View Full Version : Ad Popups when using explorer.. with log posted
Nekkidbeerman
2007-10-29, 21:07
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:53:54 PM, on 10/29/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ABRSM\Binn\sqlservr.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\dmi\win32\bin\Win32sl.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\SxgTkBar.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\VIPPCS\SRS Auto.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINNT\msagent\AgentSvr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Attachmate\KEA! VT\keavt.exe
C:\Program Files\Attachmate\KEA! VT\KEASYS.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\explorer.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jeff\Local Settings\Temp\StartupList.exe
C:\WINNT\regedit.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\SYSTEM32\RUNDLL32.EXE
C:\WINNT\system32\mmc.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\Jeff\Desktop\tools\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cnn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkage
O1 - Hosts: 204.9.89.1 www.livejasmin.com
O1 - Hosts: 216.109.112.135 www.2.livejasmin.com
O1 - Hosts: 216.109.112.135 live-webcam.health-sites-directory.com
O1 - Hosts: 216.109.112.135 voyeur-webcam.health-sites-directory.com
O1 - Hosts: 204.9.89.1 www.streamate.com
O1 - Hosts: 72.14.207.99 www.streamatex.com
O1 - Hosts: 216.109.112.135 streamate.es
O1 - Hosts: 216.109.112.135 www.streamatecams.com
O1 - Hosts: 72.14.207.99 broadcaster.streamate.com
O1 - Hosts: 216.109.112.135 freeicams.com
O1 - Hosts: 204.9.89.1 rogreviews.com
O1 - Hosts: 216.109.112.135 wildorchidz.com
O1 - Hosts: 72.14.207.99 boobchatworld.com
O1 - Hosts: 204.9.89.1 toysoncam.com
O1 - Hosts: 216.109.112.135 statsaholic.com/
O1 - Hosts: 72.14.207.99 crazycam.info
O1 - Hosts: 216.109.112.135 privatefeeds.com
O1 - Hosts: 72.14.207.99 www.2.livejasmin.com
O1 - Hosts: 216.109.112.135 cams.com
O1 - Hosts: 216.109.112.135 imlive.com
O1 - Hosts: 72.14.207.99 adult.dvdempire.com
O1 - Hosts: 216.109.112.135 angelasummers.com
O1 - Hosts: 204.9.89.1 evilchili.com
O1 - Hosts: 216.109.112.135 pornstar.dvdempire.com
O1 - Hosts: 72.14.207.99 tour.twistys.com
O1 - Hosts: 216.109.112.135 evilchilli.com
O1 - Hosts: 204.9.89.1 twistys.com
O1 - Hosts: 216.109.112.135 inside.twistys.com
O1 - Hosts: 216.109.112.135 girls.twistys.net
O1 - Hosts: 216.109.112.135 grouper.com
O1 - Hosts: 72.14.207.99 lickit.net
O1 - Hosts: 216.109.112.135 www.bullz-eye.com
O1 - Hosts: 204.9.89.1 tourvideo.twistys.com
O1 - Hosts: 216.109.112.135 pornstar.dvdempire.com
O1 - Hosts: 204.9.89.1 livejasmin.nu
O1 - Hosts: 216.109.112.135 208.100.1.88
O3 - Toolbar: Live TV Toolbar - {b69a9db4-d0a1-4722-b56b-f20757a29cdf} - C:\Program Files\Live_TV\tbLive.dll__BHODemonDisabled_STHPMWUUFLUHWHSSRU (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O4 - Startup: Shortcut to Microsoft Outlook.lnk = ?
O4 - Global Startup: SRS Auto.lnk = C:\VIPPCS\SRS Auto.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - https://www.budnet.com/ABR/Template/ABRReports.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {B82FA17C-F3A9-11D2-B5DD-0050041B7FF6} (SAXFile FileDownload ActiveX Control) - http://www.abmarketing.com/SAXFile/SAXFile.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://anheuser-busch.webex.com/client/v_mywebex-t20/support/ieatgpc.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup152.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = budofasheville.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = budofasheville.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = budofasheville.local
O23 - Service: 3Com DMI Agent (3ComDMIService) - 3Com Corporation - C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
O23 - Service: DEventAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Remote Registry Service (RemoteRegistry) - Unknown owner - C:\WINNT\system32\regsvc.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Win32Sl - Intel - C:\dmi\win32\bin\Win32sl.exe
--
End of file - 9920 bytes
Hi Nekkidbeerman
Rename HijackThis.exe to Nekki.exe and post back a fresh HijackThis log, please :)
Nekkidbeerman
2007-10-30, 13:53
Little background.. those host files were created by me to keep coworker out of porn and test on this pc. Thank you for any help you can offer..
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:43:43 AM, on 10/30/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ABRSM\Binn\sqlservr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\dmi\win32\bin\Win32sl.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\SxgTkBar.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\VIPPCS\SRS Auto.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\WINNT\msagent\AgentSvr.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jeff\Desktop\tools\Nekki.exe.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cnn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkage
O1 - Hosts: 204.9.89.1 www.livejasmin.com
O1 - Hosts: 216.109.112.135 www.2.livejasmin.com
O1 - Hosts: 216.109.112.135 live-webcam.health-sites-directory.com
O1 - Hosts: 216.109.112.135 voyeur-webcam.health-sites-directory.com
O1 - Hosts: 204.9.89.1 www.streamate.com
O1 - Hosts: 72.14.207.99 www.streamatex.com
O1 - Hosts: 216.109.112.135 streamate.es
O1 - Hosts: 216.109.112.135 www.streamatecams.com
O1 - Hosts: 72.14.207.99 broadcaster.streamate.com
O1 - Hosts: 216.109.112.135 freeicams.com
O1 - Hosts: 204.9.89.1 rogreviews.com
O1 - Hosts: 216.109.112.135 wildorchidz.com
O1 - Hosts: 72.14.207.99 boobchatworld.com
O1 - Hosts: 204.9.89.1 toysoncam.com
O1 - Hosts: 216.109.112.135 statsaholic.com/
O1 - Hosts: 72.14.207.99 crazycam.info
O1 - Hosts: 216.109.112.135 privatefeeds.com
O1 - Hosts: 72.14.207.99 www.2.livejasmin.com
O1 - Hosts: 216.109.112.135 cams.com
O1 - Hosts: 216.109.112.135 imlive.com
O1 - Hosts: 72.14.207.99 adult.dvdempire.com
O1 - Hosts: 216.109.112.135 angelasummers.com
O1 - Hosts: 204.9.89.1 evilchili.com
O1 - Hosts: 216.109.112.135 pornstar.dvdempire.com
O1 - Hosts: 72.14.207.99 tour.twistys.com
O1 - Hosts: 216.109.112.135 evilchilli.com
O1 - Hosts: 204.9.89.1 twistys.com
O1 - Hosts: 216.109.112.135 inside.twistys.com
O1 - Hosts: 216.109.112.135 girls.twistys.net
O1 - Hosts: 216.109.112.135 grouper.com
O1 - Hosts: 72.14.207.99 lickit.net
O1 - Hosts: 216.109.112.135 www.bullz-eye.com
O1 - Hosts: 204.9.89.1 tourvideo.twistys.com
O1 - Hosts: 216.109.112.135 pornstar.dvdempire.com
O1 - Hosts: 204.9.89.1 livejasmin.nu
O1 - Hosts: 216.109.112.135 208.100.1.88
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0959454F-AF1C-40DC-A174-7EBA17B4BDCF} - (no file)
O2 - BHO: (no name) - {25EC9914-710A-4E43-9E77-203D9F2CFB62} - C:\WINNT\system32\geedb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6A4897DF-3F9C-46ED-A708-4E0D34E23907} - (no file)
O2 - BHO: (no name) - {6A4CC1D8-71AF-4243-B5E9-6129C2781CA8} - (no file)
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINNT\SYSTEM32\sdrrctgu.dll (disabled by BHODemon)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll (disabled by BHODemon)
O2 - BHO: Live TV Toolbar - {b69a9db4-d0a1-4722-b56b-f20757a29cdf} - C:\Program Files\Live_TV\tbLive.dll (disabled by BHODemon)
O2 - BHO: (no name) - {D4B313D0-5C9B-423B-AA32-ACEA573D8421} - (no file)
O3 - Toolbar: Live TV Toolbar - {b69a9db4-d0a1-4722-b56b-f20757a29cdf} - C:\Program Files\Live_TV\tbLive.dll__BHODemonDisabled_STHPMWUUFLUHWHSSRU (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [07d208a7] rundll32.exe "C:\WINNT\system32\ownppcop.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O4 - Startup: Shortcut to Microsoft Outlook.lnk = ?
