
Thread: Unknown virus in my computer

  1. #1
    Member
    Join Date
    Apr 2008
    Posts
    47

    Default Unknown virus in my computer

    Hello, thank you for your time in this, very grateful.

    My problem is that when I try to play some online games, the game guards detect a virus on my computer and keep it from running. I ran Malwarebytes and it got rid of a few harmful viruses, but I still keep getting 3 programs that the GameGuard lists that have viruses in them.

    I ran a HijackThis scan and here's what I got:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 07:03, on 2008-07-15
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\System32\hphmon05.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\Program Files\interMute\SpamSubtract\SpamSub.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - URLSearchHook: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [Notn] "C:\WINDOWS\system32\ASKS~1\winspool.exe" -vt yazb (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Fowiv] C:\WINDOWS\system32\?ssembly\n?tdde.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Notn] "C:\WINDOWS\system32\ASKS~1\winspool.exe" -vt yazb (User 'Default user')
    O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
    O4 - Startup: Delta AutoLoad.lnk = C:\Documents and Settings\Owner\Desktop\Gaming Stuffs\Delta\delta.exe
    O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Norton Personal Firewall.lnk = C:\Program Files\Norton Personal Firewall\nisfirst.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O15 - Trusted Zone: http://support.f-secure.com
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1208915641656
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1208916465093
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 8939 bytes

  2. #2
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    hi slash_tbh,

    keep getting 3 programs
    Well, here are two of them:

    winspool.exe
    n?tdde.exe

    We will get two downloads to use. Run SDFix first (it runs only in Safe Mode),
    followed by ComboFix.

    sdfix:

    Download SDFix and save it to your Desktop.

    http://downloads.andymanchesta.com/R...ools/SDFix.exe


    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :

    * Restart your computer
    * After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    * Instead of Windows loading as normal, the Advanced Options Menu should appear;
    * Select the first option, to run Windows in Safe Mode, then press Enter.
    * Choose your usual account.

    * Open the extracted SDFix folder and double click RunThis.bat to start the script.
    * Type Y to begin the cleanup process.
    * It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    * Press any Key and it will restart the PC.
    * When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    * Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    * Finally paste the contents of the Report.txt back on the forum

    last:
    Download combofix from one of these links and save it to your Desktop:

    http://subs.geekstogo.com/ComboFix.exe
    http://download.bleepingcomputer.com/sUBs/ComboFix.exe

    double click on combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
    Please post the "C:\ComboFix.txt"

    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze.


    Post the SDFix log, the ComboFix log and a new HJT log please.
    How Can I Reduce My Risk?
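The two entries singled out above (winspool.exe under system32\ASKS~1 and n?tdde.exe under system32\?ssembly) stand out in the HijackThis log for reasons a reviewer can check mechanically: they autostart from the SYSTEM and Default user hives, the folder names contain characters HijackThis could not render (printed as "?", and shown by SDFix later as a lookalike character), and one lives in an 8.3 short-name subdirectory directly beneath system32. The script below is an added example, not part of this thread or of HijackThis: it parses O4 lines (the sample input is copied from the first post's log and embedded as constructed data) and reports the entries that carry at least one of those indicators. The function names and the three heuristics are this example's own assumptions, not HijackThis features.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: O4 lines copied from the HijackThis log in the first post.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Notn] "C:\WINDOWS\system32\ASKS~1\winspool.exe" -vt yazb (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Fowiv] C:\WINDOWS\system32\?ssembly\n?tdde.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Notn] "C:\WINDOWS\system32\ASKS~1\winspool.exe" -vt yazb (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Norton Personal Firewall.lnk = C:\Program Files\Norton Personal Firewall\nisfirst.exe
"""

# Registry Run/RunOnce entries: "O4 - <hive>\..\Run: [<name>] <command> (User '<user>')"
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run(?:Once)?): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# Startup-folder entries: "O4 - [Global ]Startup: <shortcut> = <command>"
STARTUP_RE = re.compile(
    r"^O4 - (?P<hive>(?:Global )?Startup): (?P<name>.*?) = (?P<cmd>.*?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$"
)
# An 8.3 short name used as a directory directly beneath system32 (e.g. ASKS~1)
SHORTNAME_UNDER_SYSTEM32 = re.compile(r"\\system32\\[^\\]*~\d+\\", re.I)


@dataclass
class Autorun:
    hive: str
    name: str
    path: str
    user: Optional[str]
    reasons: List[str] = field(default_factory=list)


def extract_path(cmd: str) -> str:
    """Return the executable path from a command line: the shortest prefix ending in .exe."""
    m = re.match(r'"?(.*?\.exe)', cmd, re.I)
    return m.group(1) if m else cmd.strip('"')


def parse_o4(line: str) -> Optional[Autorun]:
    """Parse one HijackThis O4 line; return None for formats this parser does not cover."""
    m = RUN_RE.match(line) or STARTUP_RE.match(line)
    if not m:
        return None
    return Autorun(m["hive"], m["name"], extract_path(m["cmd"]), m["user"])


def assess(entry: Autorun) -> Autorun:
    """Attach the indicators (this example's heuristics) that make an autorun worth a closer look."""
    if entry.user in ("SYSTEM", "Default user"):
        entry.reasons.append("runs from the SYSTEM or Default user hive")
    if "?" in entry.path or any(ord(c) > 0x7E for c in entry.path):
        entry.reasons.append("path has characters the log could not render (lookalike folder name)")
    if SHORTNAME_UNDER_SYSTEM32.search(entry.path):
        entry.reasons.append("8.3 short-name subdirectory beneath system32")
    return entry


def triage(log_text: str) -> List[Autorun]:
    """Parse every O4 line and return only the entries that carry at least one indicator."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_o4(line.strip())
        if entry is not None and assess(entry).reasons:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_O4_LINES):
        print(f"[{e.name}] {e.path} (user={e.user})")
        for r in e.reasons:
            print("    -", r)
```

Run against the sample, the script reports the three SYSTEM/Default user entries and nothing else; the legitimate `C:\PROGRA~1\...` entries are not flagged because the short-name check only fires for a directory directly beneath system32. Treat the output as a shortlist for a human reviewer, as the helper does here, not as a verdict.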

  3. #3
    Member
    Join Date
    Apr 2008
    Posts
    47

    Default

    Hi, here are the logs

    ComboFix 08-07-15.4 - Owner 2008-07-17 23:00:11.6 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.128 [GMT -5:00]
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\bestwiner.stt
    C:\WINDOWS\mrofinu1001186.exe
    C:\WINDOWS\system32\asks~1
    C:\WINDOWS\system32\asks~1\?asks\
    C:\WINDOWS\system32\asks~1\winspool.exe
    C:\WINDOWS\system32\ssembl~1
    C:\WINDOWS\system32\ssembl~1\n?tdde.exe

    .
    ((((((((((((((((((((((((( Files Created from 2008-06-18 to 2008-07-18 )))))))))))))))))))))))))))))))
    .

    2008-07-17 21:05 . 2008-07-17 21:05 <DIR> d-------- C:\WINDOWS\ERUNT
    2008-07-17 20:53 . 2008-07-17 22:38 <DIR> d-------- C:\SDFix
    2008-07-16 01:37 . 2008-07-17 04:38 <DIR> d-------- C:\WINDOWS\system32\Adobe
    2008-07-16 01:37 . 2008-07-16 01:37 681 --a------ C:\WINDOWS\mozver.dat
    2008-07-14 20:44 . 2008-07-14 20:44 <DIR> d-------- C:\Nexon
    2008-07-09 02:50 . 2008-07-09 02:50 <DIR> d-------- C:\Soldat
    2008-07-09 00:59 . 2008-07-09 16:59 <DIR> d-------- C:\61500bf871beb28f8e7c
    2008-07-07 11:49 . 2008-07-07 11:49 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Yahoo!
    2008-06-29 22:04 . 2008-06-29 22:06 <DIR> d-------- C:\Program Files\QuickTime
    2008-06-29 22:04 . 2008-06-29 22:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
    2008-06-29 22:03 . 2008-06-29 22:03 <DIR> d-------- C:\Program Files\Apple Software Update
    2008-06-29 22:03 . 2008-06-29 22:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
    2008-06-20 12:41 . 2008-06-20 12:41 245,248 -----c--- C:\WINDOWS\system32\dllcache\mswsock.dll
    2008-06-20 05:44 . 2008-06-20 05:44 138,368 -----c--- C:\WINDOWS\system32\dllcache\afd.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-07-18 04:03 --------- d-----w C:\Documents and Settings\Owner\Application Data\Skype
    2008-07-18 03:41 --------- d-----w C:\Documents and Settings\Owner\Application Data\skypePM
    2008-07-16 06:33 --------- d-----w C:\Program Files\WildTangent
    2008-07-15 09:56 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-07-15 09:55 --------- d-----w C:\Program Files\SpywareBlaster
    2008-07-15 09:46 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
    2008-07-07 22:35 34,296 ----a-w C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-07-07 22:35 17,144 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
    2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
    2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
    2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
    2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
    2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-13 09:17 --------- d-----w C:\Documents and Settings\Owner\Application Data\Winamp
    2008-06-05 19:13 --------- d-----w C:\Program Files\SpywareGuard
    2008-06-05 19:12 410,976 ----a-w C:\WINDOWS\system32\deploytk.dll
    2008-06-05 19:12 --------- d-----w C:\Program Files\Java
    2008-06-05 10:17 --------- d-----w C:\Program Files\Trend Micro
    2008-06-03 21:01 --------- d-----w C:\Program Files\Gravity
    2008-06-03 04:01 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
    2008-06-03 03:54 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-05-29 08:26 --------- d-----w C:\Program Files\CCleaner
    2008-05-29 00:22 --------- d-----w C:\Documents and Settings\Owner\Application Data\Hamachi
    2008-05-27 16:54 --------- d-----w C:\Program Files\Norton AntiVirus
    2008-05-27 15:22 --------- d-----w C:\Program Files\eMule
    2008-05-27 15:16 83,968 ----a-w C:\WINDOWS\ST6UNST.EXE
    2008-05-27 15:16 327,680 ------w C:\WINDOWS\Setup1.exe
    2008-05-27 15:02 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-05-22 22:19 --------- d-----w C:\Program Files\Easy Internet signup
    2008-05-13 01:53 536,576 ----a-w C:\WINDOWS\system32\DivXsm.exe
    2008-05-13 01:53 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
    2008-05-13 01:53 129,784 ------w C:\WINDOWS\system32\pxafs.dll
    2008-05-13 01:53 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
    2008-05-13 01:53 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
    2008-05-13 01:51 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
    2008-05-13 01:51 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
    2008-05-13 01:49 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
    2008-05-13 01:49 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
    2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
    2008-04-23 11:40 0 ----a-r C:\logwmemory.bin
    2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-04-23 00:21 3,884 ----a-w C:\WINDOWS\viassary-hp.reg
    .

    ------- Sigcheck -------

    2007-06-13 05:23 1043968 e0bac3578bf00d709751666fb82c6b3d C:\WINDOWS\explorer.exe
    2007-06-13 06:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
    2002-08-29 07:00 1004032 a82b28bfc2e4455fe43022a498c0ef0a C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
    2004-08-04 02:56 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\ServicePackFiles\i386\explorer.exe
    2007-06-13 05:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\system32\dllcache\explorer.exe

    2002-08-29 07:00 24064 a4d95ca3f0dcd164e7849d9e79adc59b C:\WINDOWS\$NtServicePackUninstall$\ctfmon.exe
    2004-08-04 02:56 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\ServicePackFiles\i386\ctfmon.exe
    2004-08-04 02:56 26112 4f57bfe915f0f2245a342ce9d2e49c96 C:\WINDOWS\system32\ctfmon.exe

    2005-06-10 18:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f C:\WINDOWS\$hf_mig$\KB896423\SP2GDR\spoolsv.exe
    2005-06-10 19:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
    2005-06-10 18:55 53248 6b4bf97957a0b8795811975d4bf1acfe C:\WINDOWS\$NtServicePackUninstall$\spoolsv.exe
    2004-08-04 02:56 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\ServicePackFiles\i386\spoolsv.exe
    2005-06-10 18:53 101376 4b9be205019a2350bd311e3e51ad444e C:\WINDOWS\system32\spoolsv.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 19:43 4670704]
    "MSMSGS"="C:\Program Files\Messenger\MSMSGS.EXE" [2004-10-13 11:24 1737728]
    "Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-03-25 15:21 50528]
    "Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-05-30 15:54 21718312]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 26112]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04 129024]
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-02 11:59 139264]
    "HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-05-23 04:55 495616]
    "KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 22:02 73728]
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 10:01 122880]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-10-10 23:58 196653]
    "AutoTKit"="C:\hp\bin\AUTOTKIT.EXE" [2003-06-18 21:19 201260]
    "Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 23:42 258048]
    "ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-05-30 09:10 70816]
    "PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 18:57 192512]
    "Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2003-08-14 22:11 151552]
    "mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2003-07-23 18:37 65536]
    "UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2008-03-01 00:10 124928]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-02 12:03 167936]
    "ccRegVfy"="c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-11-14 19:29 59072]
    "WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-04-01 13:49 145408]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2008-06-05 14:12 136600]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 458752]
    "runner1"="C:\WINDOWS\mrofinu1001186.exe" [2008-07-17 23:04 41984]
    "LTMSG"="LTMSG.exe" [2003-07-14 19:52 86016 C:\WINDOWS\ltmsg.exe]
    "AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 15:47 69632 C:\WINDOWS\ALCXMNTR.EXE]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Fowiv"="C:\WINDOWS\system32\?ssembly\n?tdde.exe" [?]

    C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
    Delta AutoLoad.lnk - C:\Documents and Settings\Owner\Desktop\Gaming Stuffs\Delta\delta.exe [2005-05-22 16:43:52 514048]
    spamsubtract.lnk - C:\Program Files\interMute\SpamSubtract\SpamSub.exe [2003-10-14 00:24:52 667648]
    SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 22:05:35 438272]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 10:20:40 344064]
    Norton Personal Firewall.lnk - C:\Program Files\Norton Personal Firewall\nisfirst.exe [2002-11-15 12:48:14 644744]
    Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2003-07-30 06:49:48 167936]
    Updates from HP.lnk - C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe [2003-10-11 00:26:40 16384]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\eMule\\emule.exe"=
    "C:\\Program Files\\BitLord\\BitLord.exe"=
    "C:\\Program Files\\AIM6\\aim6.exe"=
    "C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"=
    "C:\\Soldat\\Soldat.exe"=
    "C:\\Program Files\\Skype\\Phone\\Skype.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    R2 JavaQuickStarterService;Java Quick Starter;C:\Program Files\Java\jre6\bin\jqs.exe [2008-06-05 14:12]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 16:38]
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-07-18 03:09:30 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-07-05 01:00:01 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
    - c:\PROGRA~1\NORTON~1\Navw32.exeh/task:
    "2008-04-25 06:29:47 C:\WINDOWS\Tasks\Symantec NetDetect.job"
    - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-HPHUPD05 - c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    HKLM-Run-VTTimer - VTTimer.exe
    HKU-Default-Run-Notn - C:\WINDOWS\system32\ASKS~1\winspool.exe


    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-17 23:03:18
    Windows 5.1.2600 Service Pack 2 NTFS

    detected NTDLL code modification:
    ZwOpenFile

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-07-17 23:05:46
    ComboFix-quarantined-files.txt 2008-07-18 04:05:38

    Pre-Run: 52,566,118,400 bytes free
    Post-Run: 52,568,064,000 bytes free

    181 --- E O F --- 2008-07-10 08:07:30


    SDFix: Version 1.206
    Run by Owner on 2008-07-17 at 21:14

    Microsoft Windows XP [Version 5.1.2600]
    Running From: C:\SDFix

    Checking Services :


    Restoring Default Security Values
    Restoring Default Hosts File

    Rebooting


    Checking Files :

    Trojan Files Found:

    C:\WINDOWS\SYSTEM32\IALMCOIN.DLL - Deleted





    Removing Temp Files

    ADS Check :



    Final Check :

    catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-17 22:35:17
    Windows 5.1.2600 Service Pack 2 NTFS

    detected NTDLL code modification:
    ZwOpenFile

    scanning hidden processes ...

    scanning hidden services & system hive ...

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services :




    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Enabled:eMule"
    "C:\\Program Files\\BitLord\\BitLord.exe"="C:\\Program Files\\BitLord\\BitLord.exe:*:Enabled:BitLord"
    "C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
    "C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"="C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe:*:Enabled:BackWeb-137903"
    "C:\\Soldat\\Soldat.exe"="C:\\Soldat\\Soldat.exe:*:Enabled:Soldat"
    "C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

    Remaining Files :


    File Backups: - C:\SDFix\backups\backups.zip

    Files with Hidden Attributes :

    Tue 22 Apr 2008 196 A.SHR --- "C:\BOOT.BAK"
    Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
    Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
    Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
    Wed 30 Apr 2008 95 A..H. --- "C:\Program Files\InterActual\InterActual Player\itiF0.tmp"
    Mon 7 Jul 2008 115,200 ..SHR --- "C:\WINDOWS\system32\蓷sks\winspool.exe"
    Thu 29 May 2008 244,736 ..SHR --- "C:\WINDOWS\system32\?ssembly\n?tdde.exe"
    Tue 6 May 2008 1,740 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg.reg"
    Tue 6 May 2008 226,126 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient.reg"
    Tue 6 May 2008 154,774 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\IAM.reg"
    Thu 17 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\BIT3.tmp"

    Finished!



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 03:36, on 2008-07-18
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\17PHolmes1001186.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    C:\Program Files\interMute\SpamSubtract\SpamSub.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\WINDOWS\17PHolmes1001186.exe
    C:\Program Files\Common Files\AOL\Loader\aolload.exe
    C:\WINDOWS\17PHolmes1001186.exe
    C:\WINDOWS\17PHolmes1001186.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - URLSearchHook: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [Fowiv] C:\WINDOWS\system32\?ssembly\n?tdde.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Fowiv] C:\WINDOWS\system32\?ssembly\n?tdde.exe (User 'Default user')
    O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
    O4 - Startup: Delta AutoLoad.lnk = C:\Documents and Settings\Owner\Desktop\Gaming Stuffs\Delta\delta.exe
    O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Norton Personal Firewall.lnk = C:\Program Files\Norton Personal Firewall\nisfirst.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O15 - Trusted Zone: http://support.f-secure.com
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1208915641656
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1208916465093
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 8647 bytes

  4. #4
    Member
    Join Date
    Apr 2008
    Posts
    47

    Default

    Sorry for making another post, but this is what the gameguard anti-virus thing is picking up

    Virus/W32.Virut.E C:\Windows\explorer.exe
    Virus/W32.Virut.D C:\Windows\system32\spoolsv.exe
    Virus/W32.Virut.D C:\Maplestory\maplestory.exe
    Virus/W32.Virut.E C:\Windows\system32\ctfmon.exe

  5. #5
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    hi slash_tbh,

no problem. those four items are all ok and in their correct directory. it's possible they may have a virus or be a false positive. after you use hjt i would do an online scan (below) for another opinion.

we will use hjt:

start HJT, click the "Scan" button. check the items below, close any open windows, then click "Fix checked"

    O4 - HKUS\S-1-5-18\..\Run: [Fowiv] C:\WINDOWS\system32\?ssembly\n?tdde.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Fowiv] C:\WINDOWS\system32\?ssembly\n?tdde.exe (User 'Default user')
    --------------------------------
    online scan:
    ESET online scanner:

    http://www.eset.com/onlinescan/

    uses Internet Explorer only
    check "YES" to accept terms
    click start button
    allow the ActiveX component to install
    click the start button. the Scanner will update.
    check both "Remove found threats" and "Scan unwanted applications"
    click scan
when done you can find the scan log at: C:\Program Files\EsetOnlineScanner\log.txt
    please copy/paste that log in next reply.
    How Can I Reduce My Risk?
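The two [Fowiv] entries singled out above are the only O4 lines in the log whose path HijackThis could not fully render (the "?" characters) and which autorun under the SYSTEM and Default user hives rather than the logged-in user's. The Python below is an added example, not part of this thread and not HijackThis code: it applies those two checks, plus a note on bare filenames and on the O10 Winsock entry, to O4/O10 lines copied from the log above. The heuristics, function names and reason strings are my own.

```python
from __future__ import annotations
import re

# Constructed sample input: O4/O10 lines copied from the HijackThis log in
# this thread (backslashes doubled for Python). Nothing here is invented.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [hpsysdrv] c:\\windows\\system\\hpsysdrv.exe
O4 - HKLM\\..\\Run: [LTMSG] LTMSG.exe 7
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKUS\\S-1-5-18\\..\\Run: [Fowiv] C:\\WINDOWS\\system32\\?ssembly\\n?tdde.exe (User 'SYSTEM')
O4 - HKUS\\.DEFAULT\\..\\Run: [Fowiv] C:\\WINDOWS\\system32\\?ssembly\\n?tdde.exe (User 'Default user')
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\nwprovau.dll
"""

# "O4 - <hive>\..\Run: [<name>] <command> (User '<user>')", user part optional.
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$"
)

# A command that starts with an (optionally quoted) drive letter names an
# absolute location; anything else is resolved through the PATH search.
ABS_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')


def triage_o4(line: str) -> list[str]:
    """Return the heuristic reasons an O4 autorun entry deserves a closer look."""
    m = O4_RE.match(line)
    if not m:
        return []
    hive, cmd = m.group("hive"), m.group("cmd")
    reasons: list[str] = []
    if "?" in cmd:
        # HijackThis prints '?' for a character it cannot render in the
        # current code page; genuine system paths do not contain such names.
        reasons.append("path contains an unrenderable character ('?')")
    if hive.startswith("HKUS\\"):
        # Run keys of SYSTEM / the default profile fire without a user logon.
        reasons.append(f"autorun under a non-interactive profile ({hive})")
    if not ABS_PATH_RE.match(cmd):
        reasons.append("bare filename, resolved through PATH; verify location")
    return reasons


def triage_log(text: str) -> dict[str, list[str]]:
    """Map each log line that raises a heuristic to its reasons; clean lines are omitted."""
    findings: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("O4 - "):
            reasons = triage_o4(line)
        elif line.startswith("O10 - Unknown file in Winsock LSP:"):
            reasons = ["unrecognised Winsock LSP module; confirm its publisher before removing"]
        else:
            reasons = []
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG).items():
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

Run it against a saved HijackThis log by reading the file into `triage_log`; the two [Fowiv] lines come back with both the unrenderable-character and the non-interactive-profile reasons, [LTMSG] is only noted for its bare filename, and the hpsysdrv and ctfmon entries raise nothing, which matches the helper's selection above. The output is a prompt for a second opinion (the online scan suggested above), not a verdict.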

  6. #6
    Member
    Join Date
    Apr 2008
    Posts
    47

    Default

i did the first thing you told me to do with hjt, but the online scanner isn't working for me. when prompted to install it, i clicked install, then i would get an [X] and it wouldn't continue.

  7. #7
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    hi,

ok we can try another one. that game guard that's flagging these viruses, was the antivirus with that optional to install, or did it automatically come with and get installed with game guard?

    Panda ActiveScan

    http://www.pandasoftware.com/products/activescan.htm

    * Once you are on the Panda site click the Scan your PC button
    * A new window will open...click the Check Now button
    * Enter your Country
    * Enter your State/Province
    * Enter your e-mail address and click send (use a fake e-mail)
    * Select either Home User or Company
    * Click the big Scan Now button
    * If it wants to install an ActiveX component allow it
    * It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    * When download is complete, click on My Computer to start the scan
    * When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

  8. #8
    Member
    Join Date
    Apr 2008
    Posts
    47

    Default

The txt file is too large to post up on here. is there somewhere i can upload the file to?

  9. #9
    Member
    Join Date
    Apr 2008
    Posts
    47

    Default

And sorry, the Gameguard is not an optional thing, it's an anti-hacking device

  10. #10
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    hi,

    thanks for the info.
    can you break up the panda scan in to several posts?

i was asking if the gameguard antivirus component itself could be turned off. like is that part optional to disable? seems strange that a rootkit-like component, gameguard (an anti-hacking/reverse-engineering app), would have an antivirus built in to it.

is gameguard still flagging those .exe?
isn't this:
\Maplestory\maplestory.exe
the game it's "protecting"?
