View Full Version : smitfraud-c.888toolbar keeps being removed then reappearring on next scan
rudebadger
2007-06-15, 06:04
hi i have had some recent problems with smitfraud-c.888toolbar and virtumonde on my pc i managed to remove virtumonde manually with freefixer. but smitfraud consistently shows up in my spybot s&d results even though i have removed it then rescanned immediately. here is my hijackthis any help or advice would be much appreciated
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 05:00:50, on 15/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\devldr32.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\System32\CTsvcCDA.EXE
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\WINDOWS\System32\MsPMSPSv.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\Program Files\Creative\ShareDLL\CtNotify.exe
D:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\Winamp\winampa.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Creative\ShareDLL\MediaDet.Exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Quicktime\qttask.exe
C:\SONICS~1\SsAAD.exe
D:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\WINDOWS\system32\wuaudit.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\DAEMON Tools\daemon.exe
D:\Program Files\Sitecom Wireless LAN\WLANUTL.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\MSN\MSNCoreFiles\msn6.exe
D:\WINDOWS\explorer.exe
C:\Downloads\HiJackThis_v2.exe
C:\MOZILL~1\FIREFOX.EXE
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3B459957-A1E3-446E-A19D-32C1314D8252} - D:\WINDOWS\system32\sstqp.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - D:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar3.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O2 - BHO: (no name) - {F4002052-AB29-4B33-8C8D-0E99084564EC} - D:\WINDOWS\system32\tuvwtut.dll (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Disc Detector] D:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] D:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AudioHQ] D:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [CTAvTray] D:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SsAAD.exe] C:\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Microsoft] wuaudit.exe
O4 - HKLM\..\RunServices: [Microsoft] wuaudit.exe
O4 - HKLM\..\RunOnce: [CTAVTray] D:\Program Files\Creative\SBLive\Program\CTAvStub.EXE EAX.AVI
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Sitecom Wireless LAN Utility.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/257ec9422db632fccc05/netzip/RdxIE601.cab
O20 - Winlogon Notify: sstqp - D:\WINDOWS\system32\sstqp.dll (file missing)
O20 - Winlogon Notify: tuvwtut - tuvwtut.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\System32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 7883 bytes
Hello rudebadger and welcome to the Forums :)
You're infected..
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
rudebadger
2007-06-16, 02:19
hi mr jak3 :) thanks for your prompt reply i have run vundofix and it found and removed several files these are the logs from vundofix and hijackthis
VundoFix V6.5.0
Checking Java version...
Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.11
Scan started at 01:05:42 16/06/2007
Listing files found while scanning....
D:\windows\system32\bqdyqfcy.dll
D:\WINDOWS\system32\pqtss.bak1
D:\WINDOWS\system32\pqtss.bak2
D:\WINDOWS\system32\pqtss.ini
D:\WINDOWS\system32\sstqp.dll
Beginning removal...
Attempting to delete D:\windows\system32\bqdyqfcy.dll
D:\windows\system32\bqdyqfcy.dll Has been deleted!
Attempting to delete D:\WINDOWS\system32\pqtss.bak1
D:\WINDOWS\system32\pqtss.bak1 Has been deleted!
Attempting to delete D:\WINDOWS\system32\pqtss.bak2
D:\WINDOWS\system32\pqtss.bak2 Has been deleted!
Attempting to delete D:\WINDOWS\system32\pqtss.ini
D:\WINDOWS\system32\pqtss.ini Has been deleted!
Performing Repairs to the registry.
Done!
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 01:19:39, on 16/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\devldr32.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\System32\CTsvcCDA.EXE
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\WINDOWS\System32\MsPMSPSv.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\Program Files\Creative\ShareDLL\CtNotify.exe
D:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\Winamp\winampa.exe
D:\Program Files\Creative\ShareDLL\MediaDet.Exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Quicktime\qttask.exe
C:\SONICS~1\SsAAD.exe
D:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\WINDOWS\system32\wuaudit.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\DAEMON Tools\daemon.exe
D:\Program Files\Sitecom Wireless LAN\WLANUTL.exe
D:\Program Files\MSN\MSNCoreFiles\msn6.exe
C:\Downloads\HiJackThis_v2.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3B459957-A1E3-446E-A19D-32C1314D8252} - D:\WINDOWS\system32\sstqp.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - D:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar3.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O2 - BHO: (no name) - {F4002052-AB29-4B33-8C8D-0E99084564EC} - D:\WINDOWS\system32\tuvwtut.dll (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Disc Detector] D:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] D:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AudioHQ] D:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [CTAvTray] D:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SsAAD.exe] C:\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Microsoft] wuaudit.exe
O4 - HKLM\..\RunServices: [Microsoft] wuaudit.exe
O4 - HKLM\..\RunOnce: [CTAVTray] D:\Program Files\Creative\SBLive\Program\CTAvStub.EXE EAX.AVI
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Sitecom Wireless LAN Utility.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/257ec9422db632fccc05/netzip/RdxIE601.cab
O20 - Winlogon Notify: sstqp - D:\WINDOWS\system32\sstqp.dll (file missing)
O20 - Winlogon Notify: tuvwtut - tuvwtut.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\System32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 7825 bytes
hi again :)
We'll continue..
Please download the Suspicious file Packer (http://www.safer-networking.org/files/sfp.zip) from Safer-Networking.Org and unzip it to your desktop.
Run SFP.exe.
Please copy the following lines into the Step 1: Paste Text window:
D:\WINDOWS\system32\wuaudit.exe
then click "Continue".
This will create a .cab file on your desktop named requested-files[Date/Time].cab
Please go to this forum (http://www.thespykiller.co.uk)
There's no need to register. Just start a new topic to the "Uploads" section, titled "File for Mr_JAk3".
Add the link of this topic to the message.
Use the Attachment box to upload the cab file from your desktop.
NOTE: You will not see the files that have been uploaded (including the ones you upload yourself) as they only show to the authorised users who can download them
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.zip) and save it to your desktop.
Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer that normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log
rudebadger
2007-06-16, 17:02
ok i followed the instructions here are the logs
SDFix: Version 1.87
Run by Ric on 16/06/2007 at 15:32
Microsoft Windows XP [Version 5.1.2600]
Running From: D:\DOCUME~1\Ric\Desktop\SDFix
Safe Mode:
Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
No Trojan Files Found
Removing Temp Files...
ADS Check:
Checking D:\WINDOWS\
D:\WINDOWS
No streams found.
Checking D:\WINDOWS\system32
D:\WINDOWS\system32
No streams found.
Checking D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
No streams found.
Checking D:\WINDOWS\system32\ntoskrnl.exe
D:\WINDOWS\system32\ntoskrnl.exe
No streams found.
Final Check:
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\\Program Files\\MSN Messenger\\msnmsgr.exe"="D:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"D:\\Program Files\\Messenger\\msmsgs.exe"="D:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\\Program Files\\MSN Messenger\\msnmsgr.exe"="D:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
Remaining Files:
---------------
Listing Files with Hidden Attributes:
D:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
D:\Program Files\Messenger\msmsgs.exe
D:\WINDOWS\system32\wuaudit.exe
D:\Program Files\InterActual\InterActual Player\iti4.tmp
Listing User Accounts:
User accounts for \\RIXPC
Administrator Guest HelpAssistant
Ric SUPPORT_388945a0
Finished
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 16:02:21, on 16/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\devldr32.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\System32\CTsvcCDA.EXE
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\WINDOWS\System32\MsPMSPSv.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\WINDOWS\system32\notepad.exe
D:\Program Files\Creative\ShareDLL\CtNotify.exe
D:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
D:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\Winamp\winampa.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Creative\ShareDLL\MediaDet.Exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Quicktime\qttask.exe
C:\SONICS~1\SsAAD.exe
D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\DAEMON Tools\daemon.exe
D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
D:\Program Files\Sitecom Wireless LAN\WLANUTL.exe
D:\Program Files\MSN\MSNCoreFiles\msn6.exe
D:\Documents and Settings\Ric\Desktop\HiJackThis_v2.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3B459957-A1E3-446E-A19D-32C1314D8252} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - D:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar3.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O2 - BHO: (no name) - {F4002052-AB29-4B33-8C8D-0E99084564EC} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Disc Detector] D:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] D:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AudioHQ] D:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [CTAvTray] D:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SsAAD.exe] C:\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\RunOnce: [CTAVTray] D:\Program Files\Creative\SBLive\Program\CTAvStub.EXE EAX.AVI
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Uniblue RegistryBooster2] D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Sitecom Wireless LAN Utility.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/257ec9422db632fccc05/netzip/RdxIE601.cab
O20 - Winlogon Notify: sstqp - D:\WINDOWS\
O20 - Winlogon Notify: tuvwtut - tuvwtut.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\System32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 7827 bytes
Hi again :)
The wuaudit.exe is a pretty dangerous infection. It is a backdoor so it is able to steal information. If this system is used for online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breech. I suggest that you read this (http://www.dslreports.com/faq/10451) article too.
