26 06:34:12 -------- d-----w C:\Program Files\Jade Empire
2007-03-26 06:29:57 82,774 ----a-w C:\WINDOWS\Uninstall Jade Empire.exe
2007-03-23 10:07:56 1,683,280 ------w C:\WINDOWS\system32\XpsSvcs.dll
2007-03-23 10:07:54 583,504 ------w C:\WINDOWS\system32\XPSSHHDR.dll
2007-03-23 00:25:02 124,928 ------w C:\WINDOWS\system32\prntvpt.dll
2007-03-21 22:57:32 61,960 ----a-w C:\WINDOWS\system32\drivers\KmxAgent.sys
2007-03-21 20:31:20 63,496 ----a-w C:\WINDOWS\system32\drivers\KmxSbx.sys
2007-03-19 23:06:12 89,096 ----a-w C:\WINDOWS\system32\drivers\KmxCfg.sys
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-16 08:39:30 45,064 ----a-w C:\WINDOWS\system32\drivers\KmxFile.sys
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-06 16:27:46 -------- d-----w C:\Program Files\Ubisoft
2007-03-06 16:27:27 1 -c--a-w C:\WINDOWS\system32\SI.bin
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 15:17]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}=C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll [2005-07-22 18:01]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{B56A7D7D-6927-48C8-A975-17DF180C71AC}=C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll [2005-04-15 18:01]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50]
"HostManager"="C:\Program Files\Common Files\AOL\1165726069\ee\AOLSoftware.exe" [2006-09-25 20:52]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-12-26 22:06]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-05-21 07:28]
"QOELOADER"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.8.0\QOELoader.exe" [2007-05-21 07:22]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-05-21 07:28]
"cafwc"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2007-05-21 07:28]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2007-05-21 07:28]
"@"="" []
"capfupgrade"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2007-05-21 07:28]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"Cmaudio"="cmicnfg.cpl" []
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2005-02-01 10:55]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
UmxWnp.Dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
"WhenUSave"="C:\Program Files\Save\Save.exe"
"AOL Fast Start"="C:\Program Files\AOL 9.0\AOL.EXE" -b
"PowerBar"=
"Dpho"="C:\PROGRA~1\COMMON~1\MANTEC~1\spoolsv.exe" -vt ndrv
"Mjg"="C:\Documents and Settings\Jason1\Application Data\??stem\l?gonui.exe"
"qqir"=C:\PROGRA~1\COMMON~1\qqir\qqirm.exe
"Owkcgim"="C:\Program Files\Common Files\??crosoft\r?ndll.exe"
"Jrv"=C:\WINDOWS\system32\??mbols\j?vaw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MimBoot"=C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
"nwiz"=nwiz.exe /install
"InCD"=C:\Program Files\Ahead\InCD\InCD.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\autorun.exe -auto

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9679b442-4fdf-11d9-82a1-806d6172696f}]
AutoRun\command- D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f34450c8-87a9-11db-9a0d-806d6172696f}]
AutoRun\command- E:\Autorun.exe



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070523-001234-804
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)


backup-20070523-001234-772
O4 - HKCU\..\Policies\Explorer\Run: [{F8C8453C-0446-1033-0606-030807030001}] "C:\Program Files\Common Files\{F8C8453C-0446-1033-0606-030807030001}\Update.exe" mc-110-12-0000137

backup-20070523-001234-535
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm

backup-20070523-001234-982
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{F8C8453C-0446-1033-0606-030807030001}] "C:\Program Files\Common Files\{F8C8453C-0446-1033-0606-030807030001}\Update.exe" mc-110-12-0000137 (User 'Default user')

backup-20070523-001234-167
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{F8C8453C-0446-1033-0606-030807030001}] "C:\Program Files\Common Files\{F8C8453C-0446-1033-0606-030807030001}\Update.exe" mc-110-12-0000137 (User 'SYSTEM')
Contents of the 'Scheduled Tasks' folder
2007-05-21 11:22:02 C:\WINDOWS\tasks\CAAntiSpywareScan_Daily as Jason1 at 7 22 AM.job

********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-24 02:01:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-24 2:13:17 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-24 02:13

--- E O F ---

Azraile
2007-05-24, 08:21
I didn't decide to use pirated software

the guy from church that made my computer apparently did...

and some stuff I don't even know what the heck it is

I have a CyberLink multimedia and CPU-Z application CPUID file in a cpu-z-126 folder o.O

no clue what that is about

z.z he also wired the computer completely wrong and had a bad old short-circuiting power supply in it

Azraile
2007-05-24, 08:40
ok I removed the drivers and put them back and they still don't work

Azraile
2007-05-24, 08:46
could be it's only running an older version...

I try to run the newest driver and it just says:

The NVIDA setup program could not locate any drivers that are compatible with your current hardware. Setup will now exit.

miekiemoes
2007-05-24, 13:18
Apparently you downloaded and tried to install the wrong nvidia drivers.
What I suggest is: register at the nvidia forums and explain your problem there, because they know perfectly how to deal with these issues:
http://forums.nvidia.com/

As a side note, if I were you and wanted to reinstall/uninstall drivers, I would temporarily uninstall your CA Internet Security. Because, as I already explained previously, some related CA components may interfere with installing drivers.

Anyway, let's deal with the rest of the malware now..

Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Please hide your hidden files and folders afterwards again, when we are done with this thread and your problems are solved, because above instructions to set your system to show all files, unhide legit files and folders as well.
And I don't want you to delete them because they may look suspicious. To hide them again, just perform the above instructions in the opposite way.

Delete next files and folders:

C:\Qoobox <= folder
C:\VundoFix Backups <== folder
C:\WINDOWS\qqir <== folder
C:\Program Files\Common Files\qqir <== folder
C:\WINDOWS\SmFzb24 <== folder
C:\WINDOWS\system32\5665.bat
C:\WINDOWS\system32\app.exe
C:\WINDOWS\system32\setup9x.exe
C:\WINDOWS\system32\vbzip10.dll

Then open Notepad and copy and paste the text in the quotebox below into it:
(don't forget to copy and paste REGEDIT4)


REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"WhenUSave"=-
"PowerBar"=-
"Dpho"=-
"Mjg"=-
"qqir"=-
"Owkcgim"=-
"Jrv"=-

Save this as fix.reg. Choose to save as *all files* and place it on your desktop.
It should look like this: http://users.telenet.be/bluepatchy/miekiemoes/images/reg.gif
Double-click on it and when it asks you if you want to merge the contents to the registry, click yes/ok.
(In case you are unsure how to create a reg file, take a look here (http://www.nellie2.co.uk/file.htm#How_to_Make_a_.Reg_File_) with screenshots.)


Also, the guy from church who sold you the computer - you really have to ask him for the cds though, because after all, you paid for it and you didn't get any necessary cds :(


I have a CyberLink multimedia and CPU-Z application CPUID file in a cpu-z-126 folder o.O

no clue what that is about
It's related to this: http://www.cpuid.com/cpuz.php :)
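One way to get from the ComboFix log to the fix.reg posted above, as an added example for this thread (not code from ComboFix, HijackThis or the helper): it parses the run- section quoted from the ComboFix log earlier in the thread, flags each value by the traits the helper acted on (a path with '?' look-alike characters, an empty value, a Windows system binary name outside system32, and a small denylist built from the adware names found in this thread), and renders the REGEDIT4 stub that deletes exactly those values. The SYSTEM_BINARIES set and the KNOWN_BAD denylist are constructed assumptions for the demo, not a general signature set.

```python
"""Triage 'run-' autostart entries from a ComboFix 'Reg Loading Points' dump.

Added example for this thread, not code from ComboFix, HijackThis or the
helper: parse the [KEY] / "Name"=value listing ComboFix prints, flag entries
by a few simple traits, and emit the REGEDIT4 stub ("Name"=-) removing them.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the run- section copied from the ComboFix log earlier
# in the thread. ComboFix renders unprintable Unicode path characters as '?'.
SAMPLE = r'''[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
"WhenUSave"="C:\Program Files\Save\Save.exe"
"AOL Fast Start"="C:\Program Files\AOL 9.0\AOL.EXE" -b
"PowerBar"=
"Dpho"="C:\PROGRA~1\COMMON~1\MANTEC~1\spoolsv.exe" -vt ndrv
"Mjg"="C:\Documents and Settings\Jason1\Application Data\??stem\l?gonui.exe"
"qqir"=C:\PROGRA~1\COMMON~1\qqir\qqirm.exe
"Owkcgim"="C:\Program Files\Common Files\??crosoft\r?ndll.exe"
"Jrv"=C:\WINDOWS\system32\??mbols\j?vaw.exe
'''

# Windows binaries that belong only in %SystemRoot%\system32; a copy anywhere
# else (the spoolsv.exe under Common Files above) is a classic decoy.
# Assumed list for the demo.
SYSTEM_BINARIES = {"spoolsv.exe", "svchost.exe", "rundll32.exe", "logonui.exe",
                   "javaw.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
# Names the helper identified as adware in this thread; a constructed denylist.
KNOWN_BAD = {"whenusave", "qqir"}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_sections(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each [KEY] header to its list of (value name, raw value) pairs."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            sections[current] = []
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            sections[current].append((val.group(1), val.group(2).strip()))
    return sections


def command_path(value: str) -> str:
    """Extract the executable path from '"C:\\dir\\app.exe" -arg', 'C:\\dir\\app.exe -arg' or ''."""
    value = value.strip()
    if not value:
        return ""
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split(" ", 1)[0]


def triage(name: str, value: str) -> List[str]:
    """Return the reasons (possibly none) why this autostart entry looks bad."""
    reasons: List[str] = []
    path = command_path(value)
    if not path:
        reasons.append("empty value, nothing legitimate to launch")
    if "?" in path or any(ord(c) > 127 for c in path):
        reasons.append("unprintable/look-alike characters in path")
    parent, _, base = path.rpartition("\\")
    if base.lower() in SYSTEM_BINARIES and not parent.lower().endswith("\\windows\\system32"):
        reasons.append(f"{base} outside %SystemRoot%\\system32")
    parts = {p.lower() for p in path.split("\\")}
    if name.lower() in KNOWN_BAD or parts & KNOWN_BAD:
        reasons.append("known adware name")
    return reasons


def flagged_names(text: str) -> List[str]:
    """Names of every flagged value, in log order, across all sections."""
    return [name for entries in parse_sections(text).values()
            for name, value in entries if triage(name, value)]


def build_fix_reg(text: str) -> str:
    """Render a REGEDIT4 file that deletes ("Name"=-) every flagged value."""
    lines = ["REGEDIT4", ""]
    for key, entries in parse_sections(text).items():
        bad = [n for n, v in entries if triage(n, v)]
        if bad:
            lines.append(f"[{key}]")
            lines.extend(f'"{n}"=-' for n in bad)
            lines.append("")
    return "\r\n".join(lines)  # .reg files conventionally use CRLF


if __name__ == "__main__":
    for key, entries in parse_sections(SAMPLE).items():
        print(key)
        for name, value in entries:
            reasons = triage(name, value)
            print(f"  {'FLAG' if reasons else 'ok  '} {name}: {'; '.join(reasons)}")
    print()
    print(build_fix_reg(SAMPLE))
```

Run on the sample above it flags exactly the seven names in the helper's fix.reg (WhenUSave, PowerBar, Dpho, Mjg, qqir, Owkcgim, Jrv) and leaves ctfmon.exe, NBJ and AOL Fast Start alone. The point of the heuristics is the one the log itself illustrates: a short-name folder like MANTEC~1 or a '?' in a path is how an 8.3 listing betrays a folder whose name only looks like "Symantec", "system" or "microsoft" in Explorer. Paste only the section(s) you want triaged; the output is a file to review before merging, not something to merge blindly.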

Azraile
2007-05-24, 21:55
that's all done, do I need to reset the system restore again?

miekiemoes
2007-05-24, 22:02
Hi,

You were not supposed to disable System Restore in the first place. I never recommend disabling System Restore when your system is infected, because, when something goes wrong during malware removal and you have disabled System Restore, you have no restore point to roll back to. So it's better to have an infected system restore point than no restore point at all. If you revert to an infected restore point, we can still clean this up.
The only time I recommend disabling System Restore, rebooting and enabling it again is when the malware has been cleaned. Then you actually "flush" your system restore points and a new clean one will be created.

Anyway, yes, enable System restore again. :)

Please read my Prevention page (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here (http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html).

I am sure they will help you with your video card issues at nvidia forums.

Happy Surfing again!

Azraile
2007-05-25, 02:59
yeah they helped and now everything works right I think

lol

miekiemoes
2007-05-25, 09:50
Glad to hear. :)

Now make sure this won't happen again and make sure your computer stays clean. :)