Smitfraud-C Removal



Viper
2007-09-03, 06:41
Hello,

My computer has been freezing up with no keyboard interaction or mouse movement during games as of two weeks ago.. it seems to be on and off...

Anyhow.. I ran my spyware programs (Ad-Aware (found and removed some minor stuff), AVG Anti-Virus Free (found nothing)
and Spybot... which hung the computer (in the way I described it's been happening to me in game) at entry 35913/76767.. which I read as Smitfraud-C. I ran the online antivirus program recommended.. it also hung. I went into safe mode to run Spybot.. it hung the computer again, but this time made it further (39138/76767) at 'Everest Roller'.
So now I don't know what I'm stuck with, but here I am.. and here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:05:22 PM, on 9/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ftutil2] "rundll32.exe " ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NVRaidService] "C:\WINDOWS\system32\nvraidservice.exe"
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe " /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE"
O4 - HKLM\..\Run: [SBDrvDet] "C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe " /r
O4 - HKLM\..\Run: [UpdReg] "C:\WINDOWS\UpdReg.EXE"
O4 - HKLM\..\Run: [SoundMan] "SOUNDMAN.EXE"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = 100acrewoods.local
O17 - HKLM\Software\..\Telephony: DomainName = 100acrewoods.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = 100acrewoods.local
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6274 bytes

Thanks in advance,

Viper

Shaba
2007-09-03, 16:10
Hi Viper

1. Download combofix from one of these links:
Link1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link2 (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Post:

- a fresh HijackThis log
- combofix report

Viper
2007-09-03, 21:36
OK, ran ComboFix:

ComboFix 07-08-30.3 - "Phil" 2007-09-03 13:06:35.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1594 [GMT -6:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\PHIL~1.100\APPLIC~1\macromedia\Flash Player\#SharedObjects\2C46N9HE\www.broadcaster.com
C:\DOCUME~1\PHIL~1.100\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NPF
-------\NPF


((((((((((((((((((((((((( Files Created from 2007-08-03 to 2007-09-03 )))))))))))))))))))))))))))))))


2007-09-03 13:06 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-09-02 22:10 <DIR> d-------- C:\Fix
2007-09-02 22:09 583,920 --a------ C:\WindowsXP-KB898062-x86-ENU.exe
2007-09-02 22:09 232,176 --a------ C:\WindowsXP-KB898062-x86-Symbols-ENU.exe
2007-09-02 22:05 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-02 18:15 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-09-02 18:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-09-02 17:25 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-09-02 17:25 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-09-02 17:25 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-09-02 17:25 2,030 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-02 17:00 <DIR> d-------- C:\Program Files\Advanced Spyware Remover
2007-09-02 15:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-09-01 19:03 <DIR> d-------- C:\temp
2007-09-01 19:02 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Media Center Programs
2007-09-01 18:48 <DIR> d-------- C:\DOCUME~1\Phil\APPLIC~1\InstallShield
2007-08-17 13:04 <DIR> d-------- C:\DOCUME~1\Rich\APPLIC~1\Talkback
2007-08-05 17:12 <DIR> d-------- C:\DOCUME~1\Phil\APPLIC~1\Apple Computer


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-02 12:32 108144 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-09-01 19:41 --------- d-------- C:\DOCUME~1\Phil\APPLIC~1\LimeWire
2007-09-01 18:50 --------- d-------- C:\Program Files\THQ
2007-09-01 18:49 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-23 13:06 --------- d-------- C:\Program Files\EA GAMES
2007-08-10 15:54 --------- d-------- C:\DOCUME~1\Phil\APPLIC~1\uTorrent
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-19 20:51 --------- d-------- C:\Program Files\World of Warcraft
2007-07-18 20:18 --------- d-------- C:\DOCUME~1\Phil\APPLIC~1\Ventrilo
2007-07-18 20:08 --------- d-------- C:\Program Files\Ventrilo
2007-07-18 20:08 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-17 22:02 --------- d-------- C:\Program Files\mIRC
2007-07-03 18:35 --------- d-------- C:\Program Files\DivX
2007-07-02 13:41 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-02 13:41 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-06-29 01:54 356352 --a------ C:\WINDOWS\system32\nvusmb.exe
2007-06-29 01:54 356352 --a------ C:\WINDOWS\system32\nvunrm.exe
2007-06-29 01:54 356352 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2007-06-29 01:54 356352 --a------ C:\WINDOWS\system32\nvuide.exe
2007-06-29 01:54 356352 --a------ C:\WINDOWS\system32\nvudisp.exe
2007-06-29 00:43 8466432 --a------ C:\WINDOWS\system32\nvcpl.dll
2007-06-29 00:43 81920 --a------ C:\WINDOWS\system32\nvwddi.dll
2007-06-29 00:43 81920 --a------ C:\WINDOWS\system32\nvmctray.dll
2007-06-29 00:43 753664 --a------ C:\WINDOWS\system32\nvcplui.exe
2007-06-29 00:43 6729728 --a------ C:\WINDOWS\system32\nvoglnt.dll
2007-06-29 00:43 6234112 --a------ C:\WINDOWS\system32\nvdisps.dll
2007-06-29 00:43 5690624 --a------ C:\WINDOWS\system32\nv4_disp.dll
2007-06-29 00:43 5455872 --a------ C:\WINDOWS\system32\nvdispsr.dll
2007-06-29 00:43 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2007-06-29 00:43 458752 --a------ C:\WINDOWS\system32\nvmccssr.dll
2007-06-29 00:43 45056 --a------ C:\WINDOWS\system32\nvmccsrs.dll
2007-06-29 00:43 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2007-06-29 00:43 425984 --a------ C:\WINDOWS\system32\keystone.exe
2007-06-29 00:43 37376 --a------ C:\WINDOWS\system32\nvcodins.dll
2007-06-29 00:43 37376 --a------ C:\WINDOWS\system32\nvcod.dll
2007-06-29 00:43 360448 --a------ C:\WINDOWS\system32\nvapi.dll
2007-06-29 00:43 3600384 --a------ C:\WINDOWS\system32\nvvitvsr.dll
2007-06-29 00:43 3518464 --a------ C:\WINDOWS\system32\nvvitvs.dll
2007-06-29 00:43 3321856 --a------ C:\WINDOWS\system32\nvgames.dll
2007-06-29 00:43 3072000 --a------ C:\WINDOWS\system32\nvgamesr.dll
2007-06-29 00:43 307200 --a------ C:\WINDOWS\system32\nvexpbar.dll
2007-06-29 00:43 286720 --a------ C:\WINDOWS\system32\nvnt4cpl.dll
2007-06-29 00:43 2854912 --a------ C:\WINDOWS\system32\nvmoblsr.dll
2007-06-29 00:43 2416640 --a------ C:\WINDOWS\system32\nvwssr.dll
2007-06-29 00:43 2330624 --a------ C:\WINDOWS\system32\nvwss.dll
2007-06-29 00:43 229376 --a------ C:\WINDOWS\system32\nvmccs.dll
2007-06-29 00:43 188416 --a------ C:\WINDOWS\system32\nvmccss.dll
2007-06-29 00:43 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2007-06-29 00:43 1626112 --a------ C:\WINDOWS\system32\nwiz.exe
2007-06-29 00:43 155716 --a------ C:\WINDOWS\system32\nvsvc32.exe
2007-06-29 00:43 1474560 --a------ C:\WINDOWS\system32\nview.dll
2007-06-29 00:43 147456 --a------ C:\WINDOWS\system32\nvcolor.exe
2007-06-29 00:43 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2007-06-29 00:43 1142784 --a------ C:\WINDOWS\system32\nvmobls.dll
2007-06-29 00:43 1073152 --a------ C:\WINDOWS\system32\nvcpluir.dll
2007-06-29 00:43 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2007-06-29 00:43 1018772 --a------ C:\WINDOWS\system32\nvucode.bin
2007-06-26 00:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 07:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-17 19:11 94208 --a------ C:\WINDOWS\DIIUnin.exe
2007-06-17 19:11 2829 --a------ C:\WINDOWS\DIIUnin.pif
2007-06-13 04:23 1033216 --a------ C:\WINDOWS\explorer.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ftutil2"=" ftutil2.dll" []
"NVRaidService"="C:\WINDOWS\system32\nvraidservice.exe" [2005-03-14 03:05]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 10:43]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [2003-06-18 01:00]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 18:06]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00]
"SoundMan"="SOUNDMAN.EXE" [2005-03-24 07:20 C:\WINDOWS\SOUNDMAN.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"CTHelper"="CTHELPER.EXE" [2006-08-11 15:56 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 15:56 C:\WINDOWS\system32\CTXFIHLP.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 00:43]
"nwiz"="nwiz.exe" [2007-06-29 00:43 C:\WINDOWS\system32\nwiz.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-16 22:10]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 00:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2006-01-24 13:37]
"Steam"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 11:03]

C:\DOCUME~1\Rich\STARTM~1\Programs\Startup\
PowerReg Scheduler V3.exe [2005-12-16 22:34:39]

R0 DontGo;Promise Removable Disk Control Driver;C:\WINDOWS\system32\drivers\DontGo.sys
R0 viapdsk;VIA ATA/ATAPI Host Controller;C:\WINDOWS\system32\DRIVERS\viapdsk.sys
R0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys
R2 PfDetNT;PfDetNT;\??\C:\WINDOWS\system32\drivers\PfModNT.sys
R3 UsbFltr;%SvcDisplayName%;C:\WINDOWS\system32\drivers\copperhd.sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys
S3 gel90xne;gel90xne;\??\C:\DOCUME~1\Rich\LOCALS~1\Temp\gel90xne.sys
S3 PhilCam8116;Logitech QuickCam Pro 3000 (08B0);C:\WINDOWS\system32\DRIVERS\CamDrO21.sys
S3 Razerlow;Razer Copperhead Driver;C:\WINDOWS\system32\Drivers\Razerlow.sys
S3 WmFilter;Logitech Gaming HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-03 13:12:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-03 13:13:13 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-03 13:13

--- E O F ---


And here is a fresh HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:15:25 PM, on 9/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ftutil2] "rundll32.exe " ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NVRaidService] "C:\WINDOWS\system32\nvraidservice.exe"
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe " /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE"
O4 - HKLM\..\Run: [SBDrvDet] "C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe " /r
O4 - HKLM\..\Run: [UpdReg] "C:\WINDOWS\UpdReg.EXE"
O4 - HKLM\..\Run: [SoundMan] "SOUNDMAN.EXE"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = 100acrewoods.local
O17 - HKLM\Software\..\Telephony: DomainName = 100acrewoods.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = 100acrewoods.local
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6163 bytes

Shaba
2007-09-04, 08:27
Hi

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)

Please click this link-->Jotti (http://virusscan.jotti.org/)

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

C:\Documents and settings\Rich\LocalService\Temp\gel90xne.sys

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/flash/index_en.html

Viper
2007-09-04, 22:53
Hi Shaba,

I set it up so I can see hidden files now... and tried Jotti, but I can't seem to find a Local Service folder inside Rich... but there is a Local Settings one with a Temp folder inside (in it there is a folder called Google Toolbar, empty.... as well as jusched.txt).
I tried logging on as Rich to see if that would help... still no luck.

Shaba
2007-09-05, 12:53
Hi

My bad, it should be Local Settings.

You can copy/paste the filename with its path into Jotti/VirusTotal if you still can't find it :)

Viper
2007-09-05, 18:40
I can't seem to find the file at all... I have checked all the places in Rich's Documents and Settings, and have searched C:\ for it (although I didn't expect that to work) :sad:
I also have made sure I can see hidden files.. and tried logging on as Rich to see if that helps, and still nothing.

Thanks again for your time and trouble aiding me

Shaba
2007-09-05, 18:58
Hi

Please do a search:

Go "Start">"Search">"All Files and Folders"
Enter gel90xne.sys in "All or part of file name"
Select "More advanced options"
Check-mark "Search System Folders", "Search hidden files and folders", and "Search subfolders".
Click "Search".
Write down filepath and try again

Viper
2007-09-06, 00:37
I tried your suggestion and it still isn't finding anything. I also tried gel90xne on its own with no .sys at the end.

Shaba
2007-09-06, 11:36
Hi

Then we do this, as it's running from the Temp folder and is almost 100% bad.

Open Notepad and copy/paste the text in the quote box below into it:


File::
C:\DOCUME~1\Rich\LOCALS~1\Temp\gel90xne.sys

Driver::
gel90xne


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
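
The rule the helper applies here, a kernel driver whose image sits in a user's Temp folder is almost certainly unwanted, can be checked mechanically against the Drivers/Services block of a ComboFix log. The script below is an added example written for this page; it is not ComboFix's code and not something anyone in this thread posted. It parses lines of the `R3 name;display name;image path` form seen in the log above, normalises the `\??\` path prefix, and scores each entry: loading from a temp directory is the strong signal, a user-profile path and a random-looking service name that doubles as its display name are weaker ones. The sample lines are constructed, modelled on the driver list posted earlier in the thread; the score weights, the threshold and the "random-looking name" pattern are my own assumptions, not anything ComboFix implements.

```python
"""Triage the Drivers/Services block of a ComboFix-style log (added example).

Parses lines of the form
    <R|S><start type> <service name>;<display name>;<image path>
and flags kernel drivers whose image lives in a temp directory or under a
user profile, the heuristic applied to gel90xne.sys in the thread.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the driver list in the thread's log.
SAMPLE_LINES = r"""
R0 viapdsk;VIA ATA/ATAPI Host Controller;C:\WINDOWS\system32\DRIVERS\viapdsk.sys
R2 PfDetNT;PfDetNT;\??\C:\WINDOWS\system32\drivers\PfModNT.sys
R3 UsbFltr;%SvcDisplayName%;C:\WINDOWS\system32\drivers\copperhd.sys
S3 gel90xne;gel90xne;\??\C:\DOCUME~1\Rich\LOCALS~1\Temp\gel90xne.sys
S3 Razerlow;Razer Copperhead Driver;C:\WINDOWS\system32\Drivers\Razerlow.sys
"""

LINE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.+)$")

# Lower-case path fragments (after normalisation) that no installed kernel
# driver should load from. Markers and weights are assumptions for this example.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\", "%temp%")
PROFILE_MARKERS = ("\\docume~1\\", "\\documents and settings\\", "\\users\\")
# A short all-lower-case mix of letters and digits, e.g. "gel90xne".
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{6,10}$")


@dataclass
class DriverEntry:
    state: str          # "R" running / "S" stopped (ComboFix convention)
    start_type: int     # 0 boot, 1 system, 2 auto, 3 demand
    name: str
    display_name: str
    path: str           # normalised: "\??\" prefix stripped, lower-cased
    reasons: list = field(default_factory=list)
    score: int = 0


def normalize_path(raw: str) -> str:
    """Strip the NT object-manager prefix and lower-case for comparison."""
    p = raw.strip()
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.lower()


def parse_line(line: str):
    """Return a DriverEntry for a driver/service line, or None for other text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return DriverEntry(m.group(1), int(m.group(2)), m.group(3).strip(),
                       m.group(4).strip(), normalize_path(m.group(5)))


def assess(entry: DriverEntry) -> DriverEntry:
    """Attach heuristic findings and a score (>= 10 means 'treat as bad')."""
    if any(mk in entry.path for mk in TEMP_MARKERS):
        entry.reasons.append("image loads from a temp directory")
        entry.score += 10
    if any(mk in entry.path for mk in PROFILE_MARKERS):
        entry.reasons.append("image lives under a user profile, not system32")
        entry.score += 5
    if entry.display_name == entry.name and RANDOM_NAME_RE.match(entry.name):
        entry.reasons.append("display name repeats a random-looking service name")
        entry.score += 3
    if not entry.display_name or entry.display_name.startswith("%"):
        # Weak signal: legitimate vendor drivers ship unresolved strings too.
        entry.reasons.append("display name is an unresolved resource string")
        entry.score += 1
    return entry


def triage(text: str) -> list:
    """Parse every driver/service line in `text` and assess each one."""
    entries = []
    for line in text.splitlines():
        e = parse_line(line)
        if e is not None:
            entries.append(assess(e))
    return entries


def flagged(text: str, threshold: int = 10) -> list:
    """Names of drivers that meet the 'treat as bad' threshold."""
    return [e.name for e in triage(text) if e.score >= threshold]


if __name__ == "__main__":
    for e in triage(SAMPLE_LINES):
        tag = "BAD " if e.score >= 10 else "ok  "
        print(f"{tag} {e.state}{e.start_type} {e.name:<10} {e.path}")
        for r in e.reasons:
            print(f"        - {r}")
```

Run as-is it lists the five sample entries and marks only gel90xne as bad; to use it on a real log, pass the whole ComboFix.txt text to `triage()`, since lines that are not driver entries are ignored. Note that a flagged entry proves the service registration exists, not that the file is still on disk: as the thread shows, the driver key can outlive the file, and ComboFix's `Driver::` directive removes the key regardless.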

Viper
2007-09-06, 18:34
Hello,

Here is the ComboFix log which came up on startup:
ComboFix 07-08-30.3 - "Phil" 2007-09-06 10:02:42.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1671 [GMT -6:00]
Command switches used :: C:\Documents and Settings\Phil\My Documents\CFScript.txt
* Created a new restore point

FILE::
C:\DOCUME~1\Rich\LOCALS~1\Temp\gel90xne.sys


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_GEL90XNE
-------\gel90xne


((((((((((((((((((((((((( Files Created from 2007-08-06 to 2007-09-06 )))))))))))))))))))))))))))))))


2007-09-03 13:06 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-09-02 22:10 <DIR> d-------- C:\Fix
2007-09-02 22:09 583,920 --a------ C:\WindowsXP-KB898062-x86-ENU.exe
2007-09-02 22:09 232,176 --a------ C:\WindowsXP-KB898062-x86-Symbols-ENU.exe
2007-09-02 22:05 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-02 18:15 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-09-02 18:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-09-02 17:25 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-09-02 17:25 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-09-02 17:25 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-09-02 17:25 2,030 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-02 17:00 <DIR> d-------- C:\Program Files\Advanced Spyware Remover
2007-09-02 15:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-09-01 19:03 <DIR> d-------- C:\temp
2007-09-01 19:02 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Media Center Programs
2007-09-01 18:48 <DIR> d-------- C:\DOCUME~1\Phil\APPLIC~1\InstallShield
2007-08-17 13:04 <DIR> d-------- C:\DOCUME~1\Rich\APPLIC~1\Talkback


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-04 21:39 --------- d-------- C:\Program Files\World of Warcraft
2007-09-02 12:32 108144 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-09-01 19:41 --------- d-------- C:\DOCUME~1\Phil\APPLIC~1\LimeWire
2007-09-01 18:50 --------- d-------- C:\Program Files\THQ
2007-09-01 18:49 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-23 13:06 --------- d-------- C:\Program Files\EA GAMES
2007-08-10 15:54 --------- d-------- C:\DOCUME~1\Phil\APPLIC~1\uTorrent
2007-08-05 17:12 --------- d-------- C:\DOCUME~1\Phil\APPLIC~1\Apple Computer
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-18 20:18 --------- d-------- C:\DOCUME~1\Phil\APPLIC~1\Ventrilo
2007-07-18 20:08 --------- d-------- C:\Program Files\Ventrilo
2007-07-18 20:08 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-17 22:02 --------- d-------- C:\Program Files\mIRC
2007-07-02 13:41 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-02 13:41 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-06-29 01:54 356352 --a------ C:\WINDOWS\system32\nvusmb.exe
2007-06-29 01:54 356352 --a------ C:\WINDOWS\system32\nvunrm.exe
2007-06-29 01:54 356352 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2007-06-29 01:54 356352 --a------ C:\WINDOWS\system32\nvuide.exe
2007-06-29 01:54 356352 --a------ C:\WINDOWS\system32\nvudisp.exe
2007-06-29 00:43 8466432 --a------ C:\WINDOWS\system32\nvcpl.dll
2007-06-29 00:43 81920 --a------ C:\WINDOWS\system32\nvwddi.dll
2007-06-29 00:43 81920 --a------ C:\WINDOWS\system32\nvmctray.dll
2007-06-29 00:43 753664 --a------ C:\WINDOWS\system32\nvcplui.exe
2007-06-29 00:43 6729728 --a------ C:\WINDOWS\system32\nvoglnt.dll
2007-06-29 00:43 6234112 --a------ C:\WINDOWS\system32\nvdisps.dll
2007-06-29 00:43 5690624 --a------ C:\WINDOWS\system32\nv4_disp.dll
2007-06-29 00:43 5455872 --a------ C:\WINDOWS\system32\nvdispsr.dll
2007-06-29 00:43 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2007-06-29 00:43 458752 --a------ C:\WINDOWS\system32\nvmccssr.dll
2007-06-29 00:43 45056 --a------ C:\WINDOWS\system32\nvmccsrs.dll
2007-06-29 00:43 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2007-06-29 00:43 425984 --a------ C:\WINDOWS\system32\keystone.exe
2007-06-29 00:43 37376 --a------ C:\WINDOWS\system32\nvcodins.dll
2007-06-29 00:43 37376 --a------ C:\WINDOWS\system32\nvcod.dll
2007-06-29 00:43 360448 --a------ C:\WINDOWS\system32\nvapi.dll
2007-06-29 00:43 3600384 --a------ C:\WINDOWS\system32\nvvitvsr.dll
2007-06-29 00:43 3518464 --a------ C:\WINDOWS\system32\nvvitvs.dll
2007-06-29 00:43 3321856 --a------ C:\WINDOWS\system32\nvgames.dll
2007-06-29 00:43 3072000 --a------ C:\WINDOWS\system32\nvgamesr.dll
2007-06-29 00:43 307200 --a------ C:\WINDOWS\system32\nvexpbar.dll
2007-06-29 00:43 286720 --a------ C:\WINDOWS\system32\nvnt4cpl.dll
2007-06-29 00:43 2854912 --a------ C:\WINDOWS\system32\nvmoblsr.dll
2007-06-29 00:43 2416640 --a------ C:\WINDOWS\system32\nvwssr.dll
2007-06-29 00:43 2330624 --a------ C:\WINDOWS\system32\nvwss.dll
2007-06-29 00:43 229376 --a------ C:\WINDOWS\system32\nvmccs.dll
2007-06-29 00:43 188416 --a------ C:\WINDOWS\system32\nvmccss.dll
2007-06-29 00:43 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2007-06-29 00:43 1626112 --a------ C:\WINDOWS\system32\nwiz.exe
2007-06-29 00:43 155716 --a------ C:\WINDOWS\system32\nvsvc32.exe
2007-06-29 00:43 1474560 --a------ C:\WINDOWS\system32\nview.dll
2007-06-29 00:43 147456 --a------ C:\WINDOWS\system32\nvcolor.exe
2007-06-29 00:43 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2007-06-29 00:43 1142784 --a------ C:\WINDOWS\system32\nvmobls.dll
2007-06-29 00:43 1073152 --a------ C:\WINDOWS\system32\nvcpluir.dll
2007-06-29 00:43 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2007-06-29 00:43 1018772 --a------ C:\WINDOWS\system32\nvucode.bin
2007-06-26 00:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 07:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-17 19:11 94208 --a------ C:\WINDOWS\DIIUnin.exe
2007-06-17 19:11 2829 --a------ C:\WINDOWS\DIIUnin.pif
2007-06-13 04:23 1033216 --a------ C:\WINDOWS\explorer.exe


((((((((((((((((((((((((((((( snapshot_2007-09-03_131252.03 )))))))))))))))))))))))))))))))))))))))))

-c----w 180,224 2004-08-04 12:00:00 C:\WINDOWS\$NtUninstallKB898062$\scecli.dll
-c----w 209,632 2005-02-25 03:35:05 C:\WINDOWS\$NtUninstallKB898062$\spuninst\spuninst.exe
-c----w 371,936 2005-02-25 03:35:06 C:\WINDOWS\$NtUninstallKB898062$\spuninst\updspapi.dll
----a-w 181,248 2005-04-22 21:16:56 C:\WINDOWS\system32\scecli.dll

----a-w 180,224 2004-08-04 12:00:00 C:\WINDOWS\system32\scecli.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ftutil2"=" ftutil2.dll" []
"NVRaidService"="C:\WINDOWS\system32\nvraidservice.exe" [2005-03-14 03:05]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 10:43]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [2003-06-18 01:00]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 18:06]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00]
"SoundMan"="SOUNDMAN.EXE" [2005-03-24 07:20 C:\WINDOWS\SOUNDMAN.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"CTHelper"="CTHELPER.EXE" [2006-08-11 15:56 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 15:56 C:\WINDOWS\system32\CTXFIHLP.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 00:43]
"nwiz"="nwiz.exe" [2007-06-29 00:43 C:\WINDOWS\system32\nwiz.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-16 22:10]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 00:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2006-01-24 13:37]
"Steam"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 11:03]

C:\DOCUME~1\Rich\STARTM~1\Programs\Startup\
PowerReg Scheduler V3.exe [2005-12-16 22:34:39]

R0 DontGo;Promise Removable Disk Control Driver;C:\WINDOWS\system32\drivers\DontGo.sys
R0 viapdsk;VIA ATA/ATAPI Host Controller;C:\WINDOWS\system32\DRIVERS\viapdsk.sys
R0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys
R2 PfDetNT;PfDetNT;\??\C:\WINDOWS\system32\drivers\PfModNT.sys
R3 UsbFltr;%SvcDisplayName%;C:\WINDOWS\system32\drivers\copperhd.sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys
S3 PhilCam8116;Logitech QuickCam Pro 3000 (08B0);C:\WINDOWS\system32\DRIVERS\CamDrO21.sys
S3 Razerlow;Razer Copperhead Driver;C:\WINDOWS\system32\Drivers\Razerlow.sys
S3 WmFilter;Logitech Gaming HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-06 10:07:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-06 10:08:21 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-06 10:08
C:\ComboFix2.txt ... 2007-09-04 14:45
C:\ComboFix3.txt ... 2007-09-03 13:13

--- E O F ---

Viper
2007-09-06, 18:39
... and here is a fresh HijackThis log :bigthumb:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:17:53 AM, on 9/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ATKKBService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ftutil2] "rundll32.exe " ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NVRaidService] "C:\WINDOWS\system32\nvraidservice.exe"
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe " /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE"
O4 - HKLM\..\Run: [SBDrvDet] "C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe " /r
O4 - HKLM\..\Run: [UpdReg] "C:\WINDOWS\UpdReg.EXE"
O4 - HKLM\..\Run: [SoundMan] "SOUNDMAN.EXE"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = 100acrewoods.local
O17 - HKLM\Software\..\Telephony: DomainName = 100acrewoods.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = 100acrewoods.local
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6219 bytes
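
The Reg Loading Points in the ComboFix log and the O4 lines in the HijackThis log above are the same data: what the Run keys launch at logon. One thing neither listing calls out is which entries name their image or DLL by bare name (ftutil2.dll, SOUNDMAN.EXE, CTHELPER.EXE, CTXFIHLP.EXE, nwiz.exe) instead of by full path. A bare name is found through the executable or DLL search order at logon, which is why ComboFix appends the path it resolved to (for example `[... C:\WINDOWS\SOUNDMAN.EXE]`), and why a same-named file earlier in that search order would be the one that runs. The script below is an added example, not part of this thread and not HijackThis or ComboFix code: it parses O4 lines, works out what is really loaded (for RUNDLL32 entries that is the DLL, not rundll32 itself), and separates fixed-path entries from search-path ones. The sample lines are a subset copied from the log above; the field names and the category labels are my own.

```python
import re

# Constructed sample: a subset of the O4 lines from the HijackThis log posted
# above, copied as-is so the parser sees the real entry shapes (quoted paths,
# bare names, rundll32-loaded DLLs, per-user hives). The O2 line is there to
# show that non-O4 lines are ignored.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [ftutil2] "rundll32.exe " ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NVRaidService] "C:\WINDOWS\system32\nvraidservice.exe"
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe " /r
O4 - HKLM\..\Run: [SoundMan] "SOUNDMAN.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
"""

# One HijackThis O4 line: hive, key, value name, command, optional user suffix.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]+)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']+)'\))?$"
)

# A target counts as fully qualified if it starts with a drive letter, a UNC
# prefix or an environment variable; anything else is located by search order.
QUALIFIED_RE = re.compile(r"^(?:[A-Za-z]:\\|\\\\|%)")
# First image-like token of an unquoted command (lets unquoted paths with
# spaces through, e.g. C:\Program Files\...\GoogleToolbarNotifier.exe).
IMAGE_RE = re.compile(r"(?i)^(.+?\.(?:exe|dll|com|bat|cmd|scr|pif))(?:\s+|$)(.*)$")


def split_command(cmd):
    """Return (image, arguments) for a Run value's command string.

    Handles the quoted form ("C:\\path with spaces\\x.exe " /r), the bare
    form (CTHELPER.EXE) and unquoted paths that contain spaces.
    """
    cmd = cmd.strip()
    if not cmd:
        return "", ""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return cmd[1:].strip(), ""
        return cmd[1:end].strip(), cmd[end + 1:].strip()
    m = IMAGE_RE.match(cmd)
    if m:
        return m.group(1).strip(), m.group(2).strip()
    parts = cmd.split(None, 1)
    return parts[0], parts[1] if len(parts) > 1 else ""


def triage_o4(log_text):
    """Parse every O4 line and record what actually gets loaded and how."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        image, args = split_command(m.group("cmd"))
        via_rundll32 = image.lower().rsplit("\\", 1)[-1] in ("rundll32.exe", "rundll32")
        # For rundll32 the thing that matters is the DLL it is told to load:
        # the first comma-separated token of the arguments.
        target = args.split(",", 1)[0].strip().strip('"') if via_rundll32 else image
        entries.append({
            "hive": m.group("hive"),
            "key": m.group("key"),
            "name": m.group("name"),
            "user": m.group("user"),
            "target": target,
            "via_rundll32": via_rundll32,
            "qualified": bool(QUALIFIED_RE.match(target)),
        })
    return entries


def bare_name_entries(log_text):
    """Value names whose image or DLL is given without a path."""
    return [e["name"] for e in triage_o4(log_text) if not e["qualified"]]


if __name__ == "__main__":
    for e in triage_o4(SAMPLE_HJT):
        flag = "fixed-path " if e["qualified"] else "search-path"
        print(f"{flag} {e['hive']:<14} {e['name']:<14} -> {e['target']}")
```

Run it against a whole HijackThis log and the search-path entries are the ones to cross-check against the resolved paths ComboFix prints, or against a directory listing of C:\WINDOWS and system32, before deciding anything about them.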

Shaba
2007-09-06, 18:41
Hi

Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:

o Scan using the following Anti-Virus database:

+ Extended (If available otherwise Standard)

o Scan Options:

+ Scan Archives
+ Scan Mail Bases

Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset it to 100%.

Post:

- a fresh HijackThis log
- kaspersky report

Viper
2007-09-07, 04:42
Hello,

Kaspersky will not finish scanning... it causes the computer to hang mid-scan :spider:

Shaba
2007-09-07, 14:03
Hi

Try this instead:

Please run this online scan:

Panda ActiveScan (http://www.pandasoftware.com/activescan/com/activescan_principal.htm)

Once you are on the Panda site, click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on Local Disks to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post the contents of the Panda scan report, along with a new HijackThis Log

Viper
2007-09-08, 00:21
Here is the Panda log (two parts, because of the post size limit)

Incident Status Location

Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Dianne\Cookies\dianne@burstnet[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Dianne\Cookies\dianne@www.burstbeacon[2].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\h3bf5jdm.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\h3bf5jdm.default\cookies.txt[.com.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\h3bf5jdm.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\h3bf5jdm.default\cookies.txt[.toplist.cz/]
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\h3bf5jdm.default\cookies.txt[.yadro.ru/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\h3bf5jdm.default\cookies.txt[.go.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\h3bf5jdm.default\cookies.txt[.ehg-dig.hitbox.com/]
Spyware:Cookie/Hitslink Not disinfected C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\h3bf5jdm.default\cookies.txt[counter.hitslink.com/]
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\h3bf5jdm.default\cookies.txt[.www.myaffiliateprogram.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\h3bf5jdm.default\cookies.txt[.2o7.net/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Phil\Cookies\phil@ad.yieldmanager[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Phil\Cookies\phil@atwola[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Phil\Cookies\phil@azjmp[1].txt
Spyware:Cookie/BurstNet Not disinfected

Viper
2007-09-08, 00:21
C:\Documents and Settings\Phil\Cookies\phil@burstnet[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Phil\Cookies\phil@casalemedia[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Phil\Desktop\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\Phil\Desktop\SmitfraudFix\restart.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Phil\Desktop\SmitfraudFix\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\Phil\Desktop\SmitfraudFix\SmitfraudFix.zip[SmitfraudFix/restart.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Phil\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\Phil\Desktop\SmitfraudFix.zip[SmitfraudFix/restart.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Phil\Desktop\Windows Fix\Computer Fix\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Phil\Local Settings\Temporary Internet Files\Content.IE5\CBO35DCG\SmitfraudFix[1].zip[SmitfraudFix/Process.exe]
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\Phil\Local Settings\Temporary Internet Files\Content.IE5\CBO35DCG\SmitfraudFix[1].zip[SmitfraudFix/restart.exe]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\phil.100ACREWOODS\Application Data\Mozilla\Firefox\Profiles\w2b5pg5n.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\phil.100ACREWOODS\Application Data\Mozilla\Firefox\Profiles\w2b5pg5n.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\phil.100ACREWOODS\Application Data\Mozilla\Firefox\Profiles\w2b5pg5n.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\phil.100ACREWOODS\Application Data\Mozilla\Firefox\Profiles\w2b5pg5n.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\phil.100ACREWOODS\Application Data\Mozilla\Firefox\Profiles\w2b5pg5n.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\phil.100ACREWOODS\Application Data\Mozilla\Firefox\Profiles\w2b5pg5n.default\cookies.txt[.anm.co.uk/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\phil.100ACREWOODS\Application Data\Mozilla\Firefox\Profiles\w2b5pg5n.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\phil.100ACREWOODS\Application Data\Mozilla\Firefox\Profiles\w2b5pg5n.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\phil.100ACREWOODS\Application Data\Mozilla\Firefox\Profiles\w2b5pg5n.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\phil.100ACREWOODS\Application Data\Mozilla\Firefox\Profiles\w2b5pg5n.default\cookies.txt[.com.com/]
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\phil.100ACREWOODS\Application Data\Mozilla\Firefox\Profiles\w2b5pg5n.default\cookies.txt[.i.screensavers.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\phil.100ACREWOODS\Application Data\Mozilla\Firefox\Profiles\w2b5pg5n.default\cookies.txt[.overture.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\phil.100ACREWOODS\Application Data\Mozilla\Firefox\Profiles\w2b5pg5n.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\phil.100ACREWOODS\Application Data\Mozilla\Firefox\Profiles\w2b5pg5n.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\phil.100ACREWOODS\Application Data\Mozilla\Firefox\Profiles\w2b5pg5n.default\cookies.txt[.revenue.net/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\phil.100ACREWOODS\Application Data\Mozilla\Firefox\Profiles\w2b5pg5n.default\cookies.txt[.searchportal.information.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\phil.100ACREWOODS\Application Data\Mozilla\Firefox\Profiles\w2b5pg5n.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\phil.100ACREWOODS\Application Data\Mozilla\Firefox\Profiles\w2b5pg5n.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\phil.100ACREWOODS\Application Data\Mozilla\Firefox\Profiles\w2b5pg5n.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\phil.100ACREWOODS\Application Data\Mozilla\Firefox\Profiles\w2b5pg5n.default\cookies.txt[.xiti.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\phil.100ACREWOODS\Application Data\Mozilla\Firefox\Profiles\w2b5pg5n.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\phil.100ACREWOODS\Cookies\phil@anm.co[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\phil.100ACREWOODS\Cookies\phil@burstnet[2].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\phil.100ACREWOODS\Cookies\phil@cgi-bin[1].txt
Spyware:Cookie/Kmpads Not disinfected C:\Documents and Settings\phil.100ACREWOODS\Cookies\phil@kmpads[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\phil.100ACREWOODS\Cookies\phil@xiti[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Rich\Cookies\rich@888[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Rich\Cookies\rich@ad.yieldmanager[1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Rich\Cookies\rich@adopt.hbmediapro[2].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Rich\Cookies\rich@adtech[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Rich\Cookies\rich@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Rich\Cookies\rich@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Rich\Cookies\rich@atwola[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Rich\Cookies\rich@belnk[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Rich\Cookies\rich@bs.serving-sys[1].txt
Spyware:Cookie/BurstNet Not disinfected

Viper
2007-09-08, 00:22
C:\Documents and Settings\Rich\Cookies\rich@burstnet[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Rich\Cookies\rich@casalemedia[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Rich\Cookies\rich@dist.belnk[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Rich\Cookies\rich@doubleclick[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Rich\Cookies\rich@ehg-dig.hitbox[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Rich\Cookies\rich@go[1].txt
Spyware:Cookie/Kmpads Not disinfected C:\Documents and Settings\Rich\Cookies\rich@kmpads[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Rich\Cookies\rich@overture[1].txt
Spyware:Cookie/Paypopup Not disinfected C:\Documents and Settings\Rich\Cookies\rich@paypopup[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Rich\Cookies\rich@serving-sys[2].txt
Spyware:Cookie/Affiliate fuel Not disinfected C:\Documents and Settings\Rich\Cookies\rich@www.affiliatefuel[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Rich\Cookies\rich@www.burstbeacon[2].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Rich\Cookies\rich@xiti[1].txt
Potentially unwanted tool:Application/PRScheduler Not disinfected C:\Documents and Settings\Rich\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Rich.100ACREWOODS\Application Data\Mozilla\Firefox\Profiles\4jjfi63k.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Rich.100ACREWOODS\Application Data\Mozilla\Firefox\Profiles\4jjfi63k.default\cookies.txt[.ad.yieldmanager.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Rich.100ACREWOODS\Application Data\Mozilla\Firefox\Profiles\4jjfi63k.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Rich.100ACREWOODS\Application Data\Mozilla\Firefox\Profiles\4jjfi63k.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Rich.100ACREWOODS\Application Data\Mozilla\Firefox\Profiles\4jjfi63k.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Rich.100ACREWOODS\Application Data\Mozilla\Firefox\Profiles\4jjfi63k.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Rich.100ACREWOODS\Application Data\Mozilla\Firefox\Profiles\4jjfi63k.default\cookies.txt[.go.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Rich.100ACREWOODS\Application Data\Mozilla\Firefox\Profiles\4jjfi63k.default\cookies.txt[.ehg-dig.hitbox.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Rich.100ACREWOODS\Application Data\Mozilla\Firefox\Profiles\4jjfi63k.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Rich.100ACREWOODS\Application Data\Mozilla\Firefox\Profiles\4jjfi63k.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Rich.100ACREWOODS\Application Data\Mozilla\Firefox\Profiles\4jjfi63k.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Rich.100ACREWOODS\Application Data\Mozilla\Firefox\Profiles\4jjfi63k.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Rich.100ACREWOODS\Application Data\Mozilla\Firefox\Profiles\4jjfi63k.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Rich.100ACREWOODS\Application Data\Mozilla\Firefox\Profiles\4jjfi63k.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Rich.100ACREWOODS\Application Data\Mozilla\Firefox\Profiles\4jjfi63k.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Rich.100ACREWOODS\Application Data\Mozilla\Firefox\Profiles\4jjfi63k.default\cookies.txt[.advertising.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Rich.100ACREWOODS\Application Data\Mozilla\Firefox\Profiles\4jjfi63k.default\cookies.txt[.247realmedia.com/]
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Rich.100ACREWOODS\Application Data\Mozilla\Firefox\Profiles\4jjfi63k.default\cookies.txt[.yadro.ru/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Rich.100ACREWOODS\Application Data\Mozilla\Firefox\Profiles\4jjfi63k.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Rich.100ACREWOODS\Application Data\Mozilla\Firefox\Profiles\4jjfi63k.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Rich.100ACREWOODS\Application Data\Mozilla\Firefox\Profiles\4jjfi63k.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Rich.100ACREWOODS\Application Data\Mozilla\Firefox\Profiles\4jjfi63k.default\cookies.txt[.com.com/]
Spyware:Cookie/SpyLog Not disinfected C:\Documents and Settings\Rich.100ACREWOODS\Application Data\Mozilla\Firefox\Profiles\4jjfi63k.default\cookies.txt[.spylog.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Rich.100ACREWOODS\Application Data\Mozilla\Firefox\Profiles\4jjfi63k.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Rich.100ACREWOODS\Application Data\Mozilla\Firefox\Profiles\4jjfi63k.default\cookies.txt[.server.iad.liveperson.net/hc/80570461]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Rich.100ACREWOODS\Cookies\rich@atdmt[2].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Rich.100ACREWOODS\Cookies\rich@burstnet[2].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Rich.100ACREWOODS\Cookies\rich@cgi-bin[1].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Rich.100ACREWOODS\Cookies\rich@yadro[1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe
Potentially unwanted tool:Application/CloseApp Not disinfected
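
What is actually in that Panda report, as an added example that is not part of the thread and not a Panda tool: nearly every line is a tracking cookie in one of several user profiles (Dianne, Phil, Rich, and the domain-joined phil.100ACREWOODS and Rich.100ACREWOODS copies), and the "Potentially unwanted tool" hits are the removal tools themselves (SmitfraudFix's Process.exe and restart.exe, and the nircmd.exe the report shows inside ComboFix.exe). The script parses the report's `Incident Status Location` lines, buckets them, and leaves only the handful that still deserve a look. Assumptions, mine and not Panda's: the marker list CLEANUP_TOOL_MARKERS, the bucket names, and the statuses other than "Not disinfected", which is the only one that appears above.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the Panda ActiveScan report posted
# above, one of each kind of hit it reported, plus the header Panda prints and
# one line cut off by the forum post-size limit (no Location field).
SAMPLE_REPORT = r"""
Incident Status Location

Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Dianne\Cookies\dianne@burstnet[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Rich\Cookies\rich@atdmt[2].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\h3bf5jdm.default\cookies.txt[.2o7.net/]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Phil\Desktop\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe
Potentially unwanted tool:Application/PRScheduler Not disinfected C:\Documents and Settings\Rich\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
Spyware:Cookie/BurstNet Not disinfected
"""

# Incident is "<kind>:<name>", then the status, then (if not truncated) the
# location. "Not disinfected" is the only status in the posted report; the
# other alternatives are assumed.
LINE_RE = re.compile(
    r"^(?P<kind>[^:]+):(?P<name>.+?)\s+"
    r"(?P<status>Not disinfected|Disinfected|Deleted|Renamed)"
    r"(?:\s+(?P<location>.+))?$"
)
# Archive members and cookie-jar entries are reported as path[inner item].
CONTAINER_RE = re.compile(r"\[([^\[\]]+)\]$")
PROFILE_RE = re.compile(r"(?i)^[A-Za-z]:\\Documents and Settings\\([^\\]+)\\")

# Assumption: these substrings identify the removal tools the poster ran,
# which Panda flags as "Potentially unwanted tool". Adjust for the tools in use.
CLEANUP_TOOL_MARKERS = ("smitfraudfix", "combofix", "nircmd.exe")


def parse_report(text):
    """Turn the report text into one dict per incident line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, blank line, or not an incident line
        loc = m.group("location")
        inner = CONTAINER_RE.search(loc) if loc else None
        prof = PROFILE_RE.match(loc) if loc else None
        records.append({
            "kind": m.group("kind"),
            "name": m.group("name"),
            "status": m.group("status"),
            "location": loc,
            "container_item": inner.group(1) if inner else None,
            "profile": prof.group(1) if prof else None,
        })
    return records


def triage(rec):
    """Bucket one incident: cookie, our own cleanup tool, or something to look at."""
    loc = (rec["location"] or "").lower()
    if rec["name"].startswith("Cookie/"):
        return "tracking-cookie"
    if any(marker in loc for marker in CLEANUP_TOOL_MARKERS):
        return "cleanup-tool"
    if rec["kind"] == "Potentially unwanted tool":
        return "pua-review"
    return "review"


def summarize(text):
    records = parse_report(text)
    counts = Counter(triage(r) for r in records)
    to_review = [r["location"] for r in records if triage(r) in ("pua-review", "review")]
    profiles = sorted({r["profile"] for r in records if r["profile"]})
    return {"total": len(records), "counts": dict(counts), "review": to_review, "profiles": profiles}


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print(f"{s['total']} incidents across profiles {s['profiles']}")
    for cat, n in sorted(s["counts"].items()):
        print(f"  {cat:<16} {n}")
    for loc in s["review"]:
        print("  needs a look:", loc)
```

On the full three-part report above the same script reduces roughly a hundred lines to one item in the review bucket (the PowerReg Scheduler V3.exe startup entry), with everything else being cookies or the poster's own tools; the `profiles` list is a quick way to see how many separate user profiles the cookies are spread over.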

Viper
2007-09-08, 00:24
make that over 3 posts, :rolleyes:

I can't seem to win, AVG or something messed up my HijackThis and it says I don't have permission or something to reinstall... so I got 2.0 from MajorGeeks... hope that is ok:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 3:40:20 PM, on 9/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Phil\Desktop\HiJackThis_v2.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ftutil2] "rundll32.exe " ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NVRaidService] "C:\WINDOWS\system32\nvraidservice.exe"
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe " /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE"
O4 - HKLM\..\Run: [SBDrvDet] "C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe " /r
O4 - HKLM\..\Run: [UpdReg] "C:\WINDOWS\UpdReg.EXE"
O4 - HKLM\..\Run: [SoundMan] "SOUNDMAN.EXE"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = 100acrewoods.local
O17 - HKLM\Software\..\Telephony: DomainName = 100acrewoods.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = 100acrewoods.local
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6443 bytes


Thanks very much!
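
Added example, not part of this thread: a small Python parser for the O4 (Run-key autostart) lines of a HijackThis log like the one posted above. It pulls out the hive, value name, command and launched module for each entry, and flags entries whose module is given only by file name (SOUNDMAN.EXE, CTHELPER.EXE, nwiz.exe, the ftutil2.dll loaded through rundll32) rather than a full path, because Windows then resolves the name through its search order instead of a fixed location. The function names and the `unqualified` field are my own choices; the sample lines are copied from the log in this thread.

```python
import re

# O4 entries copied verbatim from the HijackThis log posted earlier in this thread,
# plus one O23 line to show that non-O4 lines are skipped.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ftutil2] "rundll32.exe " ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NVRaidService] "C:\WINDOWS\system32\nvraidservice.exe"
O4 - HKLM\..\Run: [SoundMan] "SOUNDMAN.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# HijackThis O4 line layout: "O4 - <hive>\..\Run: [<value name>] <command>" with an
# optional " (User '<name>')" suffix for the per-user hives listed under HKUS.
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)

EXEC_EXTS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")


def split_command(cmd):
    """Return (executable, arguments) from a Run value's command string."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            end = len(cmd)
        # HijackThis prints some quoted paths with a trailing space inside the quotes.
        return cmd[1:end].strip(), cmd[end + 1:].strip()
    # Unquoted command: like CreateProcess, grow the candidate path one space-separated
    # token at a time until it names an executable (simplified: extension must be present).
    tokens = cmd.split(" ")
    for i in range(len(tokens)):
        candidate = " ".join(tokens[:i + 1])
        if candidate.lower().endswith(EXEC_EXTS):
            return candidate, " ".join(tokens[i + 1:]).strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def parse_o4(line):
    """Parse one O4 line into a dict, or return None for any other line type."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    exe, args = split_command(m.group("cmd"))
    module = exe
    # rundll32 only hosts a DLL; the first comma-separated argument names what really runs.
    if exe.lower().endswith("rundll32.exe") and args:
        module = args.split(",", 1)[0].strip().strip('"')
    return {
        "hive": m.group("hive"),
        "key": m.group("key"),
        "name": m.group("name"),
        "user": m.group("user"),
        "executable": exe,
        "module": module,
        # No directory component: the loader finds the file through its search order
        # (application directory, system directories, then PATH), not a fixed location.
        "unqualified": "\\" not in module,
    }


def unqualified_autoruns(log_text):
    """Value names of O4 entries whose launched module is not given as a full path."""
    return [e["name"] for e in map(parse_o4, log_text.splitlines())
            if e is not None and e["unqualified"]]


if __name__ == "__main__":
    for entry in filter(None, map(parse_o4, SAMPLE_LOG.splitlines())):
        mark = "REVIEW" if entry["unqualified"] else "ok"
        print(f"{mark:6} [{entry['name']}] -> {entry['module']}")
```

The flag is a triage aid, not a verdict: in this log the unqualified entries are well-known Realtek, Creative and NVIDIA components that sit in the Windows directory, so the check only tells you which lines to confirm by looking at the actual file on disk (location, publisher, hash) rather than trusting the name alone.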

Shaba
2007-09-08, 10:49
Hi

That looks good :)

Still problems?

Viper
2007-09-09, 05:01
Unfortunately no, it didn't fix my problems... I tried running spybot and it hung.

Shaba
2007-09-09, 11:14
Hi

Does it work in safe mode?

If not, uninstall/re-install it and tell if it works now :)

Shaba
2007-09-16, 11:08
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.