You should print these instructions or save these to a text file. Follow these instructions carefully.
Open HijackThis.
Open the Misc Tools section
Delete a file on Reboot
Copy the following line to the filenamebox and press Open; D:\WINDOWS\system32\wuaudit.exe
Answer Yes
Reboot the computer if it isn't restarted automatically
Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Run SDFix again (in safe mode)
Restart normally and post new sdfix log and new hjt log :bigthumb:
rudebadger
2007-06-17, 17:14
ugh that sounds like a nasty virus fortunately i dont really use my pc fro anything like that, anyway here are the logs
SDFix: Version 1.87
Run by Ric on 17/06/2007 at 15:49
Microsoft Windows XP [Version 5.1.2600]
Running From: D:\DOCUME~1\Ric\Desktop\SDFix
Safe Mode:
Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
No Trojan Files Found
Removing Temp Files...
ADS Check:
Checking D:\WINDOWS\
D:\WINDOWS
No streams found.
Checking D:\WINDOWS\system32
D:\WINDOWS\system32
No streams found.
Checking D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
No streams found.
Checking D:\WINDOWS\system32\ntoskrnl.exe
D:\WINDOWS\system32\ntoskrnl.exe
No streams found.
Final Check:
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\\Program Files\\MSN Messenger\\msnmsgr.exe"="D:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"D:\\Program Files\\Messenger\\msmsgs.exe"="D:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\\Program Files\\MSN Messenger\\msnmsgr.exe"="D:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
Remaining Files:
---------------
Listing Files with Hidden Attributes:
D:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
D:\Program Files\Messenger\msmsgs.exe
D:\WINDOWS\system32\wuaudit.exe
D:\Program Files\InterActual\InterActual Player\iti4.tmp
Listing User Accounts:
User accounts for \\RIXPC
Administrator Guest HelpAssistant
Ric SUPPORT_388945a0
Finished
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 16:13:06, on 17/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\devldr32.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\System32\CTsvcCDA.EXE
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\WINDOWS\System32\MsPMSPSv.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\Program Files\Creative\ShareDLL\CtNotify.exe
D:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
D:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\Creative\ShareDLL\MediaDet.Exe
D:\Program Files\Winamp\winampa.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Quicktime\qttask.exe
C:\SONICS~1\SsAAD.exe
D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\DAEMON Tools\daemon.exe
D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\Program Files\Sitecom Wireless LAN\WLANUTL.exe
D:\Program Files\MSN\MSNCoreFiles\msn6.exe
D:\Documents and Settings\Ric\Desktop\HiJackThis_v2.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3B459957-A1E3-446E-A19D-32C1314D8252} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - D:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar3.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O2 - BHO: (no name) - {F4002052-AB29-4B33-8C8D-0E99084564EC} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Disc Detector] D:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] D:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AudioHQ] D:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [CTAvTray] D:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SsAAD.exe] C:\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\RunOnce: [CTAVTray] D:\Program Files\Creative\SBLive\Program\CTAvStub.EXE EAX.AVI
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Uniblue RegistryBooster2] D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Sitecom Wireless LAN Utility.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/257ec9422db632fccc05/netzip/RdxIE601.cab
O20 - Winlogon Notify: sstqp - D:\WINDOWS\
O20 - Winlogon Notify: tuvwtut - tuvwtut.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\System32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 7851 bytes
thanks for all the help :)
Hello :)
That file doesn't want to leave...
Let's try this
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once the scan is complete, Right Click inside the listbox (white box) and click add more files
Copy&Paste this to the first box
D:\WINDOWS\system32\wuaudit.exe
Click Add Files and Click Close Window
Click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Please run a GMER Rootkit scan:
Download GMER's application from here:
http://www.gmer.net/gmer.zip
Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.
Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.
Warning ! Please, do not select the "Show all" checkbox during the scan.
rudebadger
2007-06-18, 02:30
hehe yeah seems to be a tricky one to kill here are the logs you requested
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 01:08:16, on 18/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\devldr32.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\System32\CTsvcCDA.EXE
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\WINDOWS\System32\MsPMSPSv.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\Program Files\Creative\ShareDLL\CtNotify.exe
D:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
D:\Program Files\Creative\ShareDLL\MediaDet.Exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\Winamp\winampa.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Quicktime\qttask.exe
C:\SONICS~1\SsAAD.exe
D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\DAEMON Tools\daemon.exe
D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\Program Files\Sitecom Wireless LAN\WLANUTL.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\Documents and Settings\Ric\Desktop\HiJackThis_v2.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3B459957-A1E3-446E-A19D-32C1314D8252} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - D:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar3.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O2 - BHO: (no name) - {F4002052-AB29-4B33-8C8D-0E99084564EC} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Disc Detector] D:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] D:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AudioHQ] D:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [CTAvTray] D:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SsAAD.exe] C:\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\RunOnce: [CTAVTray] D:\Program Files\Creative\SBLive\Program\CTAvStub.EXE EAX.AVI
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Uniblue RegistryBooster2] D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Sitecom Wireless LAN Utility.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/257ec9422db632fccc05/netzip/RdxIE601.cab
O20 - Winlogon Notify: sstqp - D:\WINDOWS\
O20 - Winlogon Notify: tuvwtut - tuvwtut.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\System32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 7922 bytes
---- EOF - GMER 1.0.12 ----
VundoFix V6.5.0
Checking Java version...
Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.11
Scan started at 01:05:42 16/06/2007
Listing files found while scanning....
D:\windows\system32\bqdyqfcy.dll
D:\WINDOWS\system32\pqtss.bak1
D:\WINDOWS\system32\pqtss.bak2
D:\WINDOWS\system32\pqtss.ini
D:\WINDOWS\system32\sstqp.dll
Beginning removal...
Attempting to delete D:\windows\system32\bqdyqfcy.dll
D:\windows\system32\bqdyqfcy.dll Has been deleted!
Attempting to delete D:\WINDOWS\system32\pqtss.bak1
D:\WINDOWS\system32\pqtss.bak1 Has been deleted!
Attempting to delete D:\WINDOWS\system32\pqtss.bak2
D:\WINDOWS\system32\pqtss.bak2 Has been deleted!
Attempting to delete D:\WINDOWS\system32\pqtss.ini
D:\WINDOWS\system32\pqtss.ini Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.5.0
Checking Java version...
Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.11
Scan started at 01:00:13 18/06/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
Attempting to delete D:\WINDOWS\system32\wuaudit.exe
D:\WINDOWS\system32\wuaudit.exe Has been deleted!
Performing Repairs to the registry.
Done!
GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-06-18 01:22:08
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.12 ----
SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT sptd.sys ZwEnumerateKey
SSDT sptd.sys ZwEnumerateValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT sptd.sys ZwOpenKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT sptd.sys ZwQueryKey
SSDT sptd.sys ZwQueryValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess
---- Kernel code sections - GMER 1.0.12 ----
.text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes [ F0, A1, 0C, F5, 80, 04, 0D, ... ]
? D:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
? srescan.sys The system cannot find the file specified.
.text USBPORT.SYS!DllUnload F6FD062C 5 Bytes JMP 865C2400
? System32\Drivers\affcwezj.SYS The system cannot find the file specified.