O4 - Global Startup: SRS Auto.lnk = C:\VIPPCS\SRS Auto.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - https://www.budnet.com/ABR/Template/ABRReports.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {B82FA17C-F3A9-11D2-B5DD-0050041B7FF6} (SAXFile FileDownload ActiveX Control) - http://www.abmarketing.com/SAXFile/SAXFile.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://anheuser-busch.webex.com/client/v_mywebex-t20/support/ieatgpc.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup152.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = budofasheville.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = budofasheville.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = budofasheville.local
O23 - Service: 3Com DMI Agent (3ComDMIService) - 3Com Corporation - C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
O23 - Service: DEventAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Remote Registry Service (RemoteRegistry) - Unknown owner - C:\WINNT\system32\regsvc.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Win32Sl - Intel - C:\dmi\win32\bin\Win32sl.exe
--
End of file - 10445 bytes
Hi
Ok, I'll let them then alone :)
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
1. Download combofix from one of these links and save it to Desktop:
Link1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link2 (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Post:
- a fresh HijackThis log
- combofix report
- vundofix report
Nekkidbeerman
2007-10-30, 16:05
First off.. Thanks again for all you do.. I would like to eventually be able to help others aswell.. with that said please see request information below..
VundoFix V6.5.11
Checking Java version...
Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Scan started at 9:32:28 AM 10/30/2007
Listing files found while scanning....
C:\WINNT\system32\pmkhfdd.dll
C:\WINNT\SYSTEM32\sdrrctgu.dll__BHODemonDisabled_QBKHAMKWABUHLYSNINBKXKWOX
Beginning removal...
Performing Repairs to the registry.
Done!
--- also note worthy ---
"cannont import vundofix.reg" popped up when completing the process..
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:44:08 AM, on 10/30/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$ABRSM\Binn\sqlservr.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\dmi\win32\bin\Win32sl.exe
C:\WINNT\system32\SxgTkBar.exe
C:\WINNT\system32\mobsync.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\VIPPCS\SRS Auto.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINNT\msagent\AgentSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\Jeff\Desktop\tools\Nekki.exe.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkage
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0959454F-AF1C-40DC-A174-7EBA17B4BDCF} - (no file)
O2 - BHO: (no name) - {25147DEA-A4B5-4869-98FE-736B9DE587C2} - C:\WINNT\system32\geedb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6A4897DF-3F9C-46ED-A708-4E0D34E23907} - (no file)
O2 - BHO: (no name) - {6A4CC1D8-71AF-4243-B5E9-6129C2781CA8} - (no file)
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll (disabled by BHODemon)
O2 - BHO: Live TV Toolbar - {b69a9db4-d0a1-4722-b56b-f20757a29cdf} - C:\Program Files\Live_TV\tbLive.dll (disabled by BHODemon)
O2 - BHO: (no name) - {D4B313D0-5C9B-423B-AA32-ACEA573D8421} - (no file)
O3 - Toolbar: Live TV Toolbar - {b69a9db4-d0a1-4722-b56b-f20757a29cdf} - C:\Program Files\Live_TV\tbLive.dll__BHODemonDisabled_STHPMWUUFLUHWHSSRU (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [07d208a7] rundll32.exe "C:\WINNT\system32\ownppcop.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O4 - Startup: Shortcut to Microsoft Outlook.lnk = ?
O4 - Global Startup: SRS Auto.lnk = C:\VIPPCS\SRS Auto.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - https://www.budnet.com/ABR/Template/ABRReports.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {B82FA17C-F3A9-11D2-B5DD-0050041B7FF6} (SAXFile FileDownload ActiveX Control) - http://www.abmarketing.com/SAXFile/SAXFile.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://anheuser-busch.webex.com/client/v_mywebex-t20/support/ieatgpc.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup152.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = budofasheville.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = budofasheville.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = budofasheville.local
O23 - Service: 3Com DMI Agent (3ComDMIService) - 3Com Corporation - C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
O23 - Service: DEventAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Remote Registry Service (RemoteRegistry) - Unknown owner - C:\WINNT\system32\regsvc.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Win32Sl - Intel - C:\dmi\win32\bin\Win32sl.exe
--
End of file - 8717 bytes
ComboFix 07-10-29.1 - Jeff 10/30/2007 9:45:36.1 - FAT32x86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.189 [GMT -4:00]
Running from: C:\Documents and Settings\Jeff\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Jeff\Application Data\macromedia\Flash Player\#SharedObjects\L4BDUNVR\www.broadcaster.com
C:\Documents and Settings\Jeff\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Jeff\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\WINNT\cookies.ini
C:\WINNT\SYSTEM32\bdeeg.bak2
C:\WINNT\SYSTEM32\bdeeg.ini
C:\WINNT\SYSTEM32\dhurwonw.ini
C:\WINNT\system32\geedb.dll
C:\WINNT\system32\ownppcop.dll
C:\WINNT\SYSTEM32\pocppnwo.ini
C:\WINNT\system32\wnowruhd.dll
C:\WINNT\system32\wyrjoytg.dll
.
((((((((((((((((((((((((( Files Created from 202.-02-28 to 202.0.37 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-21 19:44 66,024 ----a-w C:\Documents and Settings\Jeff\Application Data\GDIPFONTCACHEV1.DAT
2007-04-27 20:08 299,288 ----a-w C:\Program Files\GmailInstaller.exe
2007-04-27 19:59 1,145,896 ----a-w C:\Program Files\GoogleToolbarInstaller.exe
2004-01-27 17:04 124,956 ----a-w C:\Program Files\INSTALL.LOG
2001-09-28 20:00 164,512 ----a-w C:\Program Files\UNWISE.EXE
2001-06-19 17:05 271 ---ha-w C:\Program Files\DESKTOP.INI
2001-06-19 17:05 21,952 ---ha-w C:\Program Files\FOLDER.HTT
2001-05-08 11:00 32,528 ----a-w C:\WINNT\INF\WBFIRDMA.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0959454F-AF1C-40DC-A174-7EBA17B4BDCF}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A4897DF-3F9C-46ED-A708-4E0D34E23907}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A4CC1D8-71AF-4243-B5E9-6129C2781CA8}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4B313D0-5C9B-423B-AA32-ACEA573D8421}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 15:05 C:\WINNT\SYSTEM32\mobsync.exe]
"SxgTkBar"="SxgTkBar.exe" [00-04-10 08:10 C:\WINNT\SYSTEM32\sxgtkbar.exe]
"HPDJ Taskbar Utility"="C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe" [03-07-28 09:43 ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [05-10-04 12:42 ]
"vptray"="C:\PROGRA~1\SYMANT~2\VPTray.exe" [05-11-15 13:28 ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07-07-12 04:00 ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07-06-15 15:04 ]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [05-07-15 17:48 ]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [01-02-20 13:09 C:\WINNT\SYSTEM32\CTFMON.EXE]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07-07-17 11:05 ]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [06-03-30 16:45 ]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ctfmon.exe"=ctfmon.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
SRS Auto.lnk - C:\VIPPCS\SRS Auto.exe [2006-11-10 14:38:06]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINNT\system32\geedb.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
R0 fasttrak;fasttrak;C:\WINNT\system32\DRIVERS\fasttrak.sys
R0 Fd16_700;Fd16_700;C:\WINNT\system32\DRIVERS\fd16_700.sys
R0 mraid2k;mraid2k;C:\WINNT\system32\DRIVERS\mraid2k.sys
R2 3ComDMIService;3Com DMI Agent;C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
R2 ActionAgent;ActionAgent;C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
R2 BCAITDI;3Com BCAITDI DMI TDI;C:\WINNT\system32\DRIVERS\BCAItdi.sys
R2 DLT;DLT;C:\Program Files\Dell\OpenManage\Client\DLT.exe
R2 MSSQL$ABRSM;MSSQL$ABRSM;C:\Program Files\Microsoft SQL Server\MSSQL$ABRSM\Binn\sqlservr.exe -sABRSM
R2 tcaicchg;tcaicchg;\??\C:\WINNT\System32\tcaicchg.sys
R2 TCAITDI;TCAITDI Protocol;C:\WINNT\system32\DRIVERS\TCAITDI.sys
R3 ati2mtaa;ati2mtaa;C:\WINNT\system32\DRIVERS\ati2mtaa.sys
S1 sxgbvswp;sxgbvswp;C:\WINNT\system32\drivers\sxgbvswp.SYS
S3 ichaud;Service for AC'97 Driver (WDM);C:\WINNT\system32\drivers\ichaud.sys
S3 SQLAgent$ABRSM;SQLAgent$ABRSM;C:\Program Files\Microsoft SQL Server\MSSQL$ABRSM\Binn\sqlagent.EXE -i ABRSM
*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
**************************************************************************
catchme 0.3.1239 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-30 09:52:13
Windows 5.0.2195 Service Pack 4 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-30 9:52:47 - machine was rebooted
.
--- E O F ---
Hi
HijackThis log is taken before combofix.
