Command Service/Adware_Command/OuterInfo



orbo777
2006-11-05, 10:57
I recently got hit with a barrage of pop-ups. After running AdAware and Spyware Doctor, the problem would go away for a few hours then start to crop up again. The name that comes up on the pop-up windows most often is OuterInfo. Also I've noticed that when playing an online game my system will freeze for about 2 seconds every minute or so (time between varies).

I uninstalled my old Spybot S&D and installed the latest version and got the updates. Every time I run it, it finds Command Service and a handful of other seemingly random items. Everything removes successfully except Command Service. I let Spybot run before anything else loads and it only removes 1 out of 3 Registry entries for Command Service.

I followed step 1 and did the online virus scan at Trend Micro. It found a handful of problems but did not generate a report I could copy/paste before or after fixing the problems (one was Adware_Command).

Step 2-3, I ran Spybot in safe mode, where it found the typical results I already mentioned. It still couldn't remove Command Service so I let it run first and rebooted to safe mode again. Spybot didn't run automatically so I ran it but cancelled the check when it found Command Service. I rebooted normally and Spybot found CS again but still could only remove 1 of the 3 items.

Step 4, I ran HJT, with the following Log generated:

Logfile of HijackThis v1.99.1
Scan saved at 4:38:04 AM, on 11/5/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\S?mantec\?srss.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\HiJackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - {74BD51B0-C952-CCDC-7D57-BDCE6BEFE8C7} - C:\WINDOWS\System32\mppyenk.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {74BD51B0-C952-CCDC-7D57-BDCE6BEFE8C7} - C:\WINDOWS\System32\mppyenk.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [Ousr] C:\Program Files\Common Files\S?mantec\?srss.exe
O4 - HKCU\..\Run: [Rcmm] "C:\WINDOWS\System32\FNTS~1\services.exe" -vt ndrv
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136756627953
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://playgames.comcast.net/online2/bejeweled2/popcaploader_v6.cab
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Um9iIEZhY2tsZXI\command.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

pskelley
2006-11-06, 14:46
Welcome to the forum. If you still need help and are not receiving it elsewhere, I'll see what I can do. Please follow the directions carefully and use the "Post Reply" button to stay in this same topic.
Since I see no virus scan log, you may have missed this important information:
"BEFORE you POST" -Preliminary Steps and scanning with SPYBOT-S&D
http://forums.spybot.info/showthread.php?t=288

1) Turn off TeaTimer when running a fix, it will block the changes we must make:
http://russelltexas.com/malware/teatimer.htm

2) Start > Control Panel > Add Remove programs and uninstall PuritySCAN By OIN, OIN, OuterInfo or any variation of this junk. Uninstall any other programs you know do not belong there, if you are unsure let me know and I will look.

3) Thanks to sUBs and anyone who helped with this fix.

1. Download ComboFix.exe using either of these links:

* bleepingcomputer.com
http://download.bleepingcomputer.com/sUBs/combofix.exe
* techsupportforum.com
http://www.techsupportforum.com/sectools/combofix.exe
2. Double click on combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If the log is large You might need to post half in one reply half in another.

Thanks

orbo777
2006-11-06, 19:35
Hi pskelley, thank you for the help.

I did run the TrendMicro Housecall online virus scan for step 1 of the Before you Post process. It found several items but didn't give me any kind of report I could copy/paste here.

1. Turned off TeaTimer.

2. I didn't find anything abnormal in Add/Remove Programs. I did remove Purity Scan or OuterInfo when I first started seeing the problems.

combofix log:

Administrator - 06-11-06 13:17:20.57 Service Pack 1
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Administrator\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\{3E2C6B1B-0320-1033-0908-040614040001}
C:\Program Files\Common Files\{9E2C6B1B-0320-1033-0908-040614040001}
C:\WINDOWS\Um9iIEZhY2tsZXI

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Program Files\YSTEM~1
C:\QooBox\Purity\Program Files\Common Files\SMANTE~1
C:\QooBox\Purity\Program Files\Common Files\SMANTE~1\?srss.exe
C:\QooBox\Purity\WINDOWS\system32\FNTS~1
C:\QooBox\Purity\WINDOWS\system32\FNTS~1\FNTS~1
C:\QooBox\Purity\WINDOWS\system32\FNTS~1\services.exe


((((((((((((((((((((((((((((((( Files Created from 2006-10-06 to 2006-11-06 ))))))))))))))))))))))))))))))))))


2006-11-03 14:40 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2006-11-03 14:40 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2006-11-03 13:38 979 --a------ C:\WINDOWS\system32\winpfg32.sys
2006-11-03 13:38 433,632 --a------ C:\WINDOWS\hancerdoem.exe
2006-11-03 13:38 36,864 --a------ C:\WINDOWS\unstall.exe
2006-11-03 13:38 1,259 --a------ C:\WINDOWS\system32\ytca78f4.sys
2006-11-03 13:36 131,072 --a------ C:\WINDOWS\system32\mppyenk.dll
2006-11-03 04:54 2 --a------ C:\WINDOWS\system32\wtssvit.exe
2006-11-03 04:54 162,816 --a------ C:\sstray.exe
2006-11-03 04:54 1,685 --a------ C:\WINDOWS\U.exe
2006-11-03 04:54 1,685 --a------ C:\U.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-06 13:17 -------- d-------- C:\Program Files\Common Files
2006-11-05 03:23 -------- d-------- C:\Program Files\Java
2006-11-05 03:22 -------- d-------- C:\Program Files\Common Files\Java
2006-11-04 14:19 -------- d-------- C:\Program Files\Outlook Express
2006-11-04 14:19 -------- d-------- C:\Program Files\Common Files\System
2006-11-04 14:18 -------- d-------- C:\Program Files\Windows Media Player
2006-11-04 13:28 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-04 03:19 -------- d-------- C:\Program Files\PartyGaming
2006-11-03 13:45 -------- d-------- C:\Program Files\Lavasoft
2006-11-03 13:45 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2006-11-03 13:38 -------- d-------- C:\Program Files\em
2006-10-22 02:32 -------- d-------- C:\Program Files\WowReader
2006-10-09 00:20 -------- d-------- C:\Program Files\ATI Technologies
2006-10-09 00:19 -------- d-------- C:\Documents and Settings\Administrator\Application Data\ATI
2006-10-08 20:54 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-01 13:14 -------- d-------- C:\Program Files\World of Warcraft
2006-09-13 00:09 1110528 --a------ C:\WINDOWS\system32\msxml3.dll
2006-08-25 10:53 561664 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-25 04:14 595968 --a------ C:\WINDOWS\system32\xpsp2res.dll
2006-08-16 07:14 95232 --a------ C:\WINDOWS\system32\6to4svc.dll
2006-08-16 07:14 70656 --a------ C:\WINDOWS\system32\ws2_32.dll
2006-08-16 07:14 54272 --a------ C:\WINDOWS\system32\ipv6mon.dll
2006-08-16 07:14 31232 --a------ C:\WINDOWS\system32\inetmib1.dll
2006-08-16 07:14 13312 --a------ C:\WINDOWS\system32\wship6.dll
2006-08-16 04:42 159232 --a------ C:\WINDOWS\system32\xpob2res.dll
2006-08-16 04:28 48640 --a------ C:\WINDOWS\system32\ipv6.exe
2006-08-16 04:27 83456 --a------ C:\WINDOWS\system32\netsh.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Ousr"="C:\\Program Files\\Common Files\\S?mantec\\?srss.exe"
"Rcmm"="\"C:\\WINDOWS\\System32\\FNTS~1\\services.exe\" -vt ndrv"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce\CTStartup]
"CTStartup"="\"C:\\Program Files\\Creative\\Splash Screen\\CTEaxSpl.EXE\" /play"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"CTStartup"="C:\\Program Files\\Creative\\Splash Screen\\CTEaxSpl.EXE /run"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=hex:5f,00,00,00

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Drempels Desktop.lnk]
"path"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\Drempels Desktop.lnk"
"backup"="C:\\WINDOWS\\pss\\Drempels Desktop.lnkStartup"
"location"="Startup"
"command"="C:\\WINDOWS\\drempels.exe /y"
"item"="Drempels Desktop"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\InterVideo WinCinema Manager.lnk"
"backup"="C:\\WINDOWS\\pss\\InterVideo WinCinema Manager.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\INTERV~1\\Common\\Bin\\WINCIN~1.EXE "
"item"="InterVideo WinCinema Manager"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Nero StartSmart.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Nero StartSmart.lnk"
"backup"="C:\\WINDOWS\\pss\\Nero StartSmart.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Ahead\\NEROST~1\\NEROST~1.EXE "
"item"="Nero StartSmart"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VIA RAID TOOL.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\VIA RAID TOOL.lnk"
"backup"="C:\\WINDOWS\\pss\\VIA RAID TOOL.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\VIA\\RAID\\RAID_T~1.EXE "
"item"="VIA RAID TOOL"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ADGJDet"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Creative\\SBAudigy\\PROGRAM\\ADGJDet.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RunDLL32"
"hkey"="HKLM"
"command"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TeaTimer"
"hkey"="HKCU"
"command"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Steam"
"hkey"="HKCU"
"command"="C:\\Program Files\\Valve\\Steam\\Steam.exe -silent"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UpdReg"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\UpdReg.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="C:\\Program Files\\Winamp\\winampa.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CTHELPER"
"hkey"="HKLM"
"command"="CTHELPER.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-11-06 13:18:02.89
C:\ComboFix.txt ... 06-11-06 13:18

orbo777
2006-11-06, 19:36
hjt log:

Logfile of HijackThis v1.99.1
Scan saved at 1:21:22 PM, on 11/6/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\S?mantec\?srss.exe
C:\WINDOWS\System32\FNTS~1\services.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\HiJackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - {74BD51B0-C952-CCDC-7D57-BDCE6BEFE8C7} - C:\WINDOWS\System32\mppyenk.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {74BD51B0-C952-CCDC-7D57-BDCE6BEFE8C7} - C:\WINDOWS\System32\mppyenk.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [Ousr] C:\Program Files\Common Files\S?mantec\?srss.exe
O4 - HKCU\..\Run: [Rcmm] "C:\WINDOWS\System32\FNTS~1\services.exe" -vt ndrv
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136756627953
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://playgames.comcast.net/online2/bejeweled2/popcaploader_v6.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

pskelley
2006-11-06, 20:15
Thanks for returning your information and for the feedback, here is what I would like you to do now. Make sure TeaTimer is turned off anytime you are running fixes.

1) I see no antivirus program running? This is cyber-suicide with all of the junk on the internet now. Choose one of these three free ones, download, install, update and run removing anything located.
http://free.grisoft.com/freeweb.php
http://www.avast.com/eng/avast_4_home.html
http://www.free-av.com/

I suggest AVG Free by Grisoft. Do not confuse this with the Spyware program, they do completely different jobs for your security.
If you use AVG Free, choose only the free version, do not choose trials or paid versions.

2) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

3) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

4) Download AVG Anti-Spyware 7.5 from this link. It is important that you follow the directions exactly. Do not run the program until I ask you to do so. When you run it, make sure you are in safe mode, and understand the directions for deleting or at least quarantining what it locates.
http://www.virusvault.co.uk/fusionbb/showtopic.php?tid/33/
Thanks to John McKenna for the tutorial.

5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R3 - URLSearchHook: (no name) - {74BD51B0-C952-CCDC-7D57-BDCE6BEFE8C7} - C:\WINDOWS\System32\mppyenk.dll
O2 - BHO: (no name) - {74BD51B0-C952-CCDC-7D57-BDCE6BEFE8C7} - C:\WINDOWS\System32\mppyenk.dll
O4 - HKCU\..\Run: [Ousr] C:\Program Files\Common Files\S?mantec\?srss.exe
O4 - HKCU\..\Run: [Rcmm] "C:\WINDOWS\System32\FNTS~1\services.exe" -vt ndrv
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://playgames.comcast.net/online2...ploader_v6.cab

Close all programs but HJT and all browser windows, then click on "Fix Checked"

6) RIGHT Click on Start then click on Explore. Locate and delete these items:

(be careful and delete only the files or folders I have highlighted in red. If you have a problem deleting them, do it in safe mode:)
http://www.bleepingcomputer.com/tutorials/tutorial61.html <<< instructions


(If a file or folder is not there, that is fine, just DO NOT miss any)

C:\Program Files\Common Files\S?mantec\ <<< Delete that folder

C:\WINDOWS\System32\FNTS~1\ <<< delete that folder

C:\WINDOWS\System32\mppyenk.dll <<< delete that file

7) Now follow the instructions to restart in Safe mode and run AVG Anti-Spyware according to the instructions. Make sure to save the report:
Then click Save report > Save report as and save the Report-Scan.txt to your desktop.


8) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer to return to normal mode and post the results of the AVG Anti-Spyware scan, and a new HJT log.

Thanks
(if you have questions, post them)
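The three entries singled out for "Fix Checked" above share traits a reviewer looks for when reading a HijackThis log: a path containing a character the tool could not display (printed as "?", which is not even a legal Windows file-name character), a file named like a core Windows binary running from somewhere other than System32, and a service whose binary no longer exists. The script below is an added example, not from this thread or from the HijackThis project; it applies those three checks to lines copied from the first log in the thread (sample input is constructed here), and its reason strings and function names are my own.

```python
import re

# Constructed sample input: lines copied from the first HijackThis log in this
# thread, plus two known-good lines (jusched.exe, nvsvc32.exe) for contrast.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [Ousr] C:\Program Files\Common Files\S?mantec\?srss.exe
O4 - HKCU\..\Run: [Rcmm] "C:\WINDOWS\System32\FNTS~1\services.exe" -vt ndrv
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Um9iIEZhY2tsZXI\command.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
""".strip()

# Core binaries that Windows XP always runs from these folders (compare the
# "Running processes" section of the log, where the real ones are listed).
SYSTEM_BINARIES = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# First drive-letter path on the line, up to and including its extension. HJT
# prints paths bare or in double quotes and may append " (file missing)".
_PATH_RE = re.compile(r'([A-Za-z]:\\.*?\.(?:exe|dll|ocx|sys))\b', re.IGNORECASE)


def extract_path(line):
    """Return the module path an HJT line points at, or None if it has none."""
    m = _PATH_RE.search(line)
    return m.group(1) if m else None


def _lookalike_of_system_binary(filename):
    """Treat '?' (a character HJT could not print) as a wildcard and report which
    core Windows binaries the name then matches, e.g. '?srss.exe' -> csrss.exe."""
    pattern = re.compile("^" + re.escape(filename).replace(r"\?", ".") + "$",
                         re.IGNORECASE)
    return [name for name in SYSTEM_BINARIES if pattern.match(name)]


def suspicious_reasons(line):
    """List the reasons an O4/O23-style line deserves a closer look (empty if none)."""
    reasons = []
    path = extract_path(line)
    if path is None:
        return reasons
    folder, _, filename = path.rpartition("\\")

    # '?' cannot occur in a real Windows file name, so it marks a character the
    # log could not render: the name on screen is not the name on disk.
    if "?" in path or any(ord(ch) > 126 for ch in path):
        reasons.append("undisplayable character in path")

    # A file named like a core system binary that is not in that binary's folder
    # (FNTS~1\services.exe in this thread) is masquerading, not the real thing.
    for sysname in _lookalike_of_system_binary(filename):
        if folder.lower() != SYSTEM_BINARIES[sysname]:
            reasons.append("looks like %s but runs from %s" % (sysname, folder))

    # A service definition that outlived its binary is a leftover to clean up;
    # it is why Spybot kept re-reporting "Command Service" after the file was gone.
    if line.startswith("O23") and "(file missing)" in line:
        reasons.append("service registered for a binary that no longer exists")
    return reasons


def triage_hjt_log(text):
    """Map each flagged log line to its reasons, preserving log order."""
    findings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            reasons = suspicious_reasons(line)
            if reasons:
                findings[line] = reasons
    return findings


if __name__ == "__main__":
    for line, reasons in triage_hjt_log(SAMPLE_HJT_LOG).items():
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

These are heuristics for prioritising what to look at, not proof of malware: "(file missing)" on an O23 line also appears when HJT misparses a quoted service path, so each hit still needs a person to confirm it.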

orbo777
2006-11-07, 11:06
Ok, I've followed these steps.

1. I downloaded and installed avast, updated, and ran it from before bootup then again after boot, I have logs of both if you need them.

2. Made files/folders visible.

3 & 4. Downloaded ATF Cleaner and AVG Anti-Spyware.

5. Fixed the instructed items in HJT.

6. None of those files/folders were present.

7. Rebooted to Safe Mode, ran AVG Anti-Spyware according to the tutorial.

8. Ran ATF Cleaner.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:49:46 AM 11/7/2006

+ Scan result:



C:\System Volume Information\_restore{22DB160A-50BB-4F8F-AA53-6C64C8F9B7C3}\RP489\A0129656.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{22DB160A-50BB-4F8F-AA53-6C64C8F9B7C3}\RP453\A0128884.dll -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{22DB160A-50BB-4F8F-AA53-6C64C8F9B7C3}\RP453\A0128882.exe -> Adware.Webhancer.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Cookies\administrator@ameriprise.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.50:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\fibs0ryq.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.


::Report end

orbo777
2006-11-07, 11:07
Logfile of HijackThis v1.99.1
Scan saved at 4:56:12 AM, on 11/7/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\HiJackThis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136756627953
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

pskelley
2006-11-07, 13:50
1. I downloaded and installed avast, updated, and ran it from before bootup then again after boot, I have logs of both if you need them.

I am interested in any malware Avast located but could not remove, I will not need to see more than that at this time.

That is a clean HJT log, great job:bigthumb: following those instructions. Sometimes HJT removes the junk, but I like to double check. How is the computer running?

Use one or more of these free online scanners to check these files. Delete them if they are bad.
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html

C:\WINDOWS\system32\msvcp71.dll <<< careful may be good
C:\WINDOWS\system32\msvcr71.dll <<< careful may be good
C:\WINDOWS\system32\winpfg32.sys
C:\WINDOWS\hancerdoem.exe <<< bad, no need to scan, delete it.
C:\WINDOWS\unstall.exe
C:\WINDOWS\system32\ytca78f4.sys
C:\WINDOWS\system32\mppyenk.dll
C:\WINDOWS\system32\wtssvit.exe
C:\sstray.exe
C:\WINDOWS\U.exe
C:\U.exe

Be very careful here, I believe all files are bad but the first two. They may also be infected, the scanner will tell you. Delete them if they are bad, they will move to the recycle bin, delete them from there after a few days.
Once you are finished, post a new combofix log and let me know how the computer is running. If you run ATF-Cleaner, skip cleaning the Recycle Bin for a few days.

Thanks

Once this cleanup is complete, you need to be thinking about updating to SP2. SP1 is no longer supported by Microsoft and the updates you need to be secure are no longer available, see this helpful information:
http://www.microsoft.com/windowsxp/downloads/updates/sp2/cdorder/en_us/default.mspx
http://www.microsoft.com/windowsxp/sp2/sp2_whattoknow.mspx
http://www.microsoft.com/windowsxp/sp2/sysreqs.mspx

orbo777
2006-11-07, 21:40
I don't think avast came up with anything it couldn't fix.

The system seems to be running ok, though I have yet to try it for games. I'll try that tonight.

I used the jotti.org scan. Everything came up fine except the following:

I couldn't find these files
C:\WINDOWS\system32\mppyenk.dll
C:\WINDOWS\U.exe
C:\U.exe

This one came up with several different problems, and I deleted it
C:\sstray.exe

This one came up with "probable unknown NewHeur_PE" found by NoD32. I left it intact as it said it may be a false positive.
C:\WINDOWS\unstall.exe

combofix log coming shortly...

orbo777
2006-11-07, 21:46
Administrator - 06-11-07 15:42:49.10 Service Pack 1
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Administrator\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Program Files\YSTEM~1
C:\QooBox\Purity\Program Files\Common Files\SMANTE~1
C:\QooBox\Purity\Program Files\Common Files\SMANTE~1\?srss.exe
C:\QooBox\Purity\WINDOWS\system32\FNTS~1
C:\QooBox\Purity\WINDOWS\system32\FNTS~1\FNTS~1


((((((((((((((((((((((((((((((( Files Created from 2006-10-07 to 2006-11-07 ))))))))))))))))))))))))))))))))))


2006-11-07 03:51 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-06 14:31 87,424 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2006-11-06 14:31 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2006-11-06 14:31 36,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2006-11-06 14:31 24,560 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2006-11-06 14:31 16,352 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2006-11-06 14:30 90,112 --a------ C:\WINDOWS\system32\AVASTSS.scr
2006-11-06 14:30 666,240 --a------ C:\WINDOWS\system32\aswBoot.exe
2006-11-06 14:30 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2006-11-03 14:40 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2006-11-03 14:40 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2006-11-03 13:38 979 --a------ C:\WINDOWS\system32\winpfg32.sys
2006-11-03 13:38 36,864 --a------ C:\WINDOWS\unstall.exe
2006-11-03 13:38 1,259 --a------ C:\WINDOWS\system32\ytca78f4.sys
2006-11-03 04:54 2 --a------ C:\WINDOWS\system32\wtssvit.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-07 03:51 -------- d-------- C:\Program Files\Grisoft
2006-11-06 14:30 -------- d-------- C:\Program Files\Alwil Software
2006-11-06 13:17 -------- d-------- C:\Program Files\Common Files
2006-11-05 03:23 -------- d-------- C:\Program Files\Java
2006-11-05 03:22 -------- d-------- C:\Program Files\Common Files\Java
2006-11-04 14:19 -------- d-------- C:\Program Files\Outlook Express
2006-11-04 14:19 -------- d-------- C:\Program Files\Common Files\System
2006-11-04 14:18 -------- d-------- C:\Program Files\Windows Media Player
2006-11-04 13:28 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-04 03:19 -------- d-------- C:\Program Files\PartyGaming
2006-11-03 13:45 -------- d-------- C:\Program Files\Lavasoft
2006-11-03 13:45 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2006-11-03 13:38 -------- d-------- C:\Program Files\em
2006-10-22 02:32 -------- d-------- C:\Program Files\WowReader
2006-10-09 00:20 -------- d-------- C:\Program Files\ATI Technologies
2006-10-09 00:19 -------- d-------- C:\Documents and Settings\Administrator\Application Data\ATI
2006-10-08 20:54 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-01 13:14 -------- d-------- C:\Program Files\World of Warcraft
2006-09-13 00:09 1110528 --a------ C:\WINDOWS\system32\msxml3.dll
2006-08-25 10:53 561664 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-25 04:14 595968 --a------ C:\WINDOWS\system32\xpsp2res.dll
2006-08-16 07:14 95232 --a------ C:\WINDOWS\system32\6to4svc.dll
2006-08-16 07:14 70656 --a------ C:\WINDOWS\system32\ws2_32.dll
2006-08-16 07:14 54272 --a------ C:\WINDOWS\system32\ipv6mon.dll
2006-08-16 07:14 31232 --a------ C:\WINDOWS\system32\inetmib1.dll
2006-08-16 07:14 13312 --a------ C:\WINDOWS\system32\wship6.dll
2006-08-16 04:42 159232 --a------ C:\WINDOWS\system32\xpob2res.dll
2006-08-16 04:28 48640 --a------ C:\WINDOWS\system32\ipv6.exe
2006-08-16 04:27 83456 --a------ C:\WINDOWS\system32\netsh.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce\CTStartup]
"CTStartup"="\"C:\\Program Files\\Creative\\Splash Screen\\CTEaxSpl.EXE\" /play"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"CTStartup"="C:\\Program Files\\Creative\\Splash Screen\\CTEaxSpl.EXE /run"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=hex:5f,00,00,00

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Drempels Desktop.lnk]
"path"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\Drempels Desktop.lnk"
"backup"="C:\\WINDOWS\\pss\\Drempels Desktop.lnkStartup"
"location"="Startup"
"command"="C:\\WINDOWS\\drempels.exe /y"
"item"="Drempels Desktop"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\InterVideo WinCinema Manager.lnk"
"backup"="C:\\WINDOWS\\pss\\InterVideo WinCinema Manager.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\INTERV~1\\Common\\Bin\\WINCIN~1.EXE "
"item"="InterVideo WinCinema Manager"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Nero StartSmart.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Nero StartSmart.lnk"
"backup"="C:\\WINDOWS\\pss\\Nero StartSmart.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Ahead\\NEROST~1\\NEROST~1.EXE "
"item"="Nero StartSmart"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VIA RAID TOOL.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\VIA RAID TOOL.lnk"
"backup"="C:\\WINDOWS\\pss\\VIA RAID TOOL.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\VIA\\RAID\\RAID_T~1.EXE "
"item"="VIA RAID TOOL"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ADGJDet"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Creative\\SBAudigy\\PROGRAM\\ADGJDet.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RunDLL32"
"hkey"="HKLM"
"command"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TeaTimer"
"hkey"="HKCU"
"command"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Steam"
"hkey"="HKCU"
"command"="C:\\Program Files\\Valve\\Steam\\Steam.exe -silent"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UpdReg"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\UpdReg.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="C:\\Program Files\\Winamp\\winampa.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CTHELPER"
"hkey"="HKLM"
"command"="CTHELPER.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-11-07 15:43:15.71
C:\ComboFix.txt ... 06-11-07 15:43
C:\ComboFix2.txt ... 06-11-06 13:19
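
The "Files Created" section of a ComboFix log like the one above is where a helper usually starts when deciding which files to send to an online scanner. The script below is an added example, not part of this thread and not ComboFix's own code: it parses entries in the shape ComboFix prints them (date, time, size, attribute flags, path) and applies two simple heuristics of my own, a tiny executable-type file and an executable sitting directly in the drive or Windows root, noting files created in the same minute as context. The sample lines are copied from the log above; the 2048-byte threshold and the root-directory rule are assumptions, and any such rule will flag some legitimate files, which is why the helper in this thread says "careful may be good" before deleting anything.

```python
import ntpath
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the shape of the "Files Created" section of the
# ComboFix log posted above (a handful of its lines, copied for illustration).
SAMPLE_LOG = """\
2006-11-07 03:51 3,968 --a------ C:\\WINDOWS\\system32\\drivers\\AvgAsCln.sys
2006-11-06 14:30 1,060,864 --a------ C:\\WINDOWS\\system32\\MFC71.dll
2006-11-03 13:38 979 --a------ C:\\WINDOWS\\system32\\winpfg32.sys
2006-11-03 13:38 36,864 --a------ C:\\WINDOWS\\unstall.exe
2006-11-03 13:38 1,259 --a------ C:\\WINDOWS\\system32\\ytca78f4.sys
2006-11-03 04:54 2 --a------ C:\\WINDOWS\\system32\\wtssvit.exe
2006-11-07 03:51 -------- d-------- C:\\Program Files\\Grisoft
"""

# One ComboFix entry: date, time, size (digits with optional thousands
# separators, or dashes for a directory), attribute flags, then the path.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+|-+) (?P<attrs>[a-z-]{9,10}) (?P<path>.+)$"
)

EXEC_EXTS = {".exe", ".sys", ".dll", ".scr", ".ocx"}
TINY_BYTES = 2048          # tunable heuristic threshold (my assumption, not from the log)
ROOT_DIRS = {"c:\\", "c:\\windows"}


def parse_combofix_files(text):
    """Return one dict per parsable entry; lines that do not match are skipped."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        is_dir = m["attrs"].startswith("d")
        size = None if is_dir else int(m["size"].replace(",", ""))
        records.append({
            "when": datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M"),
            "size": size,
            "is_dir": is_dir,
            "attrs": m["attrs"],
            "path": m["path"],
        })
    return records


def triage(records):
    """Return [(path, [reasons...])] for files that trip a heuristic.

    Heuristics (my own, for illustration): an executable-type file that is
    tiny, or one that sits directly in the drive or Windows root.  Files
    created in the same minute as a flagged file are noted as context,
    since a dropper usually writes its pieces together.
    """
    per_minute = Counter(r["when"] for r in records if not r["is_dir"])
    findings = []
    for r in records:
        if r["is_dir"]:
            continue
        ext = ntpath.splitext(r["path"])[1].lower()
        if ext not in EXEC_EXTS:
            continue
        reasons = []
        if r["size"] < TINY_BYTES:
            reasons.append(f"tiny {ext} file ({r['size']} bytes)")
        if ntpath.dirname(r["path"]).lower() in ROOT_DIRS:
            reasons.append("executable directly in the drive or Windows root")
        if reasons and per_minute[r["when"]] > 1:
            reasons.append(
                f"created in the same minute as {per_minute[r['when']] - 1} other file(s)")
        if reasons:
            findings.append((r["path"], reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in triage(parse_combofix_files(SAMPLE_LOG)):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, it singles out the three tiny driver/executable files and unstall.exe in C:\WINDOWS, the same four the helper asked to have scanned, and leaves the AVG driver and MFC71.dll alone. The output is a list of files to submit to a multi-engine scanner, not a verdict; the scanner result decides what gets deleted.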

orbo777
2006-11-07, 21:49
I am planning to upgrade to SP2 but I read somewhere along the way that the system needs to be squeaky clean before adding it.

When I'm done with everything, how much of the stuff I've downloaded do I need to keep? I assume at least avast and Spybot, but don't know if I need to keep the others.

pskelley
2006-11-07, 21:56
OK, looks good, one of the other programs must have removed those files. You can remove combofix from the computer, make sure C:\QooBox\ goes with it. Then let's do this:

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html

Safe surfing...tashi:) will close your topic in a few days.

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

pskelley
2006-11-07, 22:03
My suggestion would be to keep the ATF-Cleaner, it is a good little tool, and I suggest after the trial that you stop AVG Anti-Spyware from running completely and keep the scanner. Nothing should be running in the HJT log unless you are doing a scan. Updates are free and the scanner will do the job, you will not have the realtime protection in the freeware version.

Thanks

orbo777
2006-11-10, 00:59
Thank you for all the help. I haven't seen the lag while gaming, and I ran Spybot and found nothing. I did run through Jason's security tests and made some minor changes to Firefox's settings, and am paying more attention to my cookies.

The only thing that bothers me is, I turned TeaTimer back on when everything was done, and now every time I reboot, it pops up the same 3 items that want to be changed.

11/9/2006 6:48:48 PM Allowed value "{8E718888-423F-11D2-876E-00A0C9082467}" (new data: "") deleted in Global browser toolbar!
11/9/2006 6:48:48 PM Allowed value "BootExecute" (new data: "") deleted in Session manager!
11/9/2006 6:48:48 PM Allowed value "ExcludeFromKnownDlls" (new data: "") deleted in Session manager!


If I close the window or deny them they just keep popping up over and over again, so I've set them to always allow for now. Are they something bad?

pskelley
2006-11-10, 01:21
Hard to keep up with TeaTimer, there are a few false positives right now. I suggest you post here:
http://forums.spybot.info/forumdisplay.php?f=4
Those folks will be able to help you.

Thanks...Phil