? D:\WINDOWS\System32\DRIVERS\update.sys
.text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes [ F0, A1, 0C, F5, 80, 04, 0D, ... ]
rudebadger
2007-06-18, 02:37
---- Devices - GMER 1.0.12 ----
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 867D31E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE 867D31E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 867D31E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE 867D31E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION 867D31E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION 867D31E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA 867D31E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA 867D31E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS 867D31E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION 867D31E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION 867D31E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL 867D31E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL 867D31E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL 867D31E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN 867D31E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL 867D31E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP 867D31E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY 867D31E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY 867D31E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA 867D31E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA 867D31E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_PNP 867D31E8
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F50DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F50DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F50DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F50DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F50DB8A0] vsdatant.sys
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_CREATE 865CC1E8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_CLOSE 865CC1E8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_DEVICE_CONTROL 865CC1E8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_INTERNAL_DEVICE_CONTROL 865CC1E8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_POWER 865CC1E8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_SYSTEM_CONTROL 865CC1E8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_PNP 865CC1E8
Device \Driver\PCI_NTPNP4908 \Device\00000044 IRP_MJ_CREATE [F775CAD2] sptd.sys
Device \Driver\PCI_NTPNP4908 \Device\00000044 IRP_MJ_CREATE_NAMED_PIPE [F775CAD2] sptd.sys
Device \Driver\PCI_NTPNP4908 \Device\00000044 IRP_MJ_CLOSE [F775CAD2] sptd.sys
Device \Driver\PCI_NTPNP4908 \Device\00000044 IRP_MJ_READ [F775CAD2] sptd.sys
Device \Driver\PCI_NTPNP4908 \Device\00000044 IRP_MJ_WRITE [F775CAD2] sptd.sys
Device \Driver\PCI_NTPNP4908 \Device\00000044 IRP_MJ_QUERY_INFORMATION [F775CAD2] sptd.sys
Device \Driver\PCI_NTPNP4908 \Device\00000044 IRP_MJ_SET_INFORMATION [F775CAD2] sptd.sys
Device \Driver\PCI_NTPNP4908 \Device\00000044 IRP_MJ_QUERY_EA [F775CAD2] sptd.sys
Device \Driver\PCI_NTPNP4908 \Device\00000044 IRP_MJ_SET_EA [F775CAD2] sptd.sys
Device \Driver\PCI_NTPNP4908 \Device\00000044 IRP_MJ_FLUSH_BUFFERS [F775CAD2] sptd.sys
Device \Driver\PCI_NTPNP4908 \Device\00000044 IRP_MJ_QUERY_VOLUME_INFORMATION [F775CAD2] sptd.sys
Device \Driver\PCI_NTPNP4908 \Device\00000044 IRP_MJ_SET_VOLUME_INFORMATION [F775CAD2] sptd.sys
Device \Driver\PCI_NTPNP4908 \Device\00000044 IRP_MJ_DIRECTORY_CONTROL [F775CAD2] sptd.sys
Device \Driver\PCI_NTPNP4908 \Device\00000044 IRP_MJ_FILE_SYSTEM_CONTROL [F775CAD2] sptd.sys
Device \Driver\PCI_NTPNP4908 \Device\00000044 IRP_MJ_DEVICE_CONTROL [F775CAD2] sptd.sys
Device \Driver\PCI_NTPNP4908 \Device\00000044 IRP_MJ_INTERNAL_DEVICE_CONTROL [F775CAD2] sptd.sys
Device \Driver\PCI_NTPNP4908 \Device\00000044 IRP_MJ_SHUTDOWN [F775CAD2] sptd.sys
Device \Driver\PCI_NTPNP4908 \Device\00000044 IRP_MJ_LOCK_CONTROL [F775CAD2] sptd.sys
Device \Driver\PCI_NTPNP4908 \Device\00000044 IRP_MJ_CLEANUP [F775CAD2] sptd.sys
Device \Driver\PCI_NTPNP4908 \Device\00000044 IRP_MJ_CREATE_MAILSLOT [F775CAD2] sptd.sys
Device \Driver\PCI_NTPNP4908 \Device\00000044 IRP_MJ_QUERY_SECURITY [F775CAD2] sptd.sys
Device \Driver\PCI_NTPNP4908 \Device\00000044 IRP_MJ_SET_SECURITY [F775CAD2] sptd.sys
Device \Driver\PCI_NTPNP4908 \Device\00000044 IRP_MJ_POWER [F7736712] sptd.sys
Device \Driver\PCI_NTPNP4908 \Device\00000044 IRP_MJ_SYSTEM_CONTROL [F77592C8] sptd.sys
Device \Driver\PCI_NTPNP4908 \Device\00000044 IRP_MJ_DEVICE_CHANGE [F775CAD2] sptd.sys
Device \Driver\PCI_NTPNP4908 \Device\00000044 IRP_MJ_QUERY_QUOTA [F775CAD2] sptd.sys
Device \Driver\PCI_NTPNP4908 \Device\00000044 IRP_MJ_SET_QUOTA [F775CAD2] sptd.sys
Device \Driver\PCI_NTPNP4908 \Device\00000044 IRP_MJ_PNP [F775A238] sptd.sys
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_CREATE 865CC1E8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_CLOSE 865CC1E8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_DEVICE_CONTROL 865CC1E8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_INTERNAL_DEVICE_CONTROL 865CC1E8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_POWER 865CC1E8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_SYSTEM_CONTROL 865CC1E8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_PNP 865CC1E8
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_CREATE 865CC1E8
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_CLOSE 865CC1E8
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_DEVICE_CONTROL 865CC1E8
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_INTERNAL_DEVICE_CONTROL 865CC1E8
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_POWER 865CC1E8
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_SYSTEM_CONTROL 865CC1E8
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_PNP 865CC1E8
Device \Driver\usbehci \Device\USBPDO-3 IRP_MJ_CREATE 865921E8
Device \Driver\usbehci \Device\USBPDO-3 IRP_MJ_CLOSE 865921E8
Device \Driver\usbehci \Device\USBPDO-3 IRP_MJ_DEVICE_CONTROL 865921E8
Device \Driver\usbehci \Device\USBPDO-3 IRP_MJ_INTERNAL_DEVICE_CONTROL 865921E8
Device \Driver\usbehci \Device\USBPDO-3 IRP_MJ_POWER 865921E8
Device \Driver\usbehci \Device\USBPDO-3 IRP_MJ_SYSTEM_CONTROL 865921E8
Device \Driver\usbehci \Device\USBPDO-3 IRP_MJ_PNP 865921E8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F50DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F50DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F50DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F50DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F50DB8A0] vsdatant.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE 867671E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_READ 867671E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_WRITE 867671E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FLUSH_BUFFERS 867671E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CONTROL 867671E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_INTERNAL_DEVICE_CONTROL 867671E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SHUTDOWN 867671E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CLEANUP 867671E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_POWER 867671E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SYSTEM_CONTROL 867671E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_PNP 867671E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CREATE 867671E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_READ 867671E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_WRITE 867671E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_FLUSH_BUFFERS 867671E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_DEVICE_CONTROL 867671E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_INTERNAL_DEVICE_CONTROL 867671E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SHUTDOWN 867671E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CLEANUP 867671E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_POWER 867671E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SYSTEM_CONTROL 867671E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_PNP
rudebadger
2007-06-18, 02:39
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 865851E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 865851E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 865851E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 865851E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 865851E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 865851E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 865851E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 865851E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 865851E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 865851E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 865851E8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 865851E8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLOSE 865851E8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_READ 865851E8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_WRITE 865851E8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FLUSH_BUFFERS 865851E8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CONTROL 865851E8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_INTERNAL_DEVICE_CONTROL 865851E8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SHUTDOWN 865851E8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_POWER 865851E8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SYSTEM_CONTROL 865851E8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_PNP 865851E8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE 867D41E8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLOSE 867D41E8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CONTROL 867D41E8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_INTERNAL_DEVICE_CONTROL 867D41E8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_POWER 867D41E8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SYSTEM_CONTROL 867D41E8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_PNP 867D41E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CREATE 867D41E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CLOSE 867D41E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_DEVICE_CONTROL 867D41E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_INTERNAL_DEVICE_CONTROL 867D41E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_POWER 867D41E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SYSTEM_CONTROL 867D41E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_PNP 867D41E8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE 867D41E8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CLOSE 867D41E8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DEVICE_CONTROL 867D41E8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_INTERNAL_DEVICE_CONTROL 867D41E8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_POWER 867D41E8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SYSTEM_CONTROL 867D41E8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_PNP 867D41E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_CREATE 867D41E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_CLOSE 867D41E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_DEVICE_CONTROL 867D41E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_INTERNAL_DEVICE_CONTROL 867D41E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_POWER 867D41E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SYSTEM_CONTROL 867D41E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_PNP 867D41E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_CREATE 867D41E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_CLOSE 867D41E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_DEVICE_CONTROL 867D41E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_INTERNAL_DEVICE_CONTROL 867D41E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_POWER 867D41E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_SYSTEM_CONTROL 867D41E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_PNP 867D41E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_CREATE 867D41E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_CLOSE 867D41E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_DEVICE_CONTROL 867D41E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_INTERNAL_DEVICE_CONTROL 867D41E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_POWER 867D41E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_SYSTEM_CONTROL 867D41E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_PNP 867D41E8
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE 865851E8
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CLOSE 865851E8
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_READ 865851E8
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_WRITE 865851E8
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_FLUSH_BUFFERS 865851E8