Please post a fresh HijackThis log :)
Nekkidbeerman
2007-10-30, 19:00
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:49, on 2007-10-30
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ABRSM\Binn\sqlservr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\dmi\win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\ctfmon.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\WINNT\msagent\AgentSvr.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Attachmate\KEA! VT\keavt.exe
C:\Program Files\Attachmate\KEA! VT\KEASYS.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\tools\Nekki.exe.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkage
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0959454F-AF1C-40DC-A174-7EBA17B4BDCF} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6A4897DF-3F9C-46ED-A708-4E0D34E23907} - (no file)
O2 - BHO: (no name) - {6A4CC1D8-71AF-4243-B5E9-6129C2781CA8} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll (disabled by BHODemon)
O2 - BHO: Live TV Toolbar - {b69a9db4-d0a1-4722-b56b-f20757a29cdf} - C:\Program Files\Live_TV\tbLive.dll (disabled by BHODemon)
O2 - BHO: (no name) - {D4B313D0-5C9B-423B-AA32-ACEA573D8421} - (no file)
O3 - Toolbar: Live TV Toolbar - {b69a9db4-d0a1-4722-b56b-f20757a29cdf} - C:\Program Files\Live_TV\tbLive.dll__BHODemonDisabled_STHPMWUUFLUHWHSSRU (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O4 - .DEFAULT Startup: Shortcut to Microsoft Outlook.lnk = ? (User 'Default user')
O4 - Startup: Shortcut to Microsoft Outlook.lnk = ?
O4 - Global Startup: SRS Auto.lnk = C:\VIPPCS\SRS Auto.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - https://www.budnet.com/ABR/Template/ABRReports.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {B82FA17C-F3A9-11D2-B5DD-0050041B7FF6} (SAXFile FileDownload ActiveX Control) - http://www.abmarketing.com/SAXFile/SAXFile.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://anheuser-busch.webex.com/client/v_mywebex-t20/support/ieatgpc.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup152.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = budofasheville.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = budofasheville.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = budofasheville.local
O23 - Service: 3Com DMI Agent (3ComDMIService) - 3Com Corporation - C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
O23 - Service: DEventAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Remote Registry Service (RemoteRegistry) - Unknown owner - C:\WINNT\system32\regsvc.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Win32Sl - Intel - C:\dmi\win32\bin\Win32sl.exe
--
End of file - 8479 bytes
Hi
First we'll need to backup registry:
Start -> Run -> regedit -> ok. Then File -> Export. Give it a name and press Save.
Save text below as fix.reg on Notepad (save it as all files (*.*)) on Desktop
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
It should look like this -> http://users.telenet.be/bluepatchy/miekiemoes/images/reg.gif
Doubleclick fix.reg, press Yes and ok.
(In case you are unsure how to create a reg file, take a look here (http://www.nellie2.co.uk/file.htm#How_to_Make_a_.Reg_File_) with screenshots.)
Open HijackThis, click do a system scan only and checkmark these:
O2 - BHO: (no name) - {0959454F-AF1C-40DC-A174-7EBA17B4BDCF} - (no file)
O2 - BHO: (no name) - {6A4897DF-3F9C-46ED-A708-4E0D34E23907} - (no file)
O2 - BHO: (no name) - {6A4CC1D8-71AF-4243-B5E9-6129C2781CA8} - (no file)
O2 - BHO: Live TV Toolbar - {b69a9db4-d0a1-4722-b56b-f20757a29cdf} - C:\Program Files\Live_TV\tbLive.dll (disabled by BHODemon)
O2 - BHO: (no name) - {D4B313D0-5C9B-423B-AA32-ACEA573D8421} - (no file)
O3 - Toolbar: Live TV Toolbar - {b69a9db4-d0a1-4722-b56b-f20757a29cdf} - C:\Program Files\Live_TV\tbLive.dll__BHODemonDisabled_STHPMWUUFLUHWHSSRU (file missing)
Close all windows including browser and press fix checked.
Reboot.
Post a fresh HijackThis log.
Nekkidbeerman
2007-10-30, 20:21
Also had error with reg file. Cannot import c:\location........fix.reg: the specified file is not a registry script you can import only registry files.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:10, on 2007-10-30
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ABRSM\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\dmi\win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\SxgTkBar.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\VIPPCS\SRS Auto.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINNT\msagent\AgentSvr.exe
C:\tools\Nekki.exe.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkage
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll (disabled by BHODemon)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O4 - .DEFAULT Startup: Shortcut to Microsoft Outlook.lnk = ? (User 'Default user')
O4 - Startup: Shortcut to Microsoft Outlook.lnk = ?
O4 - Global Startup: SRS Auto.lnk = C:\VIPPCS\SRS Auto.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - https://www.budnet.com/ABR/Template/ABRReports.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {B82FA17C-F3A9-11D2-B5DD-0050041B7FF6} (SAXFile FileDownload ActiveX Control) - http://www.abmarketing.com/SAXFile/SAXFile.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://anheuser-busch.webex.com/client/v_mywebex-t20/support/ieatgpc.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup152.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = budofasheville.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = budofasheville.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = budofasheville.local
O23 - Service: 3Com DMI Agent (3ComDMIService) - 3Com Corporation - C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
O23 - Service: DEventAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Remote Registry Service (RemoteRegistry) - Unknown owner - C:\WINNT\system32\regsvc.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Win32Sl - Intel - C:\dmi\win32\bin\Win32sl.exe
--
End of file - 8055 bytes
Hi
Then let's take a further look if your .reg association is not correct:
Download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) to your Desktop. Note: You must be logged onto an account with administrator privileges.
Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post. in your reply
Nekkidbeerman
2007-10-30, 22:45
Main.. too long for both to be here
Deckard's System Scanner v20071014.68
Run by Jeff on 2007-10-30 16:33:11
Computer is in Normal Mode.
--------------------------------------------------------------------------------
Backed up registry hives.
Performed disk cleanup.
-- HijackThis (run as Jeff.exe) ------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:34, on 2007-10-30
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ABRSM\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\dmi\win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\SxgTkBar.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\VIPPCS\SRS Auto.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Documents and Settings\Jeff\Desktop\dss.exe
C:\tools\Jeff.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkage
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll (disabled by BHODemon)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O4 - .DEFAULT Startup: Shortcut to Microsoft Outlook.lnk = ? (User 'Default user')
O4 - Startup: Shortcut to Microsoft Outlook.lnk = ?