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_DEVICE_CONTROL 865851E8
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_INTERNAL_DEVICE_CONTROL 865851E8
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SHUTDOWN 865851E8
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_POWER 865851E8
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SYSTEM_CONTROL 865851E8
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_PNP 865851E8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CREATE 85F3B1E8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLOSE 85F3B1E8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_DEVICE_CONTROL 85F3B1E8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_INTERNAL_DEVICE_CONTROL 85F3B1E8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLEANUP 85F3B1E8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_PNP 85F3B1E8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CREATE 85F3B1E8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLOSE 85F3B1E8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_DEVICE_CONTROL 85F3B1E8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_INTERNAL_DEVICE_CONTROL 85F3B1E8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLEANUP 85F3B1E8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_PNP 85F3B1E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{C8A05013-127E-48DE-B672-156C8B182EFB} IRP_MJ_CREATE 85F3B1E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{C8A05013-127E-48DE-B672-156C8B182EFB} IRP_MJ_CLOSE 85F3B1E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{C8A05013-127E-48DE-B672-156C8B182EFB} IRP_MJ_DEVICE_CONTROL 85F3B1E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{C8A05013-127E-48DE-B672-156C8B182EFB} IRP_MJ_INTERNAL_DEVICE_CONTROL 85F3B1E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{C8A05013-127E-48DE-B672-156C8B182EFB} IRP_MJ_CLEANUP 85F3B1E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{C8A05013-127E-48DE-B672-156C8B182EFB} IRP_MJ_PNP 85F3B1E8
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F50DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F50DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F50DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F50DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F50DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F50DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F50DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F50DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F50DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F50DB8A0] vsdatant.sys
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_CREATE 865CC1E8
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_CLOSE 865CC1E8
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_DEVICE_CONTROL 865CC1E8
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_INTERNAL_DEVICE_CONTROL 865CC1E8
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_POWER 865CC1E8
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_SYSTEM_CONTROL 865CC1E8
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_PNP 865CC1E8
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_CREATE 865CC1E8
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_CLOSE 865CC1E8
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_DEVICE_CONTROL 865CC1E8
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_INTERNAL_DEVICE_CONTROL 865CC1E8
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_POWER 865CC1E8
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_SYSTEM_CONTROL 865CC1E8
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_PNP 865CC1E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_NAMED_PIPE 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLOSE 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_READ 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_WRITE 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_INFORMATION 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_INFORMATION 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_EA 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_EA 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FLUSH_BUFFERS 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_VOLUME_INFORMATION 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_VOLUME_INFORMATION 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DIRECTORY_CONTROL 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FILE_SYSTEM_CONTROL 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CONTROL 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_INTERNAL_DEVICE_CONTROL 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SHUTDOWN 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_LOCK_CONTROL 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLEANUP 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_MAILSLOT 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_SECURITY 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_SECURITY 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_POWER 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SYSTEM_CONTROL 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CHANGE 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_QUOTA 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_QUOTA 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_PNP
rudebadger
2007-06-18, 02:40
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [F50DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [F50DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [F50DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F50DB8A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [F50DB8A0] vsdatant.sys
Device \Driver\usbuhci \Device\USBFDO-2 IRP_MJ_CREATE 865CC1E8
Device \Driver\usbuhci \Device\USBFDO-2 IRP_MJ_CLOSE 865CC1E8
Device \Driver\usbuhci \Device\USBFDO-2 IRP_MJ_DEVICE_CONTROL 865CC1E8
Device \Driver\usbuhci \Device\USBFDO-2 IRP_MJ_INTERNAL_DEVICE_CONTROL 865CC1E8
Device \Driver\usbuhci \Device\USBFDO-2 IRP_MJ_POWER 865CC1E8
Device \Driver\usbuhci \Device\USBFDO-2 IRP_MJ_SYSTEM_CONTROL 865CC1E8
Device \Driver\usbuhci \Device\USBFDO-2 IRP_MJ_PNP 865CC1E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_NAMED_PIPE 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLOSE 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_READ 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_WRITE 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_INFORMATION 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_INFORMATION 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_EA 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_EA 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FLUSH_BUFFERS 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_VOLUME_INFORMATION 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_VOLUME_INFORMATION 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DIRECTORY_CONTROL 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FILE_SYSTEM_CONTROL 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CONTROL 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_INTERNAL_DEVICE_CONTROL 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SHUTDOWN 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_LOCK_CONTROL 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLEANUP 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_MAILSLOT 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_SECURITY 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_SECURITY 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_POWER 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SYSTEM_CONTROL 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CHANGE 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_QUOTA 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_QUOTA 85F3D7A0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_PNP 85F3D7A0
Device \Driver\usbehci \Device\USBFDO-3 IRP_MJ_CREATE 865921E8
Device \Driver\usbehci \Device\USBFDO-3 IRP_MJ_CLOSE 865921E8
Device \Driver\usbehci \Device\USBFDO-3 IRP_MJ_DEVICE_CONTROL 865921E8
Device \Driver\usbehci \Device\USBFDO-3 IRP_MJ_INTERNAL_DEVICE_CONTROL 865921E8
Device \Driver\usbehci \Device\USBFDO-3 IRP_MJ_POWER 865921E8
Device \Driver\usbehci \Device\USBFDO-3 IRP_MJ_SYSTEM_CONTROL 865921E8
Device \Driver\usbehci \Device\USBFDO-3 IRP_MJ_PNP 865921E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CREATE 867671E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_READ 867671E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_WRITE 867671E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_FLUSH_BUFFERS 867671E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_DEVICE_CONTROL 867671E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_INTERNAL_DEVICE_CONTROL 867671E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SHUTDOWN 867671E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CLEANUP 867671E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_POWER 867671E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SYSTEM_CONTROL 867671E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_PNP 867671E8
Device \Driver\affcwezj \Device\Scsi\affcwezj1 IRP_MJ_CREATE 86484590
Device \Driver\affcwezj \Device\Scsi\affcwezj1 IRP_MJ_CLOSE 86484590
Device \Driver\affcwezj \Device\Scsi\affcwezj1 IRP_MJ_DEVICE_CONTROL 86484590
Device \Driver\affcwezj \Device\Scsi\affcwezj1 IRP_MJ_INTERNAL_DEVICE_CONTROL 86484590
Device \Driver\affcwezj \Device\Scsi\affcwezj1 IRP_MJ_POWER 86484590
Device \Driver\affcwezj \Device\Scsi\affcwezj1 IRP_MJ_SYSTEM_CONTROL 86484590
Device \Driver\affcwezj \Device\Scsi\affcwezj1 IRP_MJ_PNP 86484590
Device \Driver\affcwezj \Device\Scsi\affcwezj1Port2Path0Target0Lun0 IRP_MJ_CREATE 86484590
Device \Driver\affcwezj \Device\Scsi\affcwezj1Port2Path0Target0Lun0 IRP_MJ_CLOSE 86484590
Device \Driver\affcwezj \Device\Scsi\affcwezj1Port2Path0Target0Lun0 IRP_MJ_DEVICE_CONTROL 86484590
Device \Driver\affcwezj \Device\Scsi\affcwezj1Port2Path0Target0Lun0 IRP_MJ_INTERNAL_DEVICE_CONTROL 86484590
Device \Driver\affcwezj \Device\Scsi\affcwezj1Port2Path0Target0Lun0 IRP_MJ_POWER 86484590
Device \Driver\affcwezj \Device\Scsi\affcwezj1Port2Path0Target0Lun0 IRP_MJ_SYSTEM_CONTROL 86484590
Device \Driver\affcwezj \Device\Scsi\affcwezj1Port2Path0Target0Lun0 IRP_MJ_PNP 86484590
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE 85D637A0
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLOSE 85D637A0
Device \FileSystem\Cdfs \Cdfs IRP_MJ_READ 85D637A0
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_INFORMATION 85D637A0
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SET_INFORMATION 85D637A0
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_VOLUME_INFORMATION 85D637A0
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DIRECTORY_CONTROL 85D637A0
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL 85D637A0
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DEVICE_CONTROL 85D637A0
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SHUTDOWN 85D637A0
Device \FileSystem\Cdfs \Cdfs IRP_MJ_LOCK_CONTROL 85D637A0
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLEANUP 85D637A0
Device \FileSystem\Cdfs \Cdfs IRP_MJ_PNP 85D637A0
---- EOF - GMER 1.0.12 ----
OK good we'll continue :)
Generate a HijackThis Startup list:
Open HijackThis: Click on "Open the Misc Tools Section"
Check the following boxes to the right of "Generate StartupList Log": List also minor sections (Full)
List empty sections (Complete)
Click "Generate StartupListLog"
Click "Yes" at the prompt.
A Notepad window will open with the contents of the HijackThis Startup list displayed
Copy & Paste that log to here
1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
rudebadger
2007-06-18, 19:46
more logs
StartupList report, 18/06/2007, 18:30:27
StartupList version: 1.52.2
Started from : D:\Documents and Settings\Ric\Desktop\HiJackThis_v2.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\devldr32.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\System32\CTsvcCDA.EXE
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\WINDOWS\System32\MsPMSPSv.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\Program Files\Creative\ShareDLL\CtNotify.exe
D:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
D:\Program Files\Creative\ShareDLL\MediaDet.Exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\Winamp\winampa.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Quicktime\qttask.exe
C:\SONICS~1\SsAAD.exe
D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\DAEMON Tools\daemon.exe
D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
D:\Program Files\Sitecom Wireless LAN\WLANUTL.exe
C:\Azureus\Azureus.exe
D:\Program Files\MSN\MSNCoreFiles\msn6.exe
D:\Documents and Settings\Ric\Desktop\HiJackThis_v2.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Startup:
[D:\Documents and Settings\Ric\Start Menu\Programs\Startup]
Sitecom Wireless LAN Utility.lnk = ?
Shell folders AltStartup:
*Folder not found*
User shell folders Startup:
*Folder not found*
User shell folders AltStartup:
*Folder not found*
Shell folders Common Startup:
[D:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Shell folders Common AltStartup:
*Folder not found*
User shell folders Common Startup:
*Folder not found*
User shell folders Alternate Common Startup:
*Folder not found*
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = D:\WINDOWS\system32\userinit.exe,
[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*
[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
NvCplDaemon = RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
Disc Detector = D:\Program Files\Creative\ShareDLL\CtNotify.exe
UpdReg = D:\WINDOWS\Updreg.exe
AHQInit = D:\Program Files\Creative\SBLive\Program\AHQInit.exe
AudioHQ = D:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
CTAvTray = D:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
avast! = D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
WinampAgent = D:\Program Files\Winamp\winampa.exe
TkBellExe = "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
Zone Labs Client = "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
QuickTime Task = "C:\Quicktime\qttask.exe" -atboottime
SsAAD.exe = C:\SONICS~1\SsAAD.exe
SunJavaUpdateSched = "D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
NeroFilterCheck = D:\WINDOWS\system32\NeroCheck.exe
ZoneAlarm Client = "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
NvMediaCenter = RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
CTAVTray = D:\Program Files\Creative\SBLive\Program\CTAvStub.EXE EAX.AVI
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
CTFMON.EXE = D:\WINDOWS\system32\ctfmon.exe
MsnMsgr = "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
swg = D:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
DAEMON Tools = "C:\DAEMON Tools\daemon.exe" -lang 1033
Uniblue RegistryBooster2 = D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command
(Default) = "%1" /S
--------------------------------------------------
File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command
(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*
--------------------------------------------------
File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command
(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1
--------------------------------------------------
Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)
[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = D:\WINDOWS\inf\unregmp2.exe /ShowWMP
[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection D:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection D:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection D:\WINDOWS\INF\wmp.inf,PerUserStub
[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll
[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe
[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = D:\WINDOWS\system32\Rundll32.exe D:\WINDOWS\system32\mscories.dll,Install
--------------------------------------------------
Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps
*Registry key not found*
--------------------------------------------------
Load/Run keys from D:\WINDOWS\WIN.INI:
load=*INI section not found*
run=*INI section not found*
Load/Run keys from Registry:
HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=
--------------------------------------------------
Shell & screensaver key from D:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Checking for EXPLORER.EXE instances:
D:\WINDOWS\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
D:\WINDOWS\Explorer\Explorer.exe: not present
D:\WINDOWS\System\Explorer.exe: not present
D:\WINDOWS\System32\Explorer.exe: not present
D:\WINDOWS\Command\Explorer.exe: not present
D:\WINDOWS\Fonts\Explorer.exe: not present
--------------------------------------------------
Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden
--------------------------------------------------
Verifying REGEDIT.EXE integrity:
- Regedit.exe found in D:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'
Registry check passed
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - (no file) - {3B459957-A1E3-446E-A19D-32C1314D8252}
(no name) - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - D:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll - {9394EDE7-C8B5-483E-8773-474BF36AF6E4}
(no name) - d:\program files\google\googletoolbar3.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - D:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}
(no name) - (no file) - {F4002052-AB29-4B33-8C8D-0E99084564EC}
rudebadger
2007-06-18, 19:47
--------------------------------------------------
Enumerating Task Scheduler jobs:
AppleSoftwareUpdate.job
--------------------------------------------------
Enumerating Download Program Files:
[QuickTime Object]
InProcServer32 = C:\Quicktime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab
[{3334504D-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/0/C/8/0C8EDFAB-30BC-4792-898E-2DABE27B2C4D/mp43dmo.CAB
[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
[{56336BCB-3D8A-11D6-A00B-0050DA18DE71}]
CODEBASE = http://software-dl.real.com/257ec9422db632fccc05/netzip/RdxIE601.cab
[Java Plug-in 1.6.0_01]
InProcServer32 = D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
[Java Plug-in 1.5.0_06]
InProcServer32 = D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
[Java Plug-in 1.5.0_11]
InProcServer32 = D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
[Java Plug-in 1.6.0_01]
InProcServer32 = D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
[Java Plug-in 1.6.0_01]
InProcServer32 = D:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
[Shockwave Flash Object]
InProcServer32 = D:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
--------------------------------------------------
Enumerating Winsock LSP files:
NameSpace #1: D:\WINDOWS\System32\mswsock.dll
NameSpace #2: D:\WINDOWS\System32\winrnr.dll
NameSpace #3: D:\WINDOWS\System32\mswsock.dll
Protocol #1: D:\WINDOWS\system32\mswsock.dll
Protocol #2: D:\WINDOWS\system32\mswsock.dll
Protocol #3: D:\WINDOWS\system32\mswsock.dll
Protocol #4: D:\WINDOWS\system32\rsvpsp.dll
Protocol #5: D:\WINDOWS\system32\rsvpsp.dll
Protocol #6: D:\WINDOWS\system32\mswsock.dll
Protocol #7: D:\WINDOWS\system32\mswsock.dll
Protocol #8: D:\WINDOWS\system32\mswsock.dll
Protocol #9: D:\WINDOWS\system32\mswsock.dll
Protocol #10: D:\WINDOWS\system32\mswsock.dll
Protocol #11: D:\WINDOWS\system32\mswsock.dll
Protocol #12: D:\WINDOWS\system32\mswsock.dll
Protocol #13: D:\WINDOWS\system32\mswsock.dll
--------------------------------------------------
Enumerating Windows NT/2000/XP services
Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AMD K7 Processor Driver: System32\DRIVERS\amdk7.sys (system)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (manual start)
avast! iAVS4 Control Service: "D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe" (autostart)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
avast! Antivirus: "D:\Program Files\Alwil Software\Avast4\ashServ.exe" (autostart)
avast! Mail Scanner: "D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (manual start)
avast! Web Scanner: "D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
.NET Runtime Optimization Service v2.0.50727_X86: D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (manual start)
COM+ System Application: D:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Creative Service for CDROM Access: D:\WINDOWS\System32\CTsvcCDA.EXE (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Creative SBLive! Gameport: System32\DRIVERS\ctljystk.sys (manual start)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Creative SB Live! series(WDM): system32\drivers\emu10k1f.sys (manual start)
Creative Interface Manager Driver (WDM): system32\drivers\ctlface.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: D:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver: System32\DRIVERS\fetnd5.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
gmer: System32\DRIVERS\gmer.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Google Updater Service: "D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe" (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: D:\WINDOWS\System32\imapi.exe (manual start)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Keyboard HID Driver: system32\DRIVERS\kbdhid.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
mdxgthkn: \??\D:\DOCUME~1\Ric\LOCALS~1\Temp\mdxgthkn.sys (manual start)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: D:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
MSCSPTISRV: "D:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe" (manual start)
Distributed Transaction Coordinator: D:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: D:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
NVIDIA Display Driver Service: %SystemRoot%\system32\nvsvc32.exe (autostart)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
PACSPTISVR: "D:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe" (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCANDIS5 Protocol Driver: \??\D:\WINDOWS\System32\PCANDIS5.SYS (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PfModNT: \??\D:\WINDOWS\System32\PfModNT.sys (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\Drivers\PxHelp20.sys (system)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: D:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Creative SoundFont Manager Driver (WDM): system32\drivers\sfman.sys (manual start)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