O4 - Global Startup: SRS Auto.lnk = C:\VIPPCS\SRS Auto.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - https://www.budnet.com/ABR/Template/ABRReports.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {B82FA17C-F3A9-11D2-B5DD-0050041B7FF6} (SAXFile FileDownload ActiveX Control) - http://www.abmarketing.com/SAXFile/SAXFile.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://anheuser-busch.webex.com/client/v_mywebex-t20/support/ieatgpc.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup152.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = budofasheville.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = budofasheville.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = budofasheville.local
O23 - Service: 3Com DMI Agent (3ComDMIService) - 3Com Corporation - C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
O23 - Service: DEventAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Remote Registry Service (RemoteRegistry) - Unknown owner - C:\WINNT\system32\regsvc.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Win32Sl - Intel - C:\dmi\win32\bin\Win32sl.exe
--
End of file - 7874 bytes
-- HijackThis Fixed Entries (C:\tools\backups\) --------------------------------
backup-20071025-100801-465 R3 - URLSearchHook: Live TV Toolbar - {b69a9db4-d0a1-4722-b56b-f20757a29cdf} - C:\Program Files\Live_TV\tbLive.dll
backup-20071025-100801-382 O4 - HKLM\..\Run: [07d208a7] rundll32.exe "C:\WINNT\system32\kwlgqpni.dll",b
backup-20071025-112333-488 O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
backup-20071025-140117-440 O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
backup-20071030-135819-963 O2 - BHO: (no name) - {0959454F-AF1C-40DC-A174-7EBA17B4BDCF} - (no file)
backup-20071030-135819-333 O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
backup-20071030-135819-221 O2 - BHO: (no name) - {6A4897DF-3F9C-46ED-A708-4E0D34E23907} - (no file)
backup-20071030-135819-616 O2 - BHO: (no name) - {6A4CC1D8-71AF-4243-B5E9-6129C2781CA8} - (no file)
backup-20071030-135819-430 O2 - BHO: Live TV Toolbar - {b69a9db4-d0a1-4722-b56b-f20757a29cdf} - C:\Program Files\Live_TV\tbLive.dll (disabled by BHODemon)
backup-20071030-135819-253 O2 - BHO: (no name) - {D4B313D0-5C9B-423B-AA32-ACEA573D8421} - (no file)
backup-20071030-135819-458 O3 - Toolbar: Live TV Toolbar - {b69a9db4-d0a1-4722-b56b-f20757a29cdf} - C:\Program Files\Live_TV\tbLive.dll__BHODemonDisabled_STHPMWUUFLUHWHSSRU (file missing)
-- File Associations -----------------------------------------------------------
.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R1 BANTExt (Belarc SMBios Access) - c:\winnt\system32\drivers\bantext.sys
R1 omci - c:\winnt\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R2 BCAITDI (3Com BCAITDI DMI TDI) - c:\winnt\system32\drivers\bcaitdi.sys <Not Verified; 3Com Corporation; 3Com DMI Agent TDI Driver>
R2 tcaicchg - c:\winnt\system32\tcaicchg.sys <Not Verified; 3Com Corporation; 3Com Windows NT NIC Diagnostic/Configuration>
R2 TCAITDI (TCAITDI Protocol) - c:\winnt\system32\drivers\tcaitdi.sys <Not Verified; 3Com Corporation; 3Com Windows NT NIC Diagnostic TDI Driver>
S1 sxgbvswp - c:\winnt\system32\drivers\sxgbvswp.sys <Not Verified; YAMAHA CORPORATION; YAMAHA SXG Driver>
S3 catchme - c:\docume~1\jeff\locals~1\temp\catchme.sys (file missing)
S3 PalmUSBD - c:\winnt\system32\drivers\palmusbd.sys (file missing)
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R2 3ComDMIService (3Com DMI Agent) - c:\winnt\system32\3com_dmi\3cdminic.exe <Not Verified; 3Com Corporation; 3Com DMI Agent>
R2 ActionAgent - c:\program files\dell\openmanage\client\actionagent.exe <Not Verified; Dell Computer Corporation; OpenManage Client Instrumentation>
R2 DellDmi - c:\dmi\win32\bin\delldmi.exe <Not Verified; Dell Computer Corporation; OpenManage Client Instrumentation>
R2 DEventAgent - c:\program files\dell\openmanage\client\eventagt.exe <Not Verified; Dell Computer Corporation; OpenManage Client Instrumentation>
R2 DLT - c:\program files\dell\openmanage\client\dlt.exe <Not Verified; Dell Computer Corporation; OpenManage Client Instrumentation>
R2 Iap - c:\program files\dell\openmanage\client\iap.exe <Not Verified; Dell Computer Corporation; OpenManage Client Instrumentation>
R2 Win32Sl - c:\dmi\win32\bin\win32sl.exe <Not Verified; Intel; DMI 2.0s SDK>
S2 RemoteRegistry (Remote Registry Service) - c:\winnt\system32\regsvc.exe (file missing)
S4 iPodService - c:\program files\ipod\bin\ipodservice.exe (file missing)
-- Device Manager: Disabled ----------------------------------------------------
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: sxgbvswp
Device ID: ROOT\LEGACY_SXGBVSWP\0000
Manufacturer:
Name: sxgbvswp
PNP Device ID: ROOT\LEGACY_SXGBVSWP\0000
Service: sxgbvswp
-- Files created between 2007-09-30 and 2007-10-30 -----------------------------
2007-10-30 14:04:50 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_3ac.dat
2007-10-30 14:04:34 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_308.dat
2007-10-30 11:58:01 0 d-------- C:\Program Files\A-B
2007-10-30 11:50:54 0 d-------- C:\Program Files\v3.1.16
2007-10-30 08:22:26 0 d-------- C:\WINNT\ERUNT
2007-10-30 08:16:57 1285376 ---h----- C:\WINNT\ShellIconCache
2007-10-30 07:57:28 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2007-10-30 07:47:46 2312 --a------ C:\WINNT\system32\tmp.reg
2007-10-30 07:35:27 589 --a------ C:\WINNT\system32\hvpnhkvf.dll
2007-10-29 11:50:33 0 d-------- C:\Documents and Settings\Jeff\Application Data\TrojanHunter
2007-10-29 10:26:56 0 d-------- C:\WINNT\PCHEALTH
2007-10-29 09:29:58 0 d-------- C:\Documents and Settings\Jeff\.housecall6.6
2007-10-29 09:01:47 0 d-------- C:\Program Files\InterMute
2007-10-29 07:35:36 589 --a------ C:\WINNT\system32\ceymhgmf.dll
2007-10-26 09:44:52 92672 --a------ C:\WINNT\system32\KillBox.exe <Not Verified; Option; Explicit Software vbtechcd@gmail.com>
2007-10-26 07:31:09 0 d-------- C:\tools
2007-10-25 16:05:45 0 d-------- C:\Documents and Settings\Jeff\Application Data\WinPatrol
2007-10-25 16:05:32 0 d-------- C:\Program Files\BillP Studios
2007-10-25 11:32:08 0 d-------- C:\Documents and Settings\Administrator\Application Data\Attachmate
-- Find3M Report ---------------------------------------------------------------
2007-09-21 15:44:30 66024 --a------ C:\Documents and Settings\Jeff\Application Data\GDIPFONTCACHEV1.DAT
2007-09-11 09:45:18 0 d-------- C:\Program Files\MSECache
2007-08-10 07:53:44 454656 --a------ C:\putty.exe <Not Verified; Simon Tatham; PuTTY suite>
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 15:05 C:\WINNT\SYSTEM32\mobsync.exe]
"SxgTkBar"="SxgTkBar.exe" [00-04-10 08:10 C:\WINNT\SYSTEM32\sxgtkbar.exe]
"HPDJ Taskbar Utility"="C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe" [03-07-28 09:43 ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [05-10-04 12:42 ]
"vptray"="C:\PROGRA~1\SYMANT~2\VPTray.exe" [05-11-15 13:28 ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07-07-12 04:00 ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07-06-15 15:04 ]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [05-07-15 17:48 ]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [01-02-20 13:09 C:\WINNT\SYSTEM32\CTFMON.EXE]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07-07-17 11:05 ]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [06-03-30 16:45 ]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ctfmon.exe"=ctfmon.exe
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINNT\system32\geedb.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
-- End of Deckard's System Scanner: finished at 2007-10-30 16:35:02 ------------
Nekkidbeerman
2007-10-30, 22:52
Extra..
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------
-- System Information ----------------------------------------------------------
Microsoft Windows 2000 Professional (build 2195) SP 4.0
Architecture: X86; Language: English
CPU 0: Intel(R) Pentium(R) 4 CPU 1.70GHz
Percentage of Memory in Use: 40%
Physical Memory (total/avail): 511.02 MiB / 302.23 MiB
Pagefile Memory (total/avail): 671.07 MiB / 394.94 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1954.15 MiB
A: is Removable (No Media)
C: is Fixed (FAT32) - 18.6 GiB total, 9.77 GiB free.
D: is CDROM (No Media)
L: is Network (NTFS)
M: is Network (NTFS)
P: is Network (NTFS)
S: is Network (NTFS)
T: is Network (NTFS)
U: is Network (NTFS)
Y: is Network (NTFS)
Z: is Network (NTFS)
\\.\PHYSICALDRIVE0 - WDC WD200EB-75CPF0 - 18.65 GiB - 2 partitions
\PARTITION0 - Unknown - 31.35 MiB
\PARTITION1 (bootable) - Unknown - 18.61 GiB - C:
-- Security Center -------------------------------------------------------------
AUOptions is scheduled to auto-install.