sptd: System32\Drivers\sptd.sys (system)
Sony SPTI Service: "D:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe" (manual start)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
srescan: System32\ZoneLabs\srescan.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
SonicStage SCSI Service: D:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: D:\WINDOWS\System32\dllhost.exe /Processid:{B05FA158-1728-4495-9A36-517F7990EEB2} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Sitecom 802.11g Wireless Adapter: System32\DRIVERS\wlannds.sys (manual start)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: D:\WINDOWS\System32\wdfmgr.exe (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
USB Audio Driver (WDM): system32\drivers\usbaudio.sys (manual start)
Microsoft USB Generic Parent Driver: system32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
ViaIde: System32\DRIVERS\viaide.sys (system)
vsdatant: System32\vsdatant.sys (system)
TrueVector Internet Monitor: D:\WINDOWS\system32\ZoneLabs\vsmon.exe -service (autostart)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Logitech Virtual Bus Enumerator Driver: system32\drivers\WmBEnum.sys (manual start)
WMDM PMSP Service: D:\WINDOWS\System32\MsPMSPSv.exe (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Logitech WingMan HID Filter Driver: system32\drivers\WmFilter.sys (manual start)
WMI Performance Adapter: D:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Logitech Virtual Hid Device Driver: system32\drivers\WmVirHid.sys (manual start)
Logitech WingMan Translation Layer Driver: system32\drivers\WmXlCore.sys (manual start)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
--------------------------------------------------
Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*
Windows NT checkdisk command:
BootExecute = autocheck autochk *
Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: D:\WINDOWS\system32\SHELL32.dll
CDBurn: D:\WINDOWS\system32\SHELL32.dll
WebCheck: D:\WINDOWS\System32\webcheck.dll
SysTray: D:\WINDOWS\System32\stobject.dll
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
*Registry key not found*
--------------------------------------------------
End of report, 35,151 bytes
Report generated in 0.532 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
rudebadger
2007-06-18, 19:48
ComboFix 07-06-17 - D:\Documents and Settings\Ric\Desktop\ComboFix.exe
"Ric" - 2007-06-18 18:32:52 - Service Pack 2 NTFS
(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))
D:\WINDOWS\system32\ohrdlttc.dll
D:\WINDOWS\system32\cttldrho.ini
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
D:\DOCUME~1\Ric\APPLIC~1.\macromedia\Flash Player\#SharedObjects\RE9HMDES\www.broadcaster.com
D:\DOCUME~1\Ric\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
D:\DOCUME~1\Ric\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
D:\DOCUME~1\Ric\Desktop\internet.lnk
D:\Program Files\install.log
((((((((((((((((((((((((( Files Created from 2007-05-18 to 2007-06-18 )))))))))))))))))))))))))))))))
2007-06-18 18:31 49,152 --a------ D:\WINDOWS\nircmd.exe
2007-06-16 04:58 <DIR> d-------- D:\DOCUME~1\Ric\APPLIC~1\Media Player Classic
2007-06-16 04:57 740,442 --a------ D:\WINDOWS\system32\divx.dll
2007-06-16 04:57 73,728 --a------ D:\WINDOWS\system32\dpl100.dll
2007-06-16 04:57 630,784 --a------ D:\WINDOWS\system32\vp7vfw.dll
2007-06-16 04:57 593,920 --a------ D:\WINDOWS\system32\xvidcore.dll
2007-06-16 04:57 564,224 --a------ D:\WINDOWS\system32\x264vfw.dll
2007-06-16 04:57 438,272 --a------ D:\WINDOWS\system32\vp6vfw.dll
2007-06-16 04:57 39,936 --a------ D:\WINDOWS\system32\huffyuv.dll
2007-06-16 04:57 3,596,288 --a------ D:\WINDOWS\system32\qt-dx331.dll
2007-06-16 04:57 217,088 --a------ D:\WINDOWS\system32\yv12vfw.dll
2007-06-16 04:57 217,088 --a------ D:\WINDOWS\system32\i420vfw.dll
2007-06-16 04:57 180,224 --a------ D:\WINDOWS\system32\xvidvfw.dll
2007-06-16 04:57 144,384 --a------ D:\WINDOWS\system32\Iacenc.dll
2007-06-16 04:57 <DIR> d-------- D:\Program Files\K-Lite Codec Pack
2007-06-16 02:06 <DIR> d-------- D:\Program Files\Uniblue
2007-06-16 02:06 <DIR> d-------- D:\DOCUME~1\Ric\APPLIC~1\Uniblue
2007-06-16 01:05 <DIR> d-------- D:\VundoFix Backups
2007-06-15 04:31 7,680 --a------ D:\WINDOWS\system32\ffnd.exe
2007-06-15 03:54 <DIR> d-------- D:\Program Files\FreeFixer
2007-06-12 03:39 <DIR> d-------- D:\Program Files\Bazooka Scanner
2007-06-07 14:05 55,316 --a------ D:\WINDOWS\system32\vwdxlkyt.dll
2007-05-18 03:51 1,227 --a------ D:\WINDOWS\mozver.dat
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-18 17:37:55 -------- d-----w D:\DOCUME~1\Ric\APPLIC~1\Azureus
2007-05-20 23:41:52 -------- d-----w D:\DOCUME~1\Ric\APPLIC~1\EVEMon
2007-05-20 23:41:50 -------- d-----w D:\Program Files\EVEMon
2007-05-16 15:12:02 683,520 ----a-w D:\WINDOWS\system32\inetcomm.dll
2007-05-13 09:27:52 -------- d-----w D:\DOCUME~1\Ric\APPLIC~1\Talkback
2007-05-13 09:27:14 0 ----a-w D:\WINDOWS\nsreg.dat
2007-05-09 03:14:18 -------- d--h--w D:\Program Files\InstallShield Installation Information
2007-05-09 03:01:15 682,232 ----a-w D:\WINDOWS\system32\drivers\sptd.sys
2007-04-28 01:38:02 -------- d-----w D:\DOCUME~1\Ric\APPLIC~1\Command & Conquer 3 Tiberium Wars Demo
2007-04-28 01:30:09 -------- d-----w D:\Program Files\Electronic Arts
2007-04-26 03:49:58 98,304 ----a-w D:\WINDOWS\system32\CmdLineExt.dll
2007-04-25 14:21:15 144,896 ----a-w D:\WINDOWS\system32\schannel.dll
2007-04-20 05:05:19 -------- d-----w D:\Program Files\Hitman Pro
2007-04-18 16:12:23 2,854,400 ----a-w D:\WINDOWS\system32\msi.dll
2007-04-03 04:04:17 4,212 ---h--w D:\WINDOWS\system32\zllictbl.dat
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 20:38]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{9394EDE7-C8B5-483E-8773-474BF36AF6E4}=D:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll [2004-08-13 17:42]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=d:\program files\google\googletoolbar3.dll [2007-01-20 00:55]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}=D:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll [2006-01-17 16:04]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Disc Detector"="D:\Program Files\Creative\ShareDLL\CtNotify.exe" [1999-08-30 01:55]
"AHQInit"="D:\Program Files\Creative\SBLive\Program\AHQInit.exe" [2001-05-10 17:49]
"AudioHQ"="D:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE" [2001-08-17 17:01]
"CTAvTray"="D:\Program Files\Creative\SBLive\Program\CTAvTray.EXE" [2000-09-01 01:00]
"avast!"="D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-01-15 18:28]
"WinampAgent"="D:\Program Files\Winamp\winampa.exe" [2006-03-10 18:45]
"TkBellExe"="D:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-05-25 14:39]
"Zone Labs Client"="D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]
"QuickTime Task"="C:\Quicktime\qttask.exe" [2007-02-16 10:54]
"SsAAD.exe"="C:\SONICS~1\SsAAD.exe" [2006-01-07 02:36]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"ZoneAlarm Client"="D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56]
"MsnMsgr"="D:\Program Files\MSN Messenger\MsnMsgr.exe" [2006-01-24 11:37]
"swg"="D:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-02-22 20:22]
"DAEMON Tools"="C:\DAEMON Tools\daemon.exe" [2007-04-03 23:29]
"Uniblue RegistryBooster2"="D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-06-13 10:30]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"CTAVTray"=D:\Program Files\Creative\SBLive\Program\CTAvStub.EXE EAX.AVI
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sstqp]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvwtut]
tuvwtut.dll
Contents of the 'Scheduled Tasks' folder
2007-06-11 19:33:03 D:\WINDOWS\tasks\AppleSoftwareUpdate.job
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-18 18:39:35
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Disc Detector = D:\Program Files\Creative\ShareDLL\CtNotify.exe?X???????????????? C?????Disc Detector?B???A???????A?? ????B???@?$?@?? C?????U?@?????????@?B???A???????A???????B???@?????P???$?@?? ????????A~??????????@???????????????????B???????????????????????????????????B
CTAvTray = D:\Program Files\Creative\SBLive\Program\CTAvTray.EXE??s$?????A~????$???Z?A~????*?A~????@?a?T?a???????????????????????????@?????????????????d???????W?D~???sx??s@????????L2?D??sh??s$??????????s????(????&?s?????L2??L2?????(????B?s?92? @@????? @@??L2??B?s??
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
CTAVTray = D:\Program Files\Creative\SBLive\Program\CTAvStub.EXE EAX.AVI?A~????$???Z?A~????*?A~????@?a?T?a???????????????????????????@?????????????????d???????W?D~???sx??s@????????L2?D??sh??s$??????????s????(????&?s?????L2??L2?????(????B?s?92? @@????? @@??L2??B?s??
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-06-18 18:42:12 - machine was rebooted
D:\ComboFix-quarantined-files.txt ... 2007-06-18 18:41
--- E O F ---
Ok we'll scan a few files...
Go to virustotal.com (http://www.virustotal.com)
Copy the following to the box next to "Browse" button:
D:\WINDOWS\system32\ffnd.exe
Click on Send
Wait for the scan to end.
Scan this too D:\WINDOWS\system32\vwdxlkyt.dll
Copy & Paste the scan results to here.
rudebadger
2007-06-20, 02:46
ok here is the results of my scan
STATUS: FINISHEDComplete scanning result of "ffnd.exe", received in VirusTotal at 06.20.2007, 02:38:41 (CET).