-- Environment Variables -------------------------------------------------------
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Jeff\Application Data
CLASSPATH=C:\VIPFTPSUPPORT\JT400.JAR
COLLECTIONID=wuclient
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=W2K-111
ComSpec=C:\WINNT\system32\cmd.exe
HMSERVER=https://h30083.www3.hp.com/wuss/servlet/WUSSServlet
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Jeff
ITEMID=wuclienten
LANG=1033
LOGONSERVER=\\BOASRV01
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Os2LibPath=C:\WINNT\system32\os2\dll;
OSVER=win2KP
Path=C:\Program Files\Mozilla Firefox;C:\WINNT\SYSTEM32;C:\WINNT;C:\WINNT\SYSTEM32\WBEM;C:\DMI\WIN32\BIN;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;c:\vippcs\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 1 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0102
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONID=1068373913461wuws06-ld4d66b:f8c00bfa42:-4644
SWUTVER=1.0.18.30716
SystemDrive=C:
SystemRoot=C:\WINNT
TEMP=C:\DOCUME~1\Jeff\LOCALS~1\Temp
TIMEOUT=0
TMP=C:\DOCUME~1\Jeff\LOCALS~1\Temp
TOOLPATH=/C:\Program%20Files\Hewlett-Packard\HP%20Software%20Update\install.htm
UPDATEDIR=C:\DOCUME~1\LARRYA~1\LOCALS~1\Temp\rad5BE56.tmp
USERDNSDOMAIN=budofasheville.local
USERDOMAIN=BUDOFASHEVILLE
USERNAME=Jeff
USERPROFILE=C:\Documents and Settings\Jeff
VERSION=2.0.37
WIN32DMIPATH=C:\DMI\WIN32
windir=C:\WINNT
-- User Profiles ---------------------------------------------------------------
Larry Allen (admin)
Administrator (admin)
pat (new local, admin, net ready)
Larry Allen.BUDOFASHEVILLE (admin)
Jeff (admin)
Chris (new local, admin, net ready)
Administrator.BUDOFASHEVILLE (admin)
-- Add/Remove Programs ---------------------------------------------------------
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
.Net and ODBC Install --> C:\UNWISE.EXE C:\INSTALL.LOG
3Com DMI Agent --> C:\WINNT\System32\3Com_DMI\UNDMIW2K.EXE
3Com NIC Diagnostics --> un3cdiag.exe /remove
A-B SPP Custom --> C:\UNWISE.EXE C:\INSTALL.LOG
AB Space Reporting Tool --> C:\PROGRA~1\ABSPAC~1\UNWISE.EXE C:\PROGRA~1\ABSPAC~1\INSTALL.LOG
AB Space Reporting Tool --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6B8A69B1-15ED-4273-9708-B14D891A1FB5}\setup.exe" -l0x9
Abacast Client --> C:\PROGRA~1\ABACAST\UNWISE.EXE C:\PROGRA~1\ABACAST\client.LOG
Abacast Version 1.25f1 --> C:\PROGRA~1\ABACAST\UNWISE.EXE C:\PROGRA~1\ABACAST\client.LOG
Ad-Aware SE Personal --> MsiExec.exe /X{78CC3BAB-DE2A-4FB4-8FBB-E4DADDC26747}
Adobe Flash Player 9 ActiveX --> C:\WINNT\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player Plugin --> C:\WINNT\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Photoshop Album 2.0 Starter Edition --> MsiExec.exe /I{11B569C2-4BF6-4ED0-9D17-A4273943CB24}
Adobe Photoshop CS --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFB21DE7-8C19-4A88-BB28-A766E16493BC}\setup.exe" -l0x9
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Shockwave Player --> C:\WINNT\SYSTEM32\MACROMED\SHOCKW~2\UNWISE.EXE C:\WINNT\SYSTEM32\MACROMED\SHOCKW~2\INSTALL.LOG
ATI Display Driver --> rundll32 C:\WINNT\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Belarc Advisor 7.1 --> C:\PROGRA~1\BELARC\ADVISOR\Uninstall.exe C:\PROGRA~1\BELARC\ADVISOR\INSTALL.LOG
BugOff 1.10 --> C:\Documents and Settings\Jeff\Local Settings\Temp\BugOff.exe /uninstall
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Data Cleansing Tool --> MsiExec.exe /I{387546A5-5656-460D-991D-9FEF8D64E954}
Dell OpenManage Client Instrumentation --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0773A806-0853-4B4D-8771-55BEF03E242B}\Setup.exe" -l0x9 -f1C:\PROGRA~1\Dell\OPENMA~1\Client\uninst.iss
DigitalCodeBook --> MsiExec.exe /I{3E4DB39C-8660-4DFD-A8DA-E3C2A3F9C7ED}
DigitalCodeBook --> MsiExec.exe /I{A55DC799-3DEF-4FC8-9ACA-2DB931FF10FB}
DirectX 9 Hotfix - KB839643 --> C:\WINNT\$NtUninstallKB839643-DirectX9$\spuninst\spuninst.exe
GdiplusUpgrade --> MsiExec.exe /I{5421155F-B033-49DB-9B33-8F80F233D4D5}
Google Gmail Notifier --> "C:\Program Files\Google\Gmail Notifier\UninstallGmail.exe"
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
HijackThis 2.0.2 --> "C:\Documents and Settings\Jeff\Desktop\HijackThis.exe" /uninstall
HP Software Update --> MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
HP Software Update --> MsiExec.exe /X{936C42D0-8CEE-4BDF-B8CE-C4BDC93C6CF8}
Image Extractor 1.3 --> C:\PROGRA~1\RSM\IMAGEE~1\UNWISE.EXE C:\PROGRA~1\RSM\IMAGEE~1\INSTALL.LOG
Intel Application Accelerator --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9984DF60-1C5B-11D3-ACA1-908A4FC10801}\setup.exe" -K -INTELUNINST
Intercept Transition Utility --> C:\UNWISE.EXE C:\INSTALL.LOG
Intercept Transition Utility v2.0 --> C:\PROGRA~1\RSM\INTERC~1\UNWISE.EXE C:\PROGRA~1\RSM\INTERC~1\INSTALL.LOG
Internet Explorer Q903235 --> C:\WINNT\ieuninst.exe C:\WINNT\INF\Q903235.inf
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java(TM) 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java(TM) SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
JDA Intactix Activation Manager --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\8\INTEL3~1\IDriver.exe /M{9B578BB7-DB4E-467F-8472-873A9ED75D6B}
JDA Intactix Activation Manager --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{9289CC89-E916-42FE-8B33-C4CDE784EBB9}
JDA Space Automation --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{7AD0EC3C-0671-4515-9B97-A7A2920BEE5D}
JDA Space Automation by Intactix --> MsiExec.exe /I{C511BEBD-D3F4-421B-A868-D76C0D7E7A41}
JDA Space Planning --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{79EA2622-FCBA-43B5-AFC8-09183104CCED}
JDA Space Planning by Intactix --> MsiExec.exe /I{D24858A4-7AEC-480C-BED4-73005724CBEE}
KEAVT v5.10 --> C:\WINNT\uninst.exe -f"C:\Program Files\Attachmate\KEA! VT\DeIsL1.isu"
LiveUpdate 2.6 (Symantec Corporation) --> C:\PROGRA~1\COMMON~1\Symantec Shared\LiveUpdate\LSETUP.EXE /U
Microsoft .NET Framework 1.1 --> MsiExec.exe /X{C9913503-1500-4454-94CD-365ADC1BB9B9}
Microsoft .NET Framework 2.0 --> C:\WINNT\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Interactive Training --> C:\Program Files\MSPress\Training\lunins32_s.exe
Microsoft ODBC .NET Data Provider --> MsiExec.exe /I{6868B3BD-0642-442C-A542-28716AA6DD2D}
Microsoft Office XP Media Content --> MsiExec.exe /I{90300409-6000-11D3-8CFE-0050048383C9}
Microsoft Office XP Professional --> MsiExec.exe /I{91110409-6000-11D3-8CFE-0050048383C9}
Microsoft Publisher 2002 --> MsiExec.exe /I{91190409-6000-11D3-8CFE-0050048383C9}
Microsoft SQL Server Desktop Engine --> MsiExec.exe /X{689404D2-1C94-44B3-9203-BEC5594FDA7A}
Microsoft SQL Server Desktop Engine (ABRSM) --> MsiExec.exe /X{E09B48B5-E141-427A-AB0C-D3605127224A}
Microsoft XML Parser and SDK --> MsiExec.exe /I{3E908702-AF35-4611-9518-955DA24B7E07}
Mobility Database Installer --> MsiExec.exe /I{20FD1961-C404-4B71-ABBC-98FF4D1D8940}
Mozilla Firefox (2.0.0.8) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSDE 2000 for PMT --> C:\PROGRA~1\RSM\PMT_MS~1\UNWISE.EXE C:\PROGRA~1\RSM\PMT_MS~1\INSTALL.LOG
MSXML 4.0 SP2 (KB927978) --> MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MultiView 2000 --> C:\WINNT\IsUninst.exe -f"C:\WINNT\MultiView 2000.isu" -c"C:\Program Files\MultiView\MultiView 2000\jsbunist.dll"
PDF reDirect (remove only) --> C:\Program Files\PDF reDirect\Uninstall.exe
Planogram Management Tool --> MsiExec.exe /X{87E5E9FD-5997-49A7-8AC2-942947B28465}
Planogram Management Tool V.5 --> C:\PROGRA~1\RSM\PLANOG~1\UNWISE.EXE C:\PROGRA~1\RSM\PLANOG~1\INSTALL.LOG
Product Library --> C:\PROGRA~1\JDA\ABCUSTOM\LIBRAR~1\UNWISE.EXE C:\PROGRA~1\JDA\ABCUSTOM\LIBRAR~1\INSTALL.LOG
QuickTime --> C:\WINNT\unvise32qt.exe C:\WINNT\system32\QuickTime\Uninstall.log
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
RSM Image Library --> C:\scale\UNWISE.EXE C:\scale\INSTALL.LOG
Scale --> C:\scale\UNWISE.EXE C:\scale\INSTALL.LOG
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Microsoft .NET Framework 2.0 (KB928365) --> C:\WINNT\system32\msiexec.exe /promptrestart /uninstall {8056AC9E-49C5-4375-9ADE-B2F862C9DF51} /package {7131646D-CD3C-40F4-97B9-CD9E4E6262EF}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINNT\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINNT\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for Windows 2000 (KB904706) --> "C:\WINNT\$NtUninstallKB904706$\spuninst\spuninst.exe"
Security Update for Windows 2000 (KB923689) --> "C:\WINNT\$NtUninstallKB923689$\spuninst\spuninst.exe"
SMSB --> C:\UNWISE.EXE C:\INSTALL.LOG
SMSB v2.1 --> C:\PROGRA~1\RSM\SMSB\UNWISE.EXE C:\PROGRA~1\RSM\SMSB\INSTALL.LOG
SPP Service Release V2 --> C:\PROGRA~1\JDA\ABCUSTOM\SERVIC~1\UNWISE.EXE C:\PROGRA~1\JDA\ABCUSTOM\SERVIC~1\INSTALL.LOG
SPP Service Release V3 --> C:\PROGRA~1\UNWISE.EXE C:\PROGRA~1\INSTALL.LOG
Spybot - Search & Destroy 1.3 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
VIP SRS Interface 5.65 --> C:\WINNT\uninst.exe -fC:\VIPPCS\DeIsL1.isu -cC:\VIPPCS\_ISREG32.DLL
WebEx --> C:\WINNT\DOWNLO~1\atcliun.exe
Windows 2000 Service Pack 4 --> C:\WINNT\$NtServicePackUninstall$\spuninst\spuninst.exe
Windows Genuine Advantage v1.3.0254.0 --> MsiExec.exe /I{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}
Windows Installer Clean Up --> MsiExec.exe /I{121634B0-2F4A-11D3-ADA3-00C04F52DD53}
Windows Media Player 9 Hotfix [See KB885492 for more information] --> C:\WINNT\$NtUninstallKB885492$\spuninst\spuninst.exe
Windows Media Player system update (9 Series) --> C:\PROGRA~1\WINDOW~2\setup_wm.exe /Uninstall
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
YAMAHA SoftSynthesizer S-YXG50 --> C:\WINNT\IsUninst.exe -fC:\WINNT\DeIsL1.isu -c"C:\WINNT\System32\sxgunins.dll
-- Application Event Log -------------------------------------------------------
Event Record #/Type5174 / Error
Event Submitted/Written: 10/30/2007 00:02:37 PM
Event ID/Source: 0 / A-B Mobility Installer
Event Description:
Failed to perform/install 'MSDE'
System.Exception: Executing program 'setup.exe /q' Failed. Return Value: 1641 Error: 0
at Installer.Utility.RunProgram(String p_sProg, String p_sParamStr, String p_sWorkDir)
at Installer.Install.Install(ComponentsRow p_oComp)
at Installer.Install.InstallRow(ImplementOrderRow p_oImpOr)
Event Record #/Type5159 / Warning
Event Submitted/Written: 10/30/2007 00:01:59 PM
Event ID/Source: 2000 / LoadPerf
Event Description:
No object list was found in the installation file. Adding an object
list to the installation file will
improve performance of the system when measuring performance counters.
Event Record #/Type5158 / Warning
Event Submitted/Written: 10/30/2007 00:00:27 PM
Event ID/Source: 1015 / MsiInstaller
Event Description:
Failed to connect to server. Error: 0x800401F0
Event Record #/Type5154 / Error
Event Submitted/Written: 10/30/2007 00:00:21 PM
Event ID/Source: 0 / A-B Mobility Installer
Event Description:
Failed to perform/install 'Start SQL server'
Event Record #/Type5151 / Error
Event Submitted/Written: 10/30/2007 00:00:17 PM
Event ID/Source: 0 / A-B Mobility Installer
Event Description:
Failed to perform/install 'Mobile Computer Database Install Package'
-- Security Event Log ----------------------------------------------------------
No Errors/Warnings found.
-- System Event Log ------------------------------------------------------------
Event Record #/Type2560 / Error
Event Submitted/Written: 10/30/2007 02:04:44 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Remote Registry Service service failed to start due to the following error:
%%2
Event Record #/Type2556 / Warning
Event Submitted/Written: 10/30/2007 02:01:00 PM
Event ID/Source: 20 / Print
Event Description:
Printer Driver HP LaserJet 1022 for Windows NT x86 Version-3 was added or updated. Files:- IMFNT5.DLL, SDNT5UI.DLL, SDhp1020.SDD, SDhp1020.HLP, SDhp1020.DLL, SUhp1020.DLL, SUhp1020.ENT, ZJBIG.DLL, ZLhp1020.DLL, SUXML.DLL, XERCES-C.DLL, hp1020.img, hp1022.img, hp1022n.img, ZSHP1020.EXE, ZSHP1020.HLP, SUhp1020.VER, VSHP1020.DLL, IMFPRINT.DLL, QDPRINT.DLL, SD32.DLL, SDIMF32.DLL, SDDM32.DLL, SDDMUI.DLL, SR32.DLL, ZGDI32.DLL, SDhp1020.UNZ, ZSPOOL.DLL, ZSPOOL32.EXE, ZTAG32.DLL, ZUNINST.EXE, ZLM.DLL, IMF32.DLL, SDNTUM4.DLL.
Event Record #/Type2555 / Error
Event Submitted/Written: 10/30/2007 11:54:51 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Remote Registry Service service failed to start due to the following error:
%%2
Event Record #/Type2551 / Error
Event Submitted/Written: 10/30/2007 11:34:35 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Remote Registry Service service failed to start due to the following error:
%%2
Event Record #/Type2547 / Error
Event Submitted/Written: 10/30/2007 09:50:20 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Remote Registry Service service failed to start due to the following error:
%%2
-- End of Deckard's System Scanner: finished at 2007-10-30 16:35:02 ------------
Hi
Ok, .reg association seems to be fine.
Open notepad and copy/paste the text in the quotebox below into it:
Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
Save this as "CFScript"
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Nekkidbeerman
2007-10-31, 14:58
ComboFix 07-10-29.1 - Jeff 2007-10-31 8:45:50.2 - FAT32x86
Running from: C:\tools\ComboFix.exe
Command switches used :: C:\tools\CFScript.txt
.
((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-31 )))))))))))))))))))))))))))))))
.
2007-10-30 16:34 16,384 --a----t- C:\WINNT\SYSTEM32\Perflib_Perfdata_4e8.dat
2007-10-30 16:33 <DIR> d-------- C:\Deckard
2007-10-30 14:04 16,384 --a----t- C:\WINNT\SYSTEM32\Perflib_Perfdata_3ac.dat
2007-10-30 14:04 16,384 --a----t- C:\WINNT\SYSTEM32\Perflib_Perfdata_308.dat
2007-10-30 11:58 <DIR> d-------- C:\Program Files\A-B
2007-10-30 11:50 <DIR> d-------- C:\Program Files\v3.1.16
2007-10-30 09:44 51,200 --a------ C:\WINNT\NirCmd.exe
2007-10-30 08:22 <DIR> d-------- C:\WINNT\ERUNT
2007-10-30 07:47 2,312 --a------ C:\WINNT\SYSTEM32\tmp.reg
2007-10-30 07:35 589 --a------ C:\WINNT\SYSTEM32\hvpnhkvf.dll
2007-10-29 11:50 <DIR> d-------- C:\Documents and Settings\Jeff\Application Data\TrojanHunter
2007-10-29 10:26 <DIR> d-------- C:\WINNT\PCHEALTH
2007-10-29 09:33 102,664 --a------ C:\WINNT\SYSTEM32\DRIVERS\tmcomm.sys
2007-10-29 09:29 <DIR> d-------- C:\Documents and Settings\Jeff\.housecall6.6
2007-10-29 09:01 <DIR> d-------- C:\Program Files\InterMute
2007-10-29 07:35 589 --a------ C:\WINNT\SYSTEM32\ceymhgmf.dll
2007-10-26 09:44 92,672 --a------ C:\WINNT\SYSTEM32\KillBox.exe
2007-10-26 07:31 <DIR> d-------- C:\tools