Antivirus Version Update Result
AhnLab-V3 2007.6.16.0 06.19.2007 no virus found
AntiVir 7.4.0.34 06.19.2007 no virus found
Authentium 4.93.8 06.19.2007 no virus found
Avast 4.7.997.0 06.19.2007 no virus found
AVG 7.5.0.467 06.19.2007 no virus found
BitDefender 7.2 06.20.2007 no virus found
CAT-QuickHeal 9.00 06.19.2007 no virus found
ClamAV devel-20070416 06.20.2007 no virus found
DrWeb 4.33 06.19.2007 no virus found
eSafe 7.0.15.0 06.19.2007 no virus found
eTrust-Vet 30.7.3727 06.19.2007 no virus found
Ewido 4.0 06.19.2007 no virus found
FileAdvisor 1 06.20.2007 no virus found
Fortinet 2.91.0.0 06.19.2007 no virus found
F-Prot 4.3.2.48 06.19.2007 no virus found
F-Secure 6.70.13030.0 06.19.2007 no virus found
Ikarus T3.1.1.8 06.19.2007 no virus found
Kaspersky 4.0.2.24 06.19.2007 no virus found
McAfee 5056 06.19.2007 no virus found
Microsoft 1.2607 06.19.2007 no virus found
NOD32v2 2339 06.19.2007 no virus found
Norman 5.80.02 06.19.2007 no virus found
Panda 9.0.0.4 06.20.2007 no virus found
Prevx1 V2 06.20.2007 no virus found
Sophos 4.18.0 06.12.2007 no virus found
Sunbelt 2.2.907.0 06.16.2007 no virus found
Symantec 10 06.20.2007 no virus found
TheHacker 6.1.6.134 06.18.2007 no virus found
VBA32 3.12.0.2 06.19.2007 no virus found
VirusBuster 4.3.23:9 06.19.2007 no virus found
Webwasher-Gateway 6.0.1 06.19.2007 no virus found
Aditional Information
File size: 7680 bytes
MD5: fde5a623021c23d7a17ed5144ee0e5e3
SHA1: 610bdc9d0cef2c593f312ee18ca103fc1de84882
STATUS: FINISHEDComplete scanning result of "vwdxlkyt.dll", received in VirusTotal at 06.20.2007, 02:33:31 (CET).
Antivirus Version Update Result
AhnLab-V3 2007.6.16.0 06.19.2007 no virus found
AntiVir 7.4.0.34 06.19.2007 TR/BHO.O.5
Authentium 4.93.8 06.19.2007 no virus found
Avast 4.7.997.0 06.19.2007 no virus found
AVG 7.5.0.467 06.19.2007 Generic4.XZM
BitDefender 7.2 06.20.2007 Trojan.BHO.BP
CAT-QuickHeal 9.00 06.19.2007 Trojan.BHO.o
ClamAV devel-20070416 06.20.2007 Trojan.BHO-67
DrWeb 4.33 06.19.2007 Trojan.Juan
eSafe 7.0.15.0 06.19.2007 Suspicious Trojan/Worm
eTrust-Vet 30.7.3727 06.19.2007 no virus found
Ewido 4.0 06.19.2007 no virus found
FileAdvisor 1 06.20.2007 no virus found
Fortinet 2.91.0.0 06.19.2007 no virus found
F-Prot 4.3.2.48 06.19.2007 no virus found
F-Secure 6.70.13030.0 06.19.2007 Trojan.Win32.BHO.o
Ikarus T3.1.1.8 06.19.2007 Trojan.Win32.BHO.o
Kaspersky 4.0.2.24 06.19.2007 Trojan.Win32.BHO.o
McAfee 5056 06.19.2007 Generic.dx
Microsoft 1.2607 06.19.2007 no virus found
NOD32v2 2339 06.19.2007 Win32/BHO.G
Norman 5.80.02 06.19.2007 W32/BHO.dam
Panda 9.0.0.4 06.20.2007 Spyware/Vundo
Prevx1 V2 06.20.2007 no virus found
Sophos 4.18.0 06.12.2007 Troj/BHO-CE
Sunbelt 2.2.907.0 06.16.2007 VIPRE.Suspicious
Symantec 10 06.20.2007 Trojan.Metajuan
TheHacker 6.1.6.134 06.18.2007 Trojan/BHO.o
VBA32 3.12.0.2 06.19.2007 Trojan.Win32.BHO.o
VirusBuster 4.3.23:9 06.19.2007 Trojan.BHO.GR
Webwasher-Gateway 6.0.1 06.19.2007 Trojan.BHO.O.5
Aditional Information
File size: 55316 bytes
MD5: a57dbe2a890c5fe195bbc20f682aeb40
SHA1: 26e5eadfb57eb6523792ade0bfe1e6e86e662c6b
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.
Hi again, we'll continue :)
You should print these instructions or save these to a text file. Follow these instructions carefully.
Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.
Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.
=================
Disable the bad service
Start
Run
Type services.msc to the field and press enter.
A window opens, scroll down to mdxgthkn
Rightclick it and choose Stop
Then choose Properties
Set Startup to Disabled
Click Apply and OK.
Then, open HijackThis.
Open the Misc Tools section
Delete an NT service
Copy the following line to the box and press OK; mdxgthkn
Answer Yes
Close HIjackThis
Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.
O2 - BHO: (no name) - {3B459957-A1E3-446E-A19D-32C1314D8252} - (no file)
O2 - BHO: (no name) - {F4002052-AB29-4B33-8C8D-0E99084564EC} - (no file)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/257ec942...p/RdxIE601.cab
O20 - Winlogon Notify: sstqp - D:\WINDOWS\
O20 - Winlogon Notify: tuvwtut - tuvwtut.dll (file missing)
Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Go to the My Computer and delete the following files (if present):
D:\WINDOWS\system32\huffyuv.dll
D:\WINDOWS\system32\vwdxlkyt.dll
D:\Documents and Settings\Ric\Local Settings\Temp\mdxgthkn.sys
Run ATF Cleaner Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
Rightclick this file; D:\WINDOWS\system32\ffnd.exe
Choose "Properties"
What does it say on Version, Copyrigth and Company sections?
================
When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log
rudebadger
2007-06-22, 00:42
ok i have a problem here i got as far as removing the bad service but it does not appear under my services.msc list. also i am due to go abroad on vacation tomorrow so i will be away for approximately 2 weeks but will continue with this once i return. thanks for all your help so far :)
Ok, let me know when we'll continue :bigthumb:
rudebadger
2007-07-09, 06:52
hi im back from my vacation now so would like to continue removing these viruses :)
Ok please post a fresh HijackThis log and we'll continue :bigthumb:
rudebadger
2007-07-10, 20:48
hiya this is my latest hijackthis log
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 19:48:37, on 10/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\devldr32.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\WINDOWS\System32\CTsvcCDA.EXE
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\WINDOWS\System32\MsPMSPSv.exe
D:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\Program Files\Creative\ShareDLL\CtNotify.exe
D:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Quicktime\qttask.exe
C:\SONICS~1\SsAAD.exe
D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\DAEMON Tools\daemon.exe
D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
D:\Program Files\Sitecom Wireless LAN\WLANUTL.exe
D:\Program Files\MSN\MSNCoreFiles\msn6.exe
c:\Azureus\Azureus.exe
D:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
C:\Downloads\HiJackThis_v2.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3B459957-A1E3-446E-A19D-32C1314D8252} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - D:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Disc Detector] D:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AHQInit] D:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AudioHQ] D:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [CTAvTray] D:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SsAAD.exe] C:\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [CTAVTray] D:\Program Files\Creative\SBLive\Program\CTAvStub.EXE EAX.AVI
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Uniblue RegistryBooster2] D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Sitecom Wireless LAN Utility.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/257ec9422db632fccc05/netzip/RdxIE601.cab
O20 - Winlogon Notify: sstqp - D:\WINDOWS\
O20 - Winlogon Notify: tuvwtut - tuvwtut.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\System32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 7718 bytes
Hi again :)
This is how we continue....
You should print these instructions or save these to a text file. Follow these instructions carefully.
Open AVG Anti-Spyware:
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.
Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.
=================
Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.
O2 - BHO: (no name) - {3B459957-A1E3-446E-A19D-32C1314D8252} - (no file)
O2 - BHO: (no name) - {F4002052-AB29-4B33-8C8D-0E99084564EC} - (no file)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/257ec942...p/RdxIE601.cab
O20 - Winlogon Notify: sstqp - D:\WINDOWS\
O20 - Winlogon Notify: tuvwtut - tuvwtut.dll (file missing)
Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Go to the My Computer and delete the following files (if present):
D:\WINDOWS\system32\huffyuv.dll
D:\WINDOWS\system32\vwdxlkyt.dll
D:\Documents and Settings\Ric\Local Settings\Temp\mdxgthkn.sys
Run ATF Cleaner Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Reboot to the normal mode.
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Rightclick this file; D:\WINDOWS\system32\ffnd.exe
Choose "Properties"
What does it say on Version, Copyrigth and Company sections?
================
When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log
rudebadger
2007-07-12, 02:21
hi here are my logs
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 01:18:15, on 12/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\devldr32.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\WINDOWS\System32\CTsvcCDA.EXE
D:\WINDOWS\system32\nvsvc32.exe
D:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
D:\WINDOWS\System32\MsPMSPSv.exe
D:\Program Files\Creative\ShareDLL\CtNotify.exe
D:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Quicktime\qttask.exe
C:\SONICS~1\SsAAD.exe
D:\Program Files\Creative\ShareDLL\MediaDet.Exe
D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\DAEMON Tools\daemon.exe
D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
D:\Program Files\Sitecom Wireless LAN\WLANUTL.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Program Files\MSN\MSNCoreFiles\msn6.exe
D:\Documents and Settings\Ric\Desktop\HiJackThis_v2.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - D:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Disc Detector] D:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AHQInit] D:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AudioHQ] D:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [CTAvTray] D:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SsAAD.exe] C:\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [CTAVTray] D:\Program Files\Creative\SBLive\Program\CTAvStub.EXE EAX.AVI
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Uniblue RegistryBooster2] D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Sitecom Wireless LAN Utility.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\System32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 7347 bytes
i made a mistake with the avg instructions and the action was set to delete rather quarantine also it would not let me save a log :oops:
i could not find the version, copyrightor company for this file D:\WINDOWS\system32\ffnd.exe under the properties
Hello :)
Ok the D:\WINDOWS\system32\ffnd.exe seems to belong to a program called "freefixer"...
Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)
Click on Kaspersky Online Scanner
You will be promted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.
Also let me know how the computer is running :bigthumb:
rudebadger
2007-07-14, 01:23
ok here is the report from kaspersky
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, July 14, 2007 12:18:14 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 13/07/2007
Kaspersky Anti-Virus database records: 361981
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
Scan Statistics:
Total number of scanned objects: 136473
Number of viruses found: 6
Number of infected objects: 19 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:41:13
Infected Object Name / Virus Name / Last Action
C:\Downloads\bsplayer141.832.exe/data0011 Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\Downloads\bsplayer141.832.exe NSIS: infected - 1 skipped
C:\Downloads\Cdvd.exe/stream/data0013 Infected: not-a-virus:AdWare.Win32.MyWay.j skipped
C:\Downloads\Cdvd.exe/stream/data0014 Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\Downloads\Cdvd.exe/stream Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\Downloads\Cdvd.exe NSIS: infected - 3 skipped
C:\Downloads\DVDSanta.v4.5.Cracked.Retail-XRAY.rar/DVDSanta.v4.5.Cracked.Retail-XRAY/setup.exe/data.rar/install.exe Infected: Backdoor.Win32.Rbot.cij skipped
C:\Downloads\DVDSanta.v4.5.Cracked.Retail-XRAY.rar/DVDSanta.v4.5.Cracked.Retail-XRAY/setup.exe/data.rar Infected: Backdoor.Win32.Rbot.cij skipped
C:\Downloads\DVDSanta.v4.5.Cracked.Retail-XRAY.rar/DVDSanta.v4.5.Cracked.Retail-XRAY/setup.exe Infected: Backdoor.Win32.Rbot.cij skipped
C:\Downloads\DVDSanta.v4.5.Cracked.Retail-XRAY.rar RAR: infected - 3 skipped
C:\Downloads\mirc621.exe/stream/data0008 Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
C:\Downloads\mirc621.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
C:\Downloads\mirc621.exe NSIS: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\Ric\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\Ric\Desktop\requested-files[2007-06-16_15_20].cab/D:/WINDOWS/system32/wuaudit.exe Infected: Backdoor.Win32.Rbot.cij skipped
D:\Documents and Settings\Ric\Desktop\requested-files[2007-06-16_15_20].cab CAB: infected - 1 skipped
D:\Documents and Settings\Ric\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\Ric\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\Ric\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\Ric\Local Settings\Temp\msn3444.fdr Object is locked skipped
D:\Documents and Settings\Ric\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\Ric\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\Ric\ntuser.dat.LOG Object is locked skipped
D:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
D:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
D:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
D:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
D:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
D:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
D:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
D:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
D:\Program Files\MSN\MSNCoreFiles\market.mar Object is locked skipped
D:\Program Files\MSN\MSNCoreFiles\market32.mar Object is locked skipped
D:\Program Files\MSN\MSNCoreFiles\themedef32.mar Object is locked skipped
D:\Program Files\MSN\MSNCoreFiles\ui.mar Object is locked skipped
D:\Program Files\Sitecom Wireless LAN\sitecom_new.avi Object is locked skipped
D:\Program Files\Sitecom Wireless LAN\Step1_Name.AVI Object is locked skipped
D:\Program Files\Sitecom Wireless LAN\Step2_Infra.AVI Object is locked skipped
D:\Program Files\Sitecom Wireless LAN\Step3_InfraNoWep.AVI Object is locked skipped
D:\Program Files\Sitecom Wireless LAN\Step5_NoSetIP.AVI Object is locked skipped
D:\Program Files\Sitecom Wireless LAN\Step6_SetIP.AVI Object is locked skipped
D:\QooBox\Quarantine\D\WINDOWS\system32\ohrdlttc.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{0A52B77A-3EA0-4AF1-B589-F06E39564B2F}\RP452\change.log Object is locked skipped
D:\VundoFix Backups\bqdyqfcy.dll.bad Infected: Trojan.Win32.BHO.bd skipped
D:\VundoFix Backups\wuaudit.exe.bad Infected: Backdoor.Win32.Rbot.cij skipped
D:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
D:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
D:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
D:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
D:\WINDOWS\Internet Logs\RIXPC.ldb Object is locked skipped
D:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
D:\WINDOWS\SchedLgU.Txt Object is locked skipped
D:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
D:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
D:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
D:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
D:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\default Object is locked skipped
D:\WINDOWS\system32\config\default.LOG Object is locked skipped
D:\WINDOWS\system32\config\SAM Object is locked skipped
D:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
D:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\SECURITY Object is locked skipped
D:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
D:\WINDOWS\system32\config\software Object is locked skipped
D:\WINDOWS\system32\config\software.LOG Object is locked skipped
D:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\system Object is locked skipped
D:\WINDOWS\system32\config\system.LOG Object is locked skipped
D:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
D:\WINDOWS\system32\h323log.txt Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
D:\WINDOWS\Temp\Perflib_Perfdata_764.dat Object is locked skipped
D:\WINDOWS\Temp\ZLT00d39.TMP Object is locked skipped
D:\WINDOWS\Temp\ZLT00d3c.TMP Object is locked skipped
D:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
D:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
freefixer was some software that i downloaded just before i came to you guys for help. the link to it came from an online database of viruses and spyware although i cannot remember the website address.
the pc seems to be running a bit quicker now, the bootup is quite alot faster although the internet is still slow but that is probably because i now have someone sharing the connection with me.
Hello :)
C:\Downloads\DVDSanta.v4.5.Cracked.Retail-XRAY.rar/DVDSanta.v4.5.Cracked.Retail-XRAY/setup.exe/data.rar/install.exe Infected: Backdoor.Win32.Rbot.cij skipped
C:\Downloads\DVDSanta.v4.5.Cracked.Retail-XRAY.rar/DVDSanta.v4.5.Cracked.Retail-XRAY/setup.exe/data.rar Infected: Backdoor.Win32.Rbot.cij skipped
C:\Downloads\DVDSanta.v4.5.Cracked.Retail-XRAY.rar/DVDSanta.v4.5.Cracked.Retail-XRAY/setup.exe Infected: Backdoor.Win32.Rbot.cij skipped
C:\Downloads\DVDSanta.v4.5.Cracked.Retail-XRAY.rar RAR: infected - 3 skipped
Cracks, keygens etc are illegal but as you can see they'll get you infected :sick:
Please post a fresh HijackThis log and I'll have a look :bigthumb:
rudebadger
2007-07-14, 16:47
hmmmmm not sure how they got there :red:
this is the latest hijackthis log
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 15:46:34, on 14/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\devldr32.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\WINDOWS\System32\CTsvcCDA.EXE
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\WINDOWS\System32\MsPMSPSv.exe
D:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
D:\Program Files\Creative\ShareDLL\CtNotify.exe
D:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Quicktime\qttask.exe
C:\SONICS~1\SsAAD.exe
D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\DAEMON Tools\daemon.exe
D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Sitecom Wireless LAN\WLANUTL.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\MSN\MSNCoreFiles\msn6.exe
D:\Documents and Settings\Ric\Desktop\HiJackThis_v2.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - D:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Disc Detector] D:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AHQInit] D:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AudioHQ] D:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [CTAvTray] D:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SsAAD.exe] C:\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [CTAVTray] D:\Program Files\Creative\SBLive\Program\CTAvStub.EXE EAX.AVI
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Uniblue RegistryBooster2] D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Sitecom Wireless LAN Utility.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\System32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 7526 bytes
Hello :)
Looking all good now. Still having issues?
rudebadger
2007-07-16, 00:58
hi mate
the computer seems to be running a lot better now thanks. any tips for how i can protect my pc anymore? once again thanks very much for all the help you have given me :)
Hi again :)
You can remove the tools we used.
Now you can make your hidden files hidden again.
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Check "Hide protected operating system files"
Click Apply and then the OK and close My Computer.
=============
Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.
Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.
Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.
Use AVG Anti-Spyware (http://www.ewido.net/en/)
Download and install AVG Anti-Spyware. Update it and scan your computer regularly with it.
Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.
Install SpywareBlaster (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
SpywareBlaster will prevent spyware from being installed.
Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.
Use Firefox browser (http://www.mozilla.org)
Firefox is faster and more secure browser than Internet Explorer.
Keep your systen up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly. How to enable Automatic Updates? (http://www.bleepingcomputer.com/tutorials/tutorial35.html)
Keep your antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) and firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) up-to-date
Scan your computer regularly with you antivirus software.
Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?
Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Stay clean and be safe ;)