2007-10-25 16:05 <DIR> d-------- C:\Program Files\BillP Studios
2007-10-25 16:05 <DIR> d-------- C:\Documents and Settings\Jeff\Application Data\WinPatrol
2007-10-25 11:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Attachmate
2007-09-11 09:45 <DIR> d-------- C:\WINNT\winsxs
2007-09-11 09:45 <DIR> d-------- C:\Program Files\MSECache
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-21 19:44 66,024 ----a-w C:\Documents and Settings\Jeff\Application Data\GDIPFONTCACHEV1.DAT
2007-08-19 21:55 93,184 ----a-w C:\WINNT\SYSTEM32\dllcache\OEIMPORT.DLL
2007-08-19 21:55 91,136 ----a-w C:\WINNT\SYSTEM32\MSOERT2.DLL
2007-08-19 21:55 91,136 ----a-w C:\WINNT\SYSTEM32\dllcache\MSOERT2.DLL
2007-08-19 21:55 77,824 ----a-w C:\WINNT\SYSTEM32\dllcache\WABIMP.DLL
2007-08-19 21:55 75,776 ----a-w C:\WINNT\SYSTEM32\dllcache\DIRECTDB.DLL
2007-08-19 21:55 596,992 ----a-w C:\WINNT\SYSTEM32\INETCOMM.DLL
2007-08-19 21:55 596,992 ----a-w C:\WINNT\SYSTEM32\dllcache\INETCOMM.DLL
2007-08-19 21:55 56,832 ----a-w C:\WINNT\SYSTEM32\dllcache\MSIMN.EXE
2007-08-19 21:55 55,808 ----a-w C:\WINNT\SYSTEM32\dllcache\OEMIG50.EXE
2007-08-19 21:55 47,616 ----a-w C:\WINNT\SYSTEM32\INETRES.DLL
2007-08-19 21:55 47,616 ----a-w C:\WINNT\SYSTEM32\dllcache\INETRES.DLL
2007-08-19 21:55 465,920 ----a-w C:\WINNT\SYSTEM32\dllcache\WAB32.DLL
2007-08-19 21:55 42,496 ----a-w C:\WINNT\SYSTEM32\dllcache\WAB.EXE
2007-08-19 21:55 31,744 ----a-w C:\WINNT\SYSTEM32\dllcache\OEMIGLIB.DLL
2007-08-19 21:55 30,208 ----a-w C:\WINNT\SYSTEM32\dllcache\WABFIND.DLL
2007-08-19 21:55 27,648 ----a-w C:\WINNT\SYSTEM32\dllcache\WABMIG.EXE
2007-08-19 21:55 229,376 ----a-w C:\WINNT\SYSTEM32\MSOEACCT.DLL
2007-08-19 21:55 229,376 ----a-w C:\WINNT\SYSTEM32\dllcache\MSOEACCT.DLL
2007-08-19 21:55 2,479,616 ----a-w C:\WINNT\SYSTEM32\dllcache\MSOERES.DLL
2007-08-19 21:55 1,176,064 ----a-w C:\WINNT\SYSTEM32\dllcache\MSOE.DLL
2007-08-19 21:52 44,032 ----a-w C:\WINNT\SYSTEM32\MSIDENT.DLL
2007-08-19 21:52 44,032 ----a-w C:\WINNT\SYSTEM32\dllcache\MSIDENT.DLL
2007-08-17 17:21 132,096 ----a-w C:\WINNT\SYSTEM32\dllcache\MSRATING.DLL
2007-08-17 17:20 402,944 ----a-w C:\WINNT\SYSTEM32\dllcache\SHLWAPI.DLL
2007-08-17 17:20 143,360 ----a-w C:\WINNT\SYSTEM32\dllcache\CDFVIEW.DLL
2007-08-17 17:20 1,340,416 ----a-w C:\WINNT\SYSTEM32\dllcache\SHDOCVW.DLL
2007-08-17 17:20 1,018,368 ----a-w C:\WINNT\SYSTEM32\dllcache\BROWSEUI.DLL
2007-08-17 15:10 575,488 ----a-w C:\WINNT\SYSTEM32\dllcache\WININET.DLL
2007-08-17 15:10 462,336 ----a-w C:\WINNT\SYSTEM32\dllcache\URLMON.DLL
2007-08-17 15:10 12,288 ----a-w C:\WINNT\SYSTEM32\dllcache\JSPROXY.DLL
2007-08-17 15:08 69,632 ----a-w C:\WINNT\SYSTEM32\dllcache\INSENG.DLL
2007-08-17 15:08 498,176 ----a-w C:\WINNT\SYSTEM32\dllcache\MSTIME.DLL
2007-08-17 15:08 351,744 ----a-w C:\WINNT\SYSTEM32\dllcache\DXTMSFT.DLL
2007-08-17 15:08 34,816 ----a-w C:\WINNT\SYSTEM32\dllcache\PNGFILT.DLL
2007-08-17 15:08 236,032 ----a-w C:\WINNT\SYSTEM32\dllcache\IEPEERS.DLL
2007-08-17 15:07 2,705,408 ----a-w C:\WINNT\SYSTEM32\dllcache\MSHTML.DLL
2007-08-17 15:07 192,512 ----a-w C:\WINNT\SYSTEM32\dllcache\DXTRANS.DLL
2007-08-17 06:48 448,272 ----a-w C:\WINNT\SYSTEM32\oieng400.dll
2007-08-17 06:48 448,272 ------w C:\WINNT\SYSTEM32\dllcache\oieng400.dll
2007-08-17 06:48 39,184 ----a-w C:\WINNT\SYSTEM32\jpeg2x32.dll
2007-08-17 06:48 39,184 ------w C:\WINNT\SYSTEM32\dllcache\jpeg2x32.dll
2007-08-17 06:48 33,552 ----a-w C:\WINNT\SYSTEM32\tifflt.dll
2007-08-17 06:48 33,552 ------w C:\WINNT\SYSTEM32\dllcache\tifflt.dll
2007-08-10 11:53 454,656 ----a-w C:\putty.exe
2007-07-30 23:19 92,504 ----a-w C:\WINNT\SYSTEM32\dllcache\cdm.dll
2007-07-30 23:19 92,504 ----a-w C:\WINNT\SYSTEM32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINNT\SYSTEM32\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINNT\SYSTEM32\wuauclt.exe
2007-07-30 23:19 53,080 ----a-w C:\WINNT\SYSTEM32\dllcache\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINNT\SYSTEM32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINNT\SYSTEM32\wucltui.dll
2007-07-30 23:19 271,224 ----a-w C:\WINNT\SYSTEM32\mucltui.dll
2007-07-30 23:19 207,736 ----a-w C:\WINNT\SYSTEM32\muweb.dll
2007-07-30 23:19 203,096 ----a-w C:\WINNT\SYSTEM32\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINNT\SYSTEM32\wuaueng.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINNT\SYSTEM32\dllcache\wuaueng.dll
2007-07-30 23:18 33,624 ----a-w C:\WINNT\SYSTEM32\wups.dll
2007-07-17 06:42 439,056 ----a-w C:\WINNT\SYSTEM32\rpcrt4.dll
2007-07-17 06:42 439,056 ------w C:\WINNT\SYSTEM32\dllcache\rpcrt4.dll
2007-04-27 20:08 299,288 ----a-w C:\Program Files\GmailInstaller.exe
2007-04-27 19:59 1,145,896 ----a-w C:\Program Files\GoogleToolbarInstaller.exe
2006-06-07 15:10 62,328 ----a-w C:\Documents and Settings\Larry Allen.BUDOFASHEVILLE\Application Data\GDIPFONTCACHEV1.DAT
2004-01-27 17:04 124,956 ----a-w C:\Program Files\INSTALL.LOG
2001-09-28 20:00 164,512 ----a-w C:\Program Files\UNWISE.EXE
2001-06-19 17:05 271 ---ha-w C:\Program Files\DESKTOP.INI
2001-06-19 17:05 21,952 ---ha-w C:\Program Files\FOLDER.HTT
2001-05-08 11:00 32,528 ----a-w C:\WINNT\INF\WBFIRDMA.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 15:05 C:\WINNT\SYSTEM32\mobsync.exe]
"SxgTkBar"="SxgTkBar.exe" [00-04-10 08:10 C:\WINNT\SYSTEM32\sxgtkbar.exe]
"HPDJ Taskbar Utility"="C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe" [03-07-28 09:43 ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [05-10-04 12:42 ]
"vptray"="C:\PROGRA~1\SYMANT~2\VPTray.exe" [05-11-15 13:28 ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07-07-12 04:00 ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07-06-15 15:04 ]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [05-07-15 17:48 ]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [01-02-20 13:09 C:\WINNT\SYSTEM32\CTFMON.EXE]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07-07-17 11:05 ]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [06-03-30 16:45 ]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ctfmon.exe"=ctfmon.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
SRS Auto.lnk - C:\VIPPCS\SRS Auto.exe [2006-11-10 14:38:06]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 22:07:32]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
R0 fasttrak;fasttrak;C:\WINNT\system32\DRIVERS\fasttrak.sys
R0 Fd16_700;Fd16_700;C:\WINNT\system32\DRIVERS\fd16_700.sys
R0 mraid2k;mraid2k;C:\WINNT\system32\DRIVERS\mraid2k.sys
R2 3ComDMIService;3Com DMI Agent;C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
R2 ActionAgent;ActionAgent;C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
R2 BCAITDI;3Com BCAITDI DMI TDI;C:\WINNT\system32\DRIVERS\BCAItdi.sys
R2 DLT;DLT;C:\Program Files\Dell\OpenManage\Client\DLT.exe
R2 MSSQL$ABRSM;MSSQL$ABRSM;C:\Program Files\Microsoft SQL Server\MSSQL$ABRSM\Binn\sqlservr.exe -sABRSM
R2 tcaicchg;tcaicchg;\??\C:\WINNT\System32\tcaicchg.sys
R2 TCAITDI;TCAITDI Protocol;C:\WINNT\system32\DRIVERS\TCAITDI.sys
R3 ati2mtaa;ati2mtaa;C:\WINNT\system32\DRIVERS\ati2mtaa.sys
S1 sxgbvswp;sxgbvswp;C:\WINNT\system32\drivers\sxgbvswp.SYS
S3 ichaud;Service for AC'97 Driver (WDM);C:\WINNT\system32\drivers\ichaud.sys
S3 SQLAgent$ABRSM;SQLAgent$ABRSM;C:\Program Files\Microsoft SQL Server\MSSQL$ABRSM\Binn\sqlagent.EXE -i ABRSM
.
**************************************************************************
catchme 0.3.1239 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-31 08:48:05
Windows 5.0.2195 Service Pack 4 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-31 8:48:33
.
--- E O F ---
Hi
Delete these:
C:\WINNT\SYSTEM32\hvpnhkvf.dll
C:\WINNT\SYSTEM32\ceymhgmf.dll
Empty Recycle Bin
Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:
o Scan using the following Anti-Virus database:
+ Extended (If available otherwise Standard)
o Scan Options:
+ Scan Archives
+ Scan Mail Bases
Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.
Post:
- a fresh HijackThis log
- kaspersky report
Nekkidbeerman
2007-10-31, 21:08
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:58:08 PM, on 10/31/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ABRSM\Binn\sqlservr.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\dmi\win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\SxgTkBar.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\VIPPCS\SRS Auto.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Attachmate\KEA! VT\keavt.exe
C:\Program Files\Attachmate\KEA! VT\KEASYS.EXE
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINNT\msagent\AgentSvr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\tools\Nekki.exe.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkage
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll (disabled by BHODemon)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O4 - .DEFAULT Startup: Shortcut to Microsoft Outlook.lnk = ? (User 'Default user')
O4 - Startup: Shortcut to Microsoft Outlook.lnk = ?
O4 - Global Startup: SRS Auto.lnk = C:\VIPPCS\SRS Auto.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - https://www.budnet.com/ABR/Template/ABRReports.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {B82FA17C-F3A9-11D2-B5DD-0050041B7FF6} (SAXFile FileDownload ActiveX Control) - http://www.abmarketing.com/SAXFile/SAXFile.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://anheuser-busch.webex.com/client/v_mywebex-t20/support/ieatgpc.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup152.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = budofasheville.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = budofasheville.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = budofasheville.local
O23 - Service: 3Com DMI Agent (3ComDMIService) - 3Com Corporation - C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
O23 - Service: DEventAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Remote Registry Service (RemoteRegistry) - Unknown owner - C:\WINNT\system32\regsvc.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Win32Sl - Intel - C:\dmi\win32\bin\Win32sl.exe
--
End of file - 8365 bytes
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2007-10-31 14:45
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 31/10/2007
Kaspersky Anti-Virus database records: 449353
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
L:\
M:\
P:\
S:\
T:\
U:\
Y:\
Z:\
Scan Statistics:
Total number of scanned objects: 80513
Number of viruses found: 10
Number of infected objects: 20
Number of suspicious objects: 0
Duration of the scan process: 02:02:34
Infected Object Name / Virus Name / Last Action
C:\WINNT\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\SYSTEM.ALT Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINNT\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINNT\SYSTEM32\WBEM\Repository\CIM.REP Object is locked skipped
C:\WINNT\SYSTEM32\Perflib_Perfdata_308.dat Object is locked skipped
C:\WINNT\SYSTEM32\Perflib_Perfdata_3ac.dat Object is locked skipped
C:\WINNT\SYSTEM32\Perflib_Perfdata_4e8.dat Object is locked skipped
C:\WINNT\DEBUG\PASSWD.LOG Object is locked skipped
C:\WINNT\DEBUG\ipsecpa.log Object is locked skipped
C:\WINNT\DEBUG\oakley.log Object is locked skipped
C:\WINNT\DEBUG\Netlogon.log Object is locked skipped
C:\WINNT\SCHEDLGU.TXT Object is locked skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\AdvPack.log Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
C:\WINNT\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
C:\WINNT\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
C:\WINNT\SoftwareDistribution\EventCache\{417BD3BA-D884-4B12-BE1F-70254ED9CE73}.bin Object is locked skipped
C:\tools\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\tools\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\tools\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\tools\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08180001\4F3826F8.VBN Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06C80000\47E8DC8C.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.iu skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06C80001\47E8DCC0.VBN Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06C80002\47E8DCF3.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.il skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05940001\47B5780D.VBN Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07A00001\47A1E54F.VBN Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\Jeff\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Jeff\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Jeff\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jeff\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jeff\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jeff\Local Settings\Temp\KEA46.tmp Object is locked skipped
C:\Documents and Settings\Jeff\Local Settings\Temp\~DFEDF0.tmp Object is locked skipped
C:\Documents and Settings\Jeff\Local Settings\Temp\~DFF026.tmp Object is locked skipped
C:\Documents and Settings\Jeff\Local Settings\Temp\~DF18EB.tmp Object is locked skipped
C:\Documents and Settings\Jeff\Application Data\Microsoft\Outlook\Outlook.srs Object is locked skipped
C:\Documents and Settings\Jeff\Application Data\Microsoft\Outlook\Outlook.NK2 Object is locked skipped
C:\Documents and Settings\Jeff\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped
C:\Documents and Settings\Jeff\Application Data\Microsoft\Word\STARTUP\DVZWDAddin.dot Object is locked skipped
C:\Documents and Settings\Jeff\Application Data\WinPatrol\vault\jdllajme.exe Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\Jeff\Application Data\WinPatrol\vault\laecimyx.exe Infected: Trojan.Win32.Agent.bck skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ABRSM\LOG\ERRORLOG Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ABRSM\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ABRSM\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ABRSM\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ABRSM\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ABRSM\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ABRSM\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\LOG\ERRORLOG Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\msdbdata.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\msdblog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\wcs_mobdb_Data.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\wcs_mobdb_Log.ldf Object is locked skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0054NAV~.TMP Object is locked skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0053NAV~.TMP Object is locked skipped
C:\DMI\WIN32\MifDB\errors.log Object is locked skipped
C:\Temp\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
S:\UltraVNC\UltraVNC-102-Setup.exe/file04 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
S:\UltraVNC\UltraVNC-102-Setup.exe/file05 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
S:\UltraVNC\UltraVNC-102-Setup.exe/file34 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped
S:\UltraVNC\UltraVNC-102-Setup.exe Inno: infected - 3 skipped
S:\VNC\tightvnc-1.2.9-setup.exe/data0002 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h skipped
S:\VNC\tightvnc-1.2.9-setup.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
S:\VNC\tightvnc-1.2.9-setup.exe Inno: infected - 2 skipped
Y:\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
Y:\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
Y:\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
Y:\History\History.IE5\index.dat Object is locked skipped
Y:\History\History.IE5\MSHist012007103120071101\index.dat Object is locked skipped
Y:\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
Y:\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
Scan process completed.
Hi
Empty these folders:
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine
C:\Documents and Settings\Jeff\Application Data\WinPatrol\vault\
Empty Recycle Bin
Still problems?
Nekkidbeerman
2007-11-01, 14:56
No I am running awesome now. Thank you for all your help.. Look forward to eventually helping others myself.. Thanks again!!!
Hi
Then you're clean!
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update: Download the latest version of Java Runtime Environment (JRE) 6 Update 3 (http://java.sun.com/javase/downloads/index.jsp) and save it to your desktop.
Scroll down to where it says "Java Runtime Environment (JRE) 6u3...allows end-users to run Java applications".
Click the "Download" button to the right.
Read the License Agreement and then check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation and save the file to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.
You can remove all tools we used.
Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
You can find instructions on how to enable and re-enable system restore here:
Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)
Re-enable system restore with instructions from tutorial above
Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
See this link for a listing of some online & their stand-alone antivirus programs:
Virus, Spyware, and Malware Protection and Removal Resources (http://www.bleepingcomputer.com/forums/topic405.html)
Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.
For a tutorial on Firewalls and a listing of some available ones see the link below:
Understanding and Using Firewalls (http://www.bleepingcomputer.com/tutorials/tutorial60.html)
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.
A tutorial on installing & using this product can be found here:
Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.
This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an anti virus software. A tutorial on installing & using this product can be found here:
Instructions for - Spybot S & D and Ad-aware (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.
Here are some additional utilities that will enhance your safety
IE/Spyad (http://www.spywarewarrior.com/uiuc/resource.htm) <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Comodo BOCLEAN (http://www.comodo.com/boclean/boclean.html) <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)
Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make difference!
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://castlecops.com/postlite7736-.html)
Happy surfing and stay clean!
Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.
Everyone else please begin a New Topic.