Can't get rid of virus


Recommended Posts

I have windows xp. When I run spyware doctor, it keeps showing virus.DOS.agent. I've tried downloading the new version of Norton but the virus must have done something to my plug and play because it won't download. I've also noticed something about svchost.exe during the scans.

 

I've just tried running a test but it wouldn't let me finish.

 

Any help would be greatly appreciated.

 

I was told to download HijackThis, copy and paste and this is what I got.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:23:11 AM, on 10/4/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Spyware Doctor\pctsAuxs.exe

C:\Program Files\Spyware Doctor\pctsSvc.exe

C:\WINDOWS\system32\VTTimer.exe

C:\Program Files\Spyware Doctor\pctsTray.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\WINDOWS\faceback.exe

C:\WINDOWS\system32\Rundll32.exe

C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Fantastic Flame Screensaver\FantasticFlameAgent.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Spyware Doctor\pctsGui.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"

O4 - HKLM\..\Run: [NAV] "C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\WCX1SG0S\NAV09EN[1].exe" /RELAUNCH /RUNONCE

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [runner1] C:\WINDOWS\faceback.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [bMcf5ae155] Rundll32.exe "C:\WINDOWS\system32\ommsqdrw.dll",s

O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [VnrBlock21] "C:\Program Files\VnrBlock\VnrBlock21.exe"

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [GetModule23] "C:\Program Files\GetModule\GetModule23.exe"

O4 - HKUS\S-1-5-21-1482476501-1972579041-839522115-1003\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe" (User '?')

O4 - HKUS\S-1-5-21-1482476501-1972579041-839522115-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')

O4 - HKUS\S-1-5-21-1482476501-1972579041-839522115-1003\..\Run: [VnrBlock21] "C:\Program Files\VnrBlock\VnrBlock21.exe" (User '?')

O4 - HKUS\S-1-5-21-1482476501-1972579041-839522115-1003\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')

O4 - HKUS\S-1-5-21-1482476501-1972579041-839522115-1003\..\Run: [GetModule23] "C:\Program Files\GetModule\GetModule23.exe" (User '?')

O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')

O4 - HKUS\S-1-5-18\..\Run: [ADriver] (User '?')

O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')

O4 - Global Startup: Fantastic Flame Agent.lnk = C:\Program Files\Fantastic Flame Screensaver\FantasticFlameAgent.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://www.download.com

O15 - Trusted Zone: *.download.com

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...etup1.0.1.0.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1159208668211

O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O20 - Winlogon Notify: khfFWPji - khfFWPji.dll (file missing)

O21 - SSODL: FfeHphnL - {CC69D267-66C3-78CD-29CD-667EAFCAEC05} - (no file)

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

 

--

End of file - 8966 bytes


Instructions posted for this user are customized for this user only. The tools used may cause damage if used on a computer with different infections. If you think you have similar problems, please post a HJT log and start a new topic.

 

 

Welcome

 

This log is crawling all over the place with creepy crawlie thingies.....

 

Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

 

Link 1

Link 2

Link 3

 

 

**Note: It is important that it is saved directly to your desktop**

 

--------------------------------------------------------------------

 

1. Close any open browsers.

 

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

It is important to disable your security software because it can prevent this tool from running correctly.

--------------------------------------------------------------------

 

Double click on ComboFix.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log for further review.
Note:

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


ComboFix 08-10-04.01 - Admin 2008-10-04 12:45:50.1 - NTFSx86

 

Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Documents and Settings\Admin\Application Data\rhca70j0ej77

C:\Program Files\GetModule

C:\Program Files\GetModule\dicik.gz

C:\Program Files\GetModule\kwdik.gz

C:\Program Files\GetModule\ozadik.gz

C:\Program Files\iCheck

C:\Program Files\iCheck\iCheck.exe

C:\Program Files\iCheck\Uninstall.exe

C:\Program Files\VnrBlock

C:\Program Files\VnrBlock\VnrBlock21.exe

C:\Program Files\VnrBlock\xoffdic.gz

C:\WINDOWS\b103.exe

C:\WINDOWS\b104.exe

C:\WINDOWS\b157.exe

C:\WINDOWS\b161.exe

C:\WINDOWS\BMcf5ae155.txt

C:\WINDOWS\BMcf5ae155.xml

C:\WINDOWS\Downloaded Program Files\setup.inf

C:\WINDOWS\faceback.exe

C:\WINDOWS\pskt.ini

C:\WINDOWS\system32\asks~1

C:\WINDOWS\system32\asks~1\?asks\

C:\WINDOWS\system32\asks~1\rundll32.exe

C:\WINDOWS\system32\ctlxseuk.ini

C:\WINDOWS\system32\geBqNGww.dll

C:\WINDOWS\system32\lphce70j0ej77.exe

C:\WINDOWS\system32\mbols~1

C:\WINDOWS\system32\mbols~1\?pool32.exe

C:\WINDOWS\system32\Mloqttwa.ini

C:\WINDOWS\system32\rvofndxi.ini

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_MCHINJDRV

 

 

((((((((((((((((((((((((( Files Created from 2008-09-04 to 2008-10-04 )))))))))))))))))))))))))))))))

.

 

2008-10-04 12:51 . 2008-10-04 12:51 22 --a------ C:\WINDOWS\pskt.ini

2008-10-04 12:51 . 2008-10-04 12:52 0 --a------ C:\WINDOWS\BMcf5ae155.xml

2008-10-04 11:54 . 2008-10-04 11:54 396 --a------ C:\WINDOWS\system32\ikhcore.cfg

2008-10-04 10:21 . 2008-10-04 10:21 <DIR> d-------- C:\Program Files\Trend Micro

2008-10-03 13:06 . 2008-10-03 13:06 <DIR> d-------- C:\Program Files\NortonInstaller

2008-10-03 13:06 . 2008-10-03 13:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NortonInstaller

2008-10-02 14:41 . 2008-10-02 14:41 <DIR> d-------- C:\Program Files\HP

2008-09-29 17:36 . 2008-09-29 17:36 <DIR> d-------- C:\Program Files\Webtools

2008-09-29 17:36 . 2008-09-29 17:36 <DIR> d-------- C:\Program Files\Twain

2008-09-29 17:22 . 2008-09-29 17:22 123,904 --a------ C:\WINDOWS\system32\srfigjjv.dll

2008-09-29 17:22 . 2008-09-29 17:22 101,888 --a------ C:\WINDOWS\system32\ommsqdrw.dll

2008-09-29 00:24 . 2008-09-29 00:24 1,977 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico

2008-09-29 00:18 . 2008-09-29 00:18 1,977 --a------ C:\WINDOWS\system32\Jamster.ico

2008-09-28 17:02 . 2008-09-28 17:02 128,000 --a------ C:\WINDOWS\system32\pbhqfl.dll

2008-09-28 17:02 . 2008-09-28 17:02 128,000 --a------ C:\WINDOWS\system32\drrxopvf.dll

2008-09-28 17:01 . 2008-09-28 17:01 105,984 --a------ C:\WINDOWS\system32\gqxehpkq.dll

2008-09-28 17:01 . 2008-09-28 17:01 71,168 --a------ C:\WINDOWS\system32\kuesxltc.dll

2008-09-28 16:59 . 2008-09-30 13:41 878,932 --ahs---- C:\WINDOWS\system32\Mloqttwa.ini2

2008-09-28 16:55 . 2008-10-01 17:37 <DIR> d-------- C:\Program Files\OINAnalytics

2008-09-28 16:54 . 2008-09-28 16:54 3,072 --a------ C:\Documents and Settings\Admin\~.exe

2008-09-27 14:08 . 2008-09-28 16:15 54,156 --ah----- C:\WINDOWS\QTFont.qfn

2008-09-27 14:08 . 2008-09-27 14:08 1,409 --a------ C:\WINDOWS\QTFont.for

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-10-04 16:44 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP

2008-10-04 16:44 --------- d-----w C:\Program Files\Spyware Doctor

2008-10-01 21:28 --------- d-----w C:\Program Files\TuneUp Utilities 2007

2008-09-29 21:36 --------- d-----w C:\Program Files\Common Files\Adobe

2008-09-29 04:00 --------- d-----w C:\Documents and Settings\Admin\Application Data\AdobeUM

2008-09-28 22:50 --------- d-----w C:\Documents and Settings\Admin\Application Data\MP3Rocket

2008-09-25 17:32 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2008-09-15 18:40 --------- d-----w C:\Program Files\MP3 Rocket

2008-09-14 22:37 --------- d-----w C:\Program Files\Java

2008-08-14 21:43 160,792 ----a-w C:\WINDOWS\system32\drivers\pctfw2.sys

2008-08-14 17:41 --------- d-----w C:\Program Files\Common Files\PC Tools

2008-08-14 17:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Tools

2008-07-03 20:43 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008070320080704\index.dat

.

 

------- Sigcheck -------

 

2001-08-23 08:00 12800 0f7d9c87b0ce1fa520473119752c6f79 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe

2004-08-04 03:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\ServicePackFiles\i386\svchost.exe

2008-04-13 20:12 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\svchost.exe

2004-08-04 03:56 17408 68c3b8be818b5147a91fcd319f95d39a C:\WINDOWS\system32\svchost.exe

 

2001-08-23 08:00 430080 2b0e480e975ee51f2d5ce5f068fed6e2 C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe

2004-08-04 03:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\ServicePackFiles\i386\winlogon.exe

2008-04-13 20:12 507904 ed0ef0a136dec83df69f04118870003e C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe

2004-08-04 03:56 506368 1d0ea457a836e29e92280cd2d438aca0 C:\WINDOWS\system32\winlogon.exe

 

2001-08-23 08:00 101376 e3df4a0252d287c44606ee55355e1623 C:\WINDOWS\$NtServicePackUninstall$\services.exe

2004-08-04 03:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\ServicePackFiles\i386\services.exe

2008-04-13 20:12 108544 0e776ed5f7cc9f94299e70461b7b8185 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\services.exe

2004-08-04 03:56 110592 a417db84f6dc93edb375c100fbb23fb8 C:\WINDOWS\system32\services.exe

 

2001-08-23 08:00 11776 8a590ea109b5e0c7629e022f8a6b17c5 C:\WINDOWS\$NtServicePackUninstall$\lsass.exe

2004-08-04 03:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\ServicePackFiles\i386\lsass.exe

2008-04-13 20:12 13312 bf2466b3e18e970d8a976fb95fc1ca85 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\lsass.exe

2004-08-04 03:56 14848 be00d99c6391800a645ccc664e3434e3 C:\WINDOWS\system32\lsass.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DW6"="C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2008-06-10 785520]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-19 68856]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 413696]

"BMcf5ae155"="C:\WINDOWS\system32\ommsqdrw.dll" [2008-09-29 101888]

"VTTimer"="VTTimer.exe" [2005-03-08 C:\WINDOWS\system32\VTTimer.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-19 68856]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Fantastic Flame Agent.lnk - C:\Program Files\Fantastic Flame Screensaver\FantasticFlameAgent.exe [2006-10-14 25600]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"

"Unshare"=C:\Program Files\safe-share\SafeShare.exe

"NAV CfgWiz"="C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

"lphce70j0ej77"=C:\WINDOWS\system32\lphce70j0ej77.exe

"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe"

"inrhca70j0ej77"=C:\Documents and Settings\Admin\Local Settings\Temp\.tt124.tmp.exe /CR=0B9EF0ACFB8FBFDD4B2DD86928DB01F7816DE22E84EA709F3134CC9F1F3C7240F4392A5CF870EE1F5335EC209A2904959D127EB903E38B19812B61E9F4595B1C41FCAC485FEEAED07B83CCA01B60D321AB

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\Safe-Share\\giFT\\giFTl.exe"=

"C:\\Program Files\\Safe-Share\\Safe-Share.exe"=

"C:\\Program Files\\MP3 Rocket\\MP3Rocket.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=

"C:\\Program Files\\iTunes\\iTunes.exe"=

"C:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=

 

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

UxTuneUp

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]

\Shell\AutoRun\command - H:\setup.exe

.

Contents of the 'Scheduled Tasks' folder

 

2008-08-30 C:\WINDOWS\Tasks\1-Click Maintenance.job

- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe [2007-08-02 19:35]

 

2008-07-23 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

 

2008-07-19 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Admin.job

- C:\PROGRA~1\NORTON~1\Navw32.exe [2004-08-18 03:44]

 

2008-09-29 C:\WINDOWS\Tasks\Symantec NetDetect.job

- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2004-07-19 17:26]

.

- - - - ORPHANS REMOVED - - - -

 

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)

HKCU-Run-VnrBlock21 - C:\Program Files\VnrBlock\VnrBlock21.exe

HKCU-Run-GetModule23 - C:\Program Files\GetModule\GetModule23.exe

HKLM-Run-NAV - C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\WCX1SG0S\NAV09EN[1].exe

HKU-Default-Run-DriverLoad - (no file)

HKU-Default-Run-DriverCheck - (no file)

HKU-Default-Run-SystemDriverLoad - (no file)

HKU-Default-Run-SystemDriver - (no file)

HKU-Default-Run-FDriver - (no file)

HKU-Default-Run-ADriver - (no file)

SSODL-FfeHphnL-{CC69D267-66C3-78CD-29CD-667EAFCAEC05} - (no file)

Notify-khfFWPji - khfFWPji.dll

 

 

.

------- Supplementary Scan -------

.

R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore

R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s

O15 -: Trusted Zone: *.download.com

 

O16 -: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

.

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-10-04 12:51:12

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

 

C:\WINDOWS\BMcf5ae155.txt 133 bytes

C:\WINDOWS\BMcf5ae155.xml 0 bytes

C:\WINDOWS\pskt.ini 22 bytes

 

scan completed successfully

hidden files: 3

 

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

PROCESS: C:\WINDOWS\explorer.exe

-> C:\WINDOWS\system32\ommsqdrw.dll

.

------------------------ Other Running Processes ------------------------

.

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

C:\WINDOWS\system32\rundll32.exe

.

**************************************************************************

.

Completion time: 2008-10-04 12:59:07 - machine was rebooted

ComboFix-quarantined-files.txt 2008-10-04 16:59:00

 

Pre-Run: 93,281,501,184 bytes free

Post-Run: 93,779,513,344 bytes free

 

214 --- E O F --- 2008-09-14 19:57:15

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:01:48 PM, on 10/4/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\VTTimer.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\WINDOWS\system32\Rundll32.exe

C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Fantastic Flame Screensaver\FantasticFlameAgent.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [bMcf5ae155] Rundll32.exe "C:\WINDOWS\system32\ommsqdrw.dll",s

O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKUS\S-1-5-21-1482476501-1972579041-839522115-1003\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe" (User '?')

O4 - HKUS\S-1-5-21-1482476501-1972579041-839522115-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')

O4 - HKUS\S-1-5-21-1482476501-1972579041-839522115-1003\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')

O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')

O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')

O4 - Global Startup: Fantastic Flame Agent.lnk = C:\Program Files\Fantastic Flame Screensaver\FantasticFlameAgent.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://www.download.com

O15 - Trusted Zone: *.download.com

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1159208668211

O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

 

--

End of file - 7288 bytes

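A log like the one above is read entry by entry: the helper's fix list that follows singles out the O4 entry that uses rundll32 to load an oddly named DLL from system32, and the first log also showed an autorun pointing into Temporary Internet Files, a command line carrying a long hex blob, and O20/O21 hooks whose files are missing. As an added example (not part of this thread, and not a feature of HijackThis or ComboFix), here is a small Python triage script that encodes those reading rules over a handful of constructed sample lines copied from the log. The heuristics, thresholds and sample lines are my own assumptions; a hit means "look closer", not "malicious".

```python
"""Heuristic triage of HijackThis-style autostart entries (added example).

Assumptions: the O4/O20/O21 line formats shown in the thread, and a crude
"looks generated" test based on runs of consonants in a file name.
"""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample: lines taken from the log above plus two benign entries.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NAV] "C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\WCX1SG0S\NAV09EN[1].exe" /RELAUNCH /RUNONCE
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\faceback.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [bMcf5ae155] Rundll32.exe "C:\WINDOWS\system32\ommsqdrw.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: khfFWPji - khfFWPji.dll (file missing)
O21 - SSODL: FfeHphnL - {CC69D267-66C3-78CD-29CD-667EAFCAEC05} - (no file)
"""

O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O20 (Winlogon Notify) / O21 (SSODL) hooks whose target file no longer exists.
ORPHAN_RE = re.compile(r"^O2[01] - .*\((?:file missing|no file)\)\s*$")
HEX_BLOB_RE = re.compile(r"\b[0-9A-Fa-f]{32,}\b")
TEMP_DIR_RE = re.compile(r"\\(?:Temp|Temporary Internet Files)\\", re.IGNORECASE)
# Five or more consonants in a row: typical of generated names (ommsqdrw),
# rare in vendor names (jusched, ctfmon). Assumed threshold, not a standard.
CONSONANT_RUN_RE = re.compile(r"[b-df-hj-np-tv-z]{5,}", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reasons: list


def looks_random(filename: str) -> bool:
    """Crude check for a generated-looking file name (extension ignored)."""
    stem, _ = ntpath.splitext(filename)
    return CONSONANT_RUN_RE.search(stem) is not None


def split_command(cmd: str):
    """Return (program, remaining arguments) for a Run-key command line."""
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    if not m:
        return "", ""
    return (m.group(1) or m.group(2)), cmd[m.end():]


def triage_o4(cmd: str) -> list:
    """Reasons an O4 (Run key) command deserves a closer look; empty if none."""
    reasons = []
    target, rest = split_command(cmd)
    if TEMP_DIR_RE.search(cmd):
        reasons.append("launched from a Temp / Temporary Internet Files directory")
    if HEX_BLOB_RE.search(cmd):
        reasons.append("opaque hex blob passed as a command-line argument")
    if looks_random(ntpath.basename(target)):
        reasons.append("randomly named executable")
    if ntpath.basename(target).lower() == "rundll32.exe":
        m = re.search(r'"([^"]+\.dll)"|(\S+?\.dll)', rest, re.IGNORECASE)
        dll = (m.group(1) or m.group(2)) if m else ""
        if dll and looks_random(ntpath.basename(dll)):
            reasons.append("rundll32 loads a randomly named DLL: " + dll)
    return reasons


def triage(log_text: str) -> list:
    """Walk a HijackThis log and collect the entries worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            reasons = triage_o4(m.group("cmd"))
        elif ORPHAN_RE.match(line):
            reasons = ["autostart hook whose file is missing (orphaned entry)"]
        else:
            reasons = []
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

On the sample this flags the NAV autorun (Temporary Internet Files), the faceback.exe entry (hex blob argument), the bMcf5ae155 entry (rundll32 with ommsqdrw.dll) and both orphaned hooks, while leaving jusched.exe and ctfmon.exe alone. The consonant-run test is deliberately simple; real triage would add signature checks and a vendor allow-list rather than trust a name heuristic.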

Spyware Doctor's OnGuard protective functionality may interfere with certain HijackThis fixes we need to make. Please follow these instructions to disable it:

 

To deactivate Spyware Doctor's OnGuard Tools

1. From within Spyware Doctor, click the "OnGuard" button on the left side.

2. Uncheck "Activate OnGuard".

You can re-enable it once your system is clean.

Open HijackThis, click "Do a system scan only", and checkmark these. Then close all other windows and browsers except HijackThis and press "Fix checked".

 

O4 - HKLM\..\Run: [bMcf5ae155] Rundll32.exe "C:\WINDOWS\system32\ommsqdrw.dll",s

Go to Microsoft's website => http://support.microsoft.com/kb/310994 and select the download that's appropriate for your Operating System.

No Validation is required.

 

 

Download the file & save it as it's originally named, next to ComboFix.exe.

 

Posted Image

 

Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

  • At the next prompt, click 'NO' to run the full ComboFix scan.

 

 

 

 

 

 

NEXT**

Next: Disconnect from the internet. If you are on cable or DSL, unplug your computer from the modem.

Next: Please disable all onboard security programs (all running with background protection), as they may hinder the scanner from working.

This includes antivirus, firewall, and any spyware scanners that run in the background.

Click on this link Here to see a list of programs that should be disabled.

The list is not all-inclusive. If yours is not listed and you don't know how to disable it, please ask.

For this next step, please ensure that ComboFix.exe is on your desktop:

Open Notepad... click on Format... make sure Word Wrap is not selected.

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below. *Do not use WordPad!* or any other text editor than Notepad, or the script will fail.

Save this as "CFScript.txt" including quotes, change the "Save as type" to "All Files", and place it on your desktop.

KillAll::

 

File::

C:\WINDOWS\pskt.ini

C:\WINDOWS\BMcf5ae155.xml

C:\WINDOWS\system32\ikhcore.cfg

C:\WINDOWS\system32\srfigjjv.dll

C:\WINDOWS\system32\ommsqdrw.dll

C:\WINDOWS\system32\Jamster.ico

C:\WINDOWS\system32\pbhqfl.dll

C:\WINDOWS\system32\drrxopvf.dll

C:\WINDOWS\system32\gqxehpkq.dll

C:\WINDOWS\system32\kuesxltc.dll

C:\WINDOWS\system32\Mloqttwa.ini2

C:\Documents and Settings\Admin\~.exe

C:\WINDOWS\system32\lphce70j0ej77.exe

C:\Documents and Settings\Admin\Local Settings\Temp\.tt124.tmp.exe

 

Folder::

C:\Program Files\OINAnalytics

 

Registry::

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BMcf5ae155"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"lphce70j0ej77"=-

"inrhca70j0ej77"=-

Posted Image

 

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.

ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

NEXT**

I'd like for you to run this next online scan to check for remnants or anything that might be hidden.

The scan below can take up to an hour or longer, so please be patient.

*Note

It is recommended to disable onboard antivirus and antispyware programs while performing scans, so there are no conflicts and to speed up scan time.

Please don't go surfing while your resident protection is disabled!

Once the scan is finished, remember to re-enable resident antivirus protection along with whatever antispyware app you use.

 

Please do a scan with Kaspersky Online Scanner or from here

http://www.kaspersky.com/virusscanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

* Click on the Accept button and install any components it needs.

* The program will install and then begin downloading the latest definition files.

* After the files have been downloaded, on the left side of the page in the Scan section select My Computer.

* This will start the program and scan your system.

* The scan will take a while, so be patient and let it run. (At times it may appear to stall.)

* Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.

* Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.

* Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.

* Once the scan is complete, click on View scan report. To obtain the report:

Click on: Save Report As

Next, in the Save as prompt, Save in area, select: Desktop

In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select: Text file [*.txt]

Then, click: Save

Please post the Kaspersky Online Scanner Report in your reply.

 

Animated tutorial

http://i275.photobucket.com/albums/jj285/B...ng/KAS/KAS9.gif

(Note for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)

Or use Firefox with the IE Tab plugin

https://addons.mozilla.org/en-US/firefox/addon/1419

In your next reply post:

ComboFix.txt

Kaspersky log

New HJT log taken after the above scans have run

You may need several replies to post the requested logs, otherwise they might get cut off.

Also please update me on how the computer is at the moment.

Edited by Juliet
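The ComboFix.txt requested above ends with a Sigcheck section that lists the date, size and MD5 of core Windows binaries (svchost.exe, winlogon.exe, services.exe, lsass.exe) in system32 beside the protected copies in system32\dllcache and ServicePackFiles\i386. Reading that section is how a helper spots a patched system file before an antivirus names it. The following checker is an added example for this thread, not ComboFix's or the forum's own tooling: it parses Sigcheck-style lines and flags any live system32 binary whose size or hash matches none of its reference copies. The svchost.exe and winlogon.exe lines are copied from the ComboFix log posted later in this thread; the userinit.exe pair is constructed, with a placeholder hash, to show what a clean file looks like.

```python
"""Flag core Windows binaries whose live system32 copy disagrees with the
backup copies that ComboFix's Sigcheck section lists beside it.

Added example for this thread; not ComboFix's or the forum's own tooling.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Sigcheck lines in the format ComboFix prints: "date time size md5 path".
# svchost.exe / winlogon.exe lines: copied from the ComboFix log in this thread.
# userinit.exe lines: CONSTRUCTED, placeholder hash, to show a matching pair.
SIGCHECK_SAMPLE = r"""
2001-08-23 08:00 12800 0f7d9c87b0ce1fa520473119752c6f79 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
2004-08-04 03:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
2008-04-13 20:12 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\svchost.exe
2004-08-04 03:56 17408 68c3b8be818b5147a91fcd319f95d39a C:\WINDOWS\system32\svchost.exe
2004-08-04 03:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\dllcache\svchost.exe

2004-08-04 03:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2004-08-04 03:56 506368 1d0ea457a836e29e92280cd2d438aca0 C:\WINDOWS\system32\winlogon.exe
2004-08-04 03:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\dllcache\winlogon.exe

2004-08-04 03:56 24576 00000000000000000000000000000000 C:\WINDOWS\system32\userinit.exe
2004-08-04 03:56 24576 00000000000000000000000000000000 C:\WINDOWS\system32\dllcache\userinit.exe
"""

# One Sigcheck line: "YYYY-MM-DD HH:MM size md5 path"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\d+) ([0-9a-f]{32}) (.+)$")


@dataclass(frozen=True)
class Entry:
    stamp: str   # file timestamp as printed in the log
    size: int    # size in bytes
    md5: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def parent(self) -> str:
        return self.path.rsplit("\\", 1)[0].lower()


def parse_sigcheck(text: str) -> list:
    """Parse Sigcheck-style lines; lines that do not match the format are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return entries


def is_live(e: Entry) -> bool:
    """The copy Windows actually runs: directly under system32."""
    return e.parent.endswith("\\system32")


def is_reference(e: Entry) -> bool:
    """Backup copies kept for Windows File Protection and the service pack."""
    return (e.parent.endswith("\\system32\\dllcache")
            or e.parent.endswith("\\servicepackfiles\\i386"))


def find_mismatches(entries: list) -> dict:
    """For every binary with a live and a reference copy, record whether they agree."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e.name].append(e)
    report = {}
    for name, group in by_name.items():
        live = [e for e in group if is_live(e)]
        refs = [e for e in group if is_reference(e)]
        if not live or not refs:
            continue  # nothing to compare against
        live_copy = live[0]
        report[name] = {
            "live_size": live_copy.size,
            "live_md5": live_copy.md5,
            "reference_md5s": sorted({r.md5 for r in refs}),
            "matches_reference": any(r.md5 == live_copy.md5 and r.size == live_copy.size
                                     for r in refs),
            # Content differs but the on-disk timestamp still equals the reference's:
            # the file was rewritten without its date changing, which deserves a look.
            "stamp_matches_reference": any(r.stamp == live_copy.stamp for r in refs),
        }
    return report


def suspicious_files(report: dict) -> list:
    """Names whose live copy matches none of its reference copies."""
    return sorted(n for n, r in report.items() if not r["matches_reference"])


if __name__ == "__main__":
    rep = find_mismatches(parse_sigcheck(SIGCHECK_SAMPLE))
    for name in suspicious_files(rep):
        r = rep[name]
        note = " (timestamp unchanged)" if r["stamp_matches_reference"] else ""
        print(f"{name}: live {r['live_size']} bytes md5 {r['live_md5']} "
              f"vs reference {r['reference_md5s']}{note}")
```

On the lines from this thread the checker reports svchost.exe and winlogon.exe: the system32 copies are larger than, and hash differently from, both backups while still carrying the 2004-08-04 03:56 stamp of the originals. The same log's "Files Created" section shows those files were written on 2008-10-04, and the Kaspersky report later in the thread labels them Trojan.Win32.Patched.cx, so the hash comparison alone was enough to raise the flag.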

I don't know what's happened here; HJT can't do that to a computer as far as I know.

Win XP is set by default to automatically reboot when it encounters an unrecoverable error.

Let's see if we can stop the shutdowns first. Go to Start > Run and copy and paste the following

shutdown -a

and click OK.

When you first boot up, can you hit F8 and see any of these options?

Start in Safe Mode

Start in Safe Mode with Networking

Command Prompt? (not sure on this one)

and Start with Last Known Good Configuration

If you can get into Safe Mode:

1. Click Start, and then right-click My Computer.

2. Click Properties.

3. Click the Advanced tab, and then click Settings under Startup and Recovery.

4. Under System failure, click on the small box beside Automatically restart to remove the checkmark.

5. Click OK, and then click OK.

If you then get an error message, look at all of its details.

Can you boot from the Windows XP CD and try to do a chkdsk /r to repair the drive?

I would also like to mention this could be a hardware issue, like

graphics card

video card

power supply


ComboFix 08-10-04.01 - Admin 2008-10-08 13:48:36.2 - NTFSx86

 

Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Admin\Desktop\CFScript.txt

 

FILE ::

C:\Documents and Settings\Admin\~.exe

C:\Documents and Settings\Admin\Local Settings\Temp\.tt124.tmp.exe

C:\WINDOWS\BMcf5ae155.xml

C:\WINDOWS\pskt.ini

C:\WINDOWS\system32\drrxopvf.dll

C:\WINDOWS\system32\gqxehpkq.dll

C:\WINDOWS\system32\ikhcore.cfg

C:\WINDOWS\system32\Jamster.ico

C:\WINDOWS\system32\kuesxltc.dll

C:\WINDOWS\system32\lphce70j0ej77.exe

C:\WINDOWS\system32\Mloqttwa.ini2

C:\WINDOWS\system32\ommsqdrw.dll

C:\WINDOWS\system32\pbhqfl.dll

C:\WINDOWS\system32\srfigjjv.dll

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Documents and Settings\Admin\~.exe

C:\Documents and Settings\Admin\Cookies\[email protected][1].txt

C:\Program Files\OINAnalytics

C:\Program Files\OINAnalytics\Uninstall.exe

C:\WINDOWS\BMcf5ae155.txt

C:\WINDOWS\BMcf5ae155.xml

C:\WINDOWS\pskt.ini

C:\WINDOWS\system32\drrxopvf.dll

C:\WINDOWS\system32\gqxehpkq.dll

C:\WINDOWS\system32\Jamster.ico

C:\WINDOWS\system32\kuesxltc.dll

C:\WINDOWS\system32\Mloqttwa.ini2

C:\WINDOWS\system32\ommsqdrw.dll

C:\WINDOWS\system32\pbhqfl.dll

C:\WINDOWS\system32\srfigjjv.dll

 

.

((((((((((((((((((((((((( Files Created from 2008-09-08 to 2008-10-08 )))))))))))))))))))))))))))))))

.

 

2008-10-04 14:03 . 2008-10-04 14:03 <DIR> d-------- C:\hp

2008-10-04 13:44 . 2004-08-04 03:56 506,368 --a------ C:\WINDOWS\system32\winlogon.exe

2008-10-04 13:44 . 2004-08-04 03:56 110,592 --a------ C:\WINDOWS\system32\services.exe

2008-10-04 13:44 . 2004-08-04 03:56 17,408 --a------ C:\WINDOWS\system32\svchost.exe

2008-10-04 13:44 . 2004-08-04 03:56 14,848 --a------ C:\WINDOWS\system32\lsass.exe

2008-10-04 13:30 . 2004-09-21 11:13 9,196,032 --------- C:\WINDOWS\system32\RTLCPL.exe

2008-10-04 13:30 . 2004-09-10 10:12 208,896 --------- C:\WINDOWS\alcupd.exe

2008-10-04 13:30 . 2004-09-07 14:23 156,672 --------- C:\WINDOWS\system32\RtlCPAPI.dll

2008-10-04 13:30 . 2002-02-05 13:54 141,016 --------- C:\WINDOWS\system32\alsndmgr.wav

2008-10-04 13:30 . 2004-09-01 20:04 139,264 --------- C:\WINDOWS\alcrmv.exe

2008-10-04 13:30 . 2004-09-16 20:39 69,632 --------- C:\WINDOWS\soundman.exe

2008-10-04 13:30 . 2004-09-07 13:47 57,344 --------- C:\WINDOWS\Alcxmntr.exe

2008-10-04 13:30 . 2004-02-25 18:00 40,448 --------- C:\WINDOWS\system32\ChCfg.exe

2008-10-04 10:21 . 2008-10-04 10:21 <DIR> d-------- C:\Program Files\Trend Micro

2008-10-03 13:06 . 2008-10-03 13:06 <DIR> d-------- C:\Program Files\NortonInstaller

2008-10-03 13:06 . 2008-10-03 13:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NortonInstaller

2008-10-02 14:41 . 2008-10-02 14:41 <DIR> d-------- C:\Program Files\HP

2008-09-29 17:36 . 2008-09-29 17:36 <DIR> d-------- C:\Program Files\Webtools

2008-09-29 17:36 . 2008-09-29 17:36 <DIR> d-------- C:\Program Files\Twain

2008-09-29 00:24 . 2008-09-29 00:24 1,977 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico

2008-09-27 14:08 . 2008-09-28 16:15 54,156 --ah----- C:\WINDOWS\QTFont.qfn

2008-09-27 14:08 . 2008-09-27 14:08 1,409 --a------ C:\WINDOWS\QTFont.for

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-10-06 06:48 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP

2008-10-04 17:45 --------- d-----w C:\Program Files\Spyware Doctor

2008-10-04 17:30 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-10-04 17:06 --------- d-----w C:\Documents and Settings\Admin\Application Data\MP3Rocket

2008-10-01 21:28 --------- d-----w C:\Program Files\TuneUp Utilities 2007

2008-09-29 21:36 --------- d-----w C:\Program Files\Common Files\Adobe

2008-09-29 04:00 --------- d-----w C:\Documents and Settings\Admin\Application Data\AdobeUM

2008-09-25 17:32 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2008-09-15 18:40 --------- d-----w C:\Program Files\MP3 Rocket

2008-09-14 22:37 --------- d-----w C:\Program Files\Java

2008-08-14 21:43 160,792 ----a-w C:\WINDOWS\system32\drivers\pctfw2.sys

2008-08-14 17:41 --------- d-----w C:\Program Files\Common Files\PC Tools

2008-08-14 17:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Tools

2008-07-03 20:43 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008070320080704\index.dat

.

 

------- Sigcheck -------

 

2001-08-23 08:00 12800 0f7d9c87b0ce1fa520473119752c6f79 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe

2004-08-04 03:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\ServicePackFiles\i386\svchost.exe

2008-04-13 20:12 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\svchost.exe

2004-08-04 03:56 17408 68c3b8be818b5147a91fcd319f95d39a C:\WINDOWS\system32\svchost.exe

2004-08-04 03:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\dllcache\svchost.exe

 

2001-08-23 08:00 430080 2b0e480e975ee51f2d5ce5f068fed6e2 C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe

2004-08-04 03:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\ServicePackFiles\i386\winlogon.exe

2008-04-13 20:12 507904 ed0ef0a136dec83df69f04118870003e C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe

2004-08-04 03:56 506368 1d0ea457a836e29e92280cd2d438aca0 C:\WINDOWS\system32\winlogon.exe

2004-08-04 03:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\dllcache\winlogon.exe

 

2001-08-23 08:00 101376 e3df4a0252d287c44606ee55355e1623 C:\WINDOWS\$NtServicePackUninstall$\services.exe

2004-08-04 03:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\ServicePackFiles\i386\services.exe

2008-04-13 20:12 108544 0e776ed5f7cc9f94299e70461b7b8185 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\services.exe

2004-08-04 03:56 110592 a417db84f6dc93edb375c100fbb23fb8 C:\WINDOWS\system32\services.exe

2004-08-04 03:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\system32\dllcache\services.exe

 

2001-08-23 08:00 11776 8a590ea109b5e0c7629e022f8a6b17c5 C:\WINDOWS\$NtServicePackUninstall$\lsass.exe

2004-08-04 03:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\ServicePackFiles\i386\lsass.exe

2008-04-13 20:12 13312 bf2466b3e18e970d8a976fb95fc1ca85 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\lsass.exe

2004-08-04 03:56 14848 be00d99c6391800a645ccc664e3434e3 C:\WINDOWS\system32\lsass.exe

2004-08-04 03:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\system32\dllcache\lsass.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DW6"="C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2008-06-10 785520]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-19 68856]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 413696]

"VTTimer"="VTTimer.exe" [2005-03-08 C:\WINDOWS\system32\VTTimer.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-19 68856]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Fantastic Flame Agent.lnk - C:\Program Files\Fantastic Flame Screensaver\FantasticFlameAgent.exe [2006-10-14 25600]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"

"Unshare"=C:\Program Files\safe-share\SafeShare.exe

"NAV CfgWiz"="C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\Safe-Share\\giFT\\giFTl.exe"=

"C:\\Program Files\\Safe-Share\\Safe-Share.exe"=

"C:\\Program Files\\MP3 Rocket\\MP3Rocket.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=

"C:\\Program Files\\iTunes\\iTunes.exe"=

"C:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=

 

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

UxTuneUp

.

Contents of the 'Scheduled Tasks' folder

 

2008-08-30 C:\WINDOWS\Tasks\1-Click Maintenance.job

- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe [2007-08-02 19:35]

 

2008-07-23 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

 

2008-07-19 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Admin.job

- C:\PROGRA~1\NORTON~1\Navw32.exe [2004-08-18 03:44]

 

2008-09-29 C:\WINDOWS\Tasks\Symantec NetDetect.job

- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2004-07-19 17:26]

.

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-10-08 13:52:15

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

C:\ComboFix\pv.cfexe

.

**************************************************************************

.

Completion time: 2008-10-08 13:59:22 - machine was rebooted [Admin]

ComboFix-quarantined-files.txt 2008-10-08 17:59:17

ComboFix2.txt 2008-10-06 06:44:33

ComboFix3.txt 2008-10-04 16:59:08

 

Pre-Run: 93,478,526,976 bytes free

Post-Run: 93,615,079,424 bytes free

 

183 --- E O F --- 2008-09-14 19:57:15

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7 REPORT

Wednesday, October 8, 2008

Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)

Kaspersky Online Scanner 7 version: 7.0.25.0

Program database last update: Wednesday, October 08, 2008 16:55:28

Records in database: 1299861

--------------------------------------------------------------------------------

 

Scan settings:

Scan using the following database: extended

Scan archives: yes

Scan mail databases: yes

 

Scan area - My Computer:

C:\

D:\

E:\

F:\

G:\

H:\

I:\

 

Scan statistics:

Files scanned: 48307

Threat name: 19

Infected objects: 50

Suspicious objects: 0

Duration of the scan: 00:58:52

 

 

File name / Threat name / Threats count

C:\WINDOWS\system32\winlogon.exe/C:\WINDOWS\system32\winlogon.exe Infected: Trojan.Win32.Patched.cx 1

C:\WINDOWS\system32\services.exe/C:\WINDOWS\system32\services.exe Infected: Trojan.Win32.Patched.cx 1

C:\WINDOWS\system32\lsass.exe/C:\WINDOWS\system32\lsass.exe Infected: Trojan.Win32.Patched.cx 1

C:\WINDOWS\system32\svchost.exe/C:\WINDOWS\system32\svchost.exe Infected: Trojan.Win32.Patched.cx 3

C:\WINDOWS\System32\svchost.exe/C:\WINDOWS\System32\svchost.exe Infected: Trojan.Win32.Patched.cx 3

C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\6.0\17\2f7fa3d1-3bcf3ce0 Infected: Trojan-Downloader.Java.OpenStream.ac 1

C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\6.0\20\1b0842d4-1995562a Infected: Exploit.Java.Gimsh.b 1

C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\6.0\20\2ffde494-28c8d2da Infected: Trojan-Downloader.Java.OpenStream.c 1

C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\6.0\20\2ffde494-28c8d2da Infected: Trojan.Java.ClassLoader.h 1

C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\6.0\20\2ffde494-28c8d2da Infected: Trojan.Java.ClassLoader.d 1

C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-7fc2c9f5 Infected: Exploit.Java.Gimsh.b 1

C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\6.0\22\626cced6-78a4c2ac Infected: Exploit.Java.Gimsh.b 1

C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\6.0\40\3cda1268-7ae8e642 Infected: Exploit.Java.Gimsh.b 1

C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\6.0\47\191e7eef-360fe522 Infected: Trojan-Downloader.Java.OpenStream.c 1

C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\6.0\47\191e7eef-360fe522 Infected: Trojan.Java.ClassLoader.h 1

C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\6.0\47\191e7eef-360fe522 Infected: Trojan.Java.ClassLoader.d 1

C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-3c46283f Infected: Exploit.Java.Gimsh.b 1

C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\6.0\49\49820371-4fd2b011 Infected: Exploit.Java.Gimsh.b 1

C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\6.0\52\309a49b4-2122215b Infected: Trojan-Downloader.Java.OpenStream.ac 1

C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-2afc8601-4c8b0cfc.zip Infected: Exploit.Java.Gimsh.b 1

C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-396c70dc-13b2fd91.zip Infected: Exploit.Java.Gimsh.b 1

C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-431208d6.zip Infected: Exploit.Java.Gimsh.b 1

C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-4a5d57d0-7ec1a1ee.zip Infected: Exploit.Java.Gimsh.b 1

C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-3bb36e51.zip Infected: Exploit.Java.Gimsh.b 1

C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-7f0478ee.zip Infected: Exploit.Java.Gimsh.b 1

C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\OP.jar-136bbb50-1bbac00b.zip Infected: Trojan-Downloader.Java.OpenStream.ac 1

C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\OP.jar-15d79a1d-7f302d0a.zip Infected: Trojan-Downloader.Java.OpenStream.ac 1

C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\OP.jar-35260e86-6e31ea0c.zip Infected: Trojan-Downloader.Java.OpenStream.ac 1

C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\OP.jar-714d2d40-7e5ed2e2.zip Infected: Trojan-Downloader.Java.OpenStream.ac 1

C:\Documents and Settings\Admin\Shared\i kissed girl remix katy perry.mp3 Infected: Trojan-Downloader.WMA.Wimad.n 1

C:\QooBox\Quarantine\C\Documents and Settings\Admin\~.exe.vir Infected: Trojan.Win32.Agent.afaz 1

C:\QooBox\Quarantine\C\WINDOWS\b103.exe.vir Infected: not-a-virus:AdWare.Win32.Rond.d 1

C:\QooBox\Quarantine\C\WINDOWS\b104.exe.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.qyk 1

C:\QooBox\Quarantine\C\WINDOWS\b161.exe.vir Infected: Trojan-Downloader.Win32.Agent.ajca 1

C:\QooBox\Quarantine\C\WINDOWS\faceback.exe.vir Infected: Trojan-Downloader.Win32.Agent.aice 1

C:\QooBox\Quarantine\C\WINDOWS\system32\ASKS~1\rundll32.exe.vir Infected: Trojan-Downloader.Win32.Agent.kwg 1

C:\QooBox\Quarantine\C\WINDOWS\system32\geBqNGww.dll.vir Infected: Trojan.Win32.Agent.afbr 1

C:\QooBox\Quarantine\C\WINDOWS\system32\gqxehpkq.dll.vir Infected: Trojan.Win32.Monder.qkr 1

C:\QooBox\Quarantine\C\WINDOWS\system32\kuesxltc.dll.vir Infected: Trojan.Win32.Monder.qkq 1

C:\QooBox\Quarantine\C\WINDOWS\system32\lphce70j0ej77.exe.vir Infected: Backdoor.Win32.Frauder.:filtered: 1

C:\QooBox\Quarantine\C\WINDOWS\system32\ommsqdrw.dll.vir Infected: Trojan.Win32.Agent.afqd 1

C:\QooBox\Quarantine\C\WINDOWS\system32\srfigjjv.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.altx 1

C:\WINDOWS\system32\lsass.exe Infected: Trojan.Win32.Patched.cx 1

C:\WINDOWS\system32\services.exe Infected: Trojan.Win32.Patched.cx 1

C:\WINDOWS\system32\svchost.exe Infected: Trojan.Win32.Patched.cx 1

C:\WINDOWS\system32\winlogon.exe Infected: Trojan.Win32.Patched.cx 1

 

The selected area was scanned.

PHP Version 4.3.9

 

System Linux tantra.reboot.ca 2.6.9-42.ELsmp #1 SMP Wed Jul 12 23:27:17 EDT 2006 i686

Build Date Nov 2 2006 16:40:53

Configure Command './configure' '--build=i686-redhat-linux-gnu' '--host=i686-redhat-linux-gnu' '--target=i386-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib' '--libexecdir=/usr/libexec' '--localstatedir=/var' '--sharedstatedir=/usr/com' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--cache-file=../config.cache' '--with-config-file-path=/etc' '--with-config-file-scan-dir=/etc/php.d' '--enable-force-cgi-redirect' '--disable-debug' '--enable-pic' '--disable-rpath' '--enable-inline-optimization' '--with-bz2' '--with-db4=/usr' '--with-curl' '--with-exec-dir=/usr/bin' '--with-freetype-dir=/usr' '--with-png-dir=/usr' '--with-gd=shared' '--enable-gd-native-ttf' '--without-gdbm' '--with-gettext' '--with-ncurses=shared' '--with-gmp' '--with-iconv' '--with-jpeg-dir=/usr' '--with-openssl' '--with-png' '--with-pspell' '--with-xml' '--with-expat-dir=/usr' '--with-dom=shared,/usr' '--with-dom-xslt=/usr' '--with-dom-exslt=/usr' '--with-xmlrpc=shared' '--with-pcre-regex=/usr' '--with-zlib' '--with-layout=GNU' '--enable-bcmath' '--enable-exif' '--enable-ftp' '--enable-magic-quotes' '--enable-sockets' '--enable-sysvsem' '--enable-sysvshm' '--enable-track-vars' '--enable-trans-sid' '--enable-yp' '--enable-wddx' '--with-pear=/usr/share/pear' '--with-imap=shared' '--with-imap-ssl' '--with-kerberos' '--with-ldap=shared' '--with-mysql=shared,/usr' '--with-pgsql=shared' '--with-snmp=shared,/usr' '--with-snmp=shared' '--enable-ucd-snmp-hack' '--with-unixODBC=shared,/usr' '--enable-memory-limit' '--enable-shmop' '--enable-calendar' '--enable-dbx' '--enable-dio' '--enable-mbstring=shared' '--enable-mbstr-enc-trans' '--enable-mbregex' '--with-mime-magic=/usr/share/file/magic.mime' '--with-apxs2=/usr/sbin/apxs'

Server API Apache 2.0 Handler

Virtual Directory Support disabled

Configuration File (php.ini) Path /etc/php.ini

Scan this dir for additional .ini files /etc/php.d

additional .ini files parsed /etc/php.d/gd.ini, /etc/php.d/imap.ini, /etc/php.d/ldap.ini, /etc/php.d/mbstring.ini, /etc/php.d/mysql.ini, /etc/php.d/pgsql.ini

PHP API 20020918

PHP Extension 20020429

Zend Extension 20021010

Debug Build no

Thread Safety disabled

Registered PHP Streams php, http, ftp, https, ftps, compress.bzip2, compress.zlib

 

This program makes use of the Zend Scripting Language Engine:

Zend Engine v1.3.0, Copyright © 1998-2004 Zend Technologies

 

 

--------------------------------------------------------------------------------

 

PHP Credits

 

--------------------------------------------------------------------------------

 

Configuration

PHP Core

Directive Local Value Master Value

allow_call_time_pass_reference Off Off

allow_url_fopen On On

always_populate_raw_post_data Off Off

arg_separator.input & &

arg_separator.output & &

asp_tags Off Off

auto_append_file no value no value

auto_prepend_file no value no value

browscap no value no value

default_charset no value no value

default_mimetype text/html text/html

define_syslog_variables Off Off

disable_classes no value no value

disable_functions no value no value

display_errors On On

display_startup_errors Off Off

doc_root no value no value

docref_ext no value no value

docref_root no value no value

enable_dl On On

error_append_string no value no value

error_log no value no value

error_prepend_string no value no value

error_reporting 4 4

expose_php On On

extension_dir /usr/lib/php4 /usr/lib/php4

file_uploads On On

gpc_order GPC GPC

highlight.bg #FFFFFF #FFFFFF

highlight.comment #FF8000 #FF8000

highlight.default #0000BB #0000BB

highlight.html #000000 #000000

highlight.keyword #007700 #007700

highlight.string #DD0000 #DD0000

html_errors On On

ignore_repeated_errors Off Off

ignore_repeated_source Off Off

ignore_user_abort Off Off

implicit_flush Off Off

include_path .:/php/includes:/usr/share/php .:/php/includes:/usr/share/php

log_errors On On

log_errors_max_len 1024 1024

magic_quotes_gpc Off Off

magic_quotes_runtime Off Off

magic_quotes_sybase Off Off

max_execution_time 60 60

max_input_time 60 60

memory_limit 16M 16M

open_basedir no value no value

output_buffering no value no value

output_handler no value no value

post_max_size 8M 8M

precision 14 14

register_argc_argv On On

register_globals On On

report_memleaks On On

safe_mode Off Off

safe_mode_exec_dir no value no value

safe_mode_gid Off Off

safe_mode_include_dir no value no value

sendmail_from no value no value

sendmail_path /usr/sbin/sendmail -t -i /usr/sbin/sendmail -t -i

serialize_precision 100 100

short_open_tag On On

SMTP localhost localhost

smtp_port 25 25

sql.safe_mode Off Off

track_errors Off Off

unserialize_callback_func no value no value

upload_max_filesize 10M 10M


I hope I did everything right. The only thing I notice about my computer, besides missing my audio, is that after a little while, when I click on a website, it will tell me "cannot display page" or something like that, and I have to restart my computer to view web pages again.


Welcome back

 

 

Your machine has been hit with a critical system files patcher infection, confirmed by the Kaspersky scan.

While some can be removed successfully, others cannot. Many suggest that at this time the best way to rid the machine of this infection would be to do a wipe and reformat.

I will attempt to do my best, but with the warning that it may not be possible.

 

I see you have P2P software (Safe-Share) installed on your machine. Not here to pass judgment on file-sharing; however, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation.

Even when programs like these are not infected themselves, they may still bring malware into your system, because more than half of all files available for download from peer-to-peer networks have been deliberately infected with some form of malware.

You can find a list of clean P2P programs at http://p2p.malwareremoval.com.

 

Go to Start – Settings – Control Panel. Click on Add/Remove Programs, click on the program to highlight it, and click on Remove.

SafeShare

 

 

NEXT**

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)

  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button.
  • There are two options in the window to clear the cache - Leave BOTH Checked:
    • Applications and Applets
    • Trace and Log Files
  • Click OK on the Delete Temporary Files Window.

    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

  • Click OK to leave the Temporary Files Window.
  • Click OK to leave the Java Control Panel.
===================================================

 

Also, I want you to remove all older versions of Java except Java 6.-7.

 

 

NEXT**

Next: Disconnect from the internet. If you are on Cable or DSL unplug your computer from the modem.

Next: Please disable all onboard security programs (all running with background protection), as they may hinder the scanner from working.

This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

 

Click on this link Here to see a list of programs that should be disabled.

 

Please open Notepad (*Do Not Use Wordpad!*; do not use any other text editor than Notepad or the script will fail). (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:

Save this as "CFScript.txt" including quotes and change the "Save as type" to "All Files" and place it on your desktop.

File:: 
C:\Documents and Settings\Admin\Shared\i kissed girl remix katy perry.mp3

FCopy::
C:\WINDOWS\ServicePackFiles\i386\lsass.exe | C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\ServicePackFiles\i386\services.exe | C:\WINDOWS\system32\services.exe
C:\WINDOWS\ServicePackFiles\i386\winlogon.exe | C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\ServicePackFiles\i386\svchost.exe | C:\WINDOWS\System32\svchost.exe
Posted Image

 

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.

ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

 

 

 

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

 

 

 

 

 

NEXT**

 

 

Go to My Computer->Tools->Folder Options->View tab:

  • Under the Hidden files and folders heading:
  • Select - Show hidden files and folders.
  • Uncheck - Hide protected operating system files (recommended) option.
  • Also, make sure there is no checkmark beside Hide file extensions for known file types.
  • Click OK. (Remember to Hide files and folders once done)

 

 

 

 

Please go to: VirusTotal

  • Click the Browse button and search for the following file: C:\WINDOWS\system32\lsass.exe
  • Click Open
  • Then click Send File
  • Please be patient while the file is scanned.
  • Once the scan results appear, please provide them in your next reply.
If it says already scanned -- click "reanalyze now"

 

Please also have the files below scanned one at a time and post the results for these as well.

 

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\System32\svchost.exe

 

 

In your next reply post:

ComboFix.txt

Files requested scanned

New HJT log taken after the above scan has run

 

 

I need an update on how the computer is at the moment.

Edited by Juliet
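An integrity check mirroring the FCopy and VirusTotal steps in the reply above, added here as an example and not code from the thread or from ComboFix. It assumes the same WINDOWS\ServicePackFiles\i386 and system32 layout the CFScript uses and reuses the lsass.exe and services.exe size/MD5 values from the VirusTotal reports posted in this thread; the directory tree and file contents in the demo are constructed.

```python
"""Offline integrity check mirroring the FCopy step of the CFScript above.
Added example for this thread, not ComboFix's own code. Each live file in
system32 is hashed and compared with its pristine ServicePackFiles\\i386 copy,
and can also be checked against a recorded size/MD5. The demo tree is constructed.
"""
import hashlib
import os
import tempfile

# Same reference -> live pairs as the FCopy:: section of the CFScript.
FCOPY_PAIRS = [
    ("ServicePackFiles/i386/lsass.exe", "system32/lsass.exe"),
    ("ServicePackFiles/i386/services.exe", "system32/services.exe"),
    ("ServicePackFiles/i386/winlogon.exe", "system32/winlogon.exe"),
    ("ServicePackFiles/i386/svchost.exe", "system32/svchost.exe"),
]

# Known-good (size, MD5) taken from the VirusTotal results posted in this
# thread for the XP SP2 builds; only the two files the thread reports.
KNOWN_GOOD = {
    "lsass.exe": (13312, "84885f9b82f4d55c6146ebf6065d75d2"),
    "services.exe": (108032, "c6ce6eec82f187615d1002bb3bb50ed4"),
}


def file_digest(path, algo="md5"):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_system_files(windir, pairs=FCOPY_PAIRS):
    """Return {basename: 'ok' | 'patched' | 'missing' | 'missing-reference'}.
    'patched' is the file-patcher signature the thread describes: same name
    and size as the original, different bytes."""
    results = {}
    for ref_rel, live_rel in pairs:
        ref = os.path.join(windir, *ref_rel.split("/"))
        live = os.path.join(windir, *live_rel.split("/"))
        name = os.path.basename(live)
        if not os.path.isfile(live):
            results[name] = "missing"
        elif not os.path.isfile(ref):
            results[name] = "missing-reference"
        elif file_digest(live) == file_digest(ref):
            results[name] = "ok"
        else:
            results[name] = "patched"
    return results


def verify_known_good(path, known_good=KNOWN_GOOD):
    """True/False against a recorded (size, MD5); None if nothing is recorded.
    Second opinion for when the ServicePackFiles copy was itself overwritten:
    live-vs-reference then says 'ok' although both are bad."""
    expected = known_good.get(os.path.basename(path))
    if expected is None:
        return None
    return (os.path.getsize(path), file_digest(path)) == expected


def build_demo_tree():
    """Construct a fake WINDOWS tree: lsass.exe patched (same size, other
    bytes), services/winlogon intact, svchost.exe without a reference copy."""
    root = tempfile.mkdtemp(prefix="fake_windows_")
    ref_dir = os.path.join(root, "ServicePackFiles", "i386")
    live_dir = os.path.join(root, "system32")
    os.makedirs(ref_dir)
    os.makedirs(live_dir)
    clean = {
        "lsass.exe": b"MZ clean lsass code",
        "services.exe": b"MZ clean services code",
        "winlogon.exe": b"MZ clean winlogon code",
        "svchost.exe": b"MZ clean svchost code",
    }
    for name, data in clean.items():
        if name != "svchost.exe":  # no pristine svchost copy in this demo
            with open(os.path.join(ref_dir, name), "wb") as f:
                f.write(data)
        live = b"MZ PATCH lsass code" if name == "lsass.exe" else data
        with open(os.path.join(live_dir, name), "wb") as f:
            f.write(live)
    return root


def demo():
    """Run the check over the constructed tree and return the verdicts."""
    return check_system_files(build_demo_tree())


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{name:14} {status}")
```

A rootkit on the live system can serve the original bytes to file reads, so for a trustworthy verdict hash the files from boot media or a second machine.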

ComboFix 08-10-04.01 - Admin 2008-10-10 19:06:46.4 - NTFSx86

 

Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Admin\Desktop\CFScript.txt

 

FILE ::

C:\Documents and Settings\Admin\Shared\i kissed girl remix katy perry.mp3

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Documents and Settings\Admin\Cookies\[email protected][2].txt

C:\Documents and Settings\Admin\Cookies\[email protected][1].txt

C:\Documents and Settings\Admin\Shared\i kissed girl remix katy perry.mp3

 

.

--------------- FCopy ---------------

 

C:\WINDOWS\ServicePackFiles\i386\lsass.exe --> C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\ServicePackFiles\i386\services.exe --> C:\WINDOWS\system32\services.exe

C:\WINDOWS\ServicePackFiles\i386\winlogon.exe --> C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\ServicePackFiles\i386\svchost.exe --> C:\WINDOWS\System32\svchost.exe

.

((((((((((((((((((((((((( Files Created from 2008-09-10 to 2008-10-10 )))))))))))))))))))))))))))))))

.

 

2008-10-10 18:20 . 2008-10-10 18:49 <DIR> d--h-c--- C:\Documents and Settings\All Users\Application Data\~0

2008-10-10 18:20 . 2008-10-10 18:20 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Uniblue

2008-10-04 14:03 . 2008-10-04 14:03 <DIR> d-------- C:\hp

2008-10-04 13:44 . 2004-08-04 03:56 502,272 --a------ C:\WINDOWS\system32\winlogon.exe

2008-10-04 13:44 . 2004-08-04 03:56 502,272 --a--c--- C:\WINDOWS\system32\dllcache\winlogon.exe

2008-10-04 13:44 . 2004-08-04 03:56 108,032 --a------ C:\WINDOWS\system32\services.exe

2008-10-04 13:44 . 2004-08-04 03:56 108,032 --a--c--- C:\WINDOWS\system32\dllcache\services.exe

2008-10-04 13:44 . 2004-08-04 03:56 14,336 --a------ C:\WINDOWS\system32\svchost.exe

2008-10-04 13:44 . 2004-08-04 03:56 14,336 --a--c--- C:\WINDOWS\system32\dllcache\svchost.exe

2008-10-04 13:44 . 2004-08-04 03:56 13,312 --a------ C:\WINDOWS\system32\lsass.exe

2008-10-04 13:44 . 2004-08-04 03:56 13,312 --a--c--- C:\WINDOWS\system32\dllcache\lsass.exe

2008-10-04 13:30 . 2004-09-21 11:13 9,196,032 --------- C:\WINDOWS\system32\RTLCPL.exe

2008-10-04 13:30 . 2004-09-10 10:12 208,896 --------- C:\WINDOWS\alcupd.exe

2008-10-04 13:30 . 2004-09-07 14:23 156,672 --------- C:\WINDOWS\system32\RtlCPAPI.dll

2008-10-04 13:30 . 2002-02-05 13:54 141,016 --------- C:\WINDOWS\system32\alsndmgr.wav

2008-10-04 13:30 . 2004-09-01 20:04 139,264 --------- C:\WINDOWS\alcrmv.exe

2008-10-04 13:30 . 2004-09-16 20:39 69,632 --------- C:\WINDOWS\soundman.exe

2008-10-04 13:30 . 2004-09-07 13:47 57,344 --------- C:\WINDOWS\Alcxmntr.exe

2008-10-04 13:30 . 2004-02-25 18:00 40,448 --------- C:\WINDOWS\system32\ChCfg.exe

2008-10-04 10:21 . 2008-10-04 10:21 <DIR> d-------- C:\Program Files\Trend Micro

2008-10-03 13:06 . 2008-10-03 13:06 <DIR> d-------- C:\Program Files\NortonInstaller

2008-10-03 13:06 . 2008-10-03 13:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NortonInstaller

2008-10-02 14:41 . 2008-10-02 14:41 <DIR> d-------- C:\Program Files\HP

2008-09-29 17:36 . 2008-09-29 17:36 <DIR> d-------- C:\Program Files\Webtools

2008-09-29 17:36 . 2008-09-29 17:36 <DIR> d-------- C:\Program Files\Twain

2008-09-29 00:24 . 2008-09-29 00:24 1,977 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico

2008-09-27 14:08 . 2008-09-28 16:15 54,156 --ah----- C:\WINDOWS\QTFont.qfn

2008-09-27 14:08 . 2008-09-27 14:08 1,409 --a------ C:\WINDOWS\QTFont.for

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-10-10 23:00 --------- d-----w C:\Program Files\Java

2008-10-09 22:31 --------- d-----w C:\Program Files\Safe-Share

2008-10-06 06:48 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP

2008-10-04 17:45 --------- d-----w C:\Program Files\Spyware Doctor

2008-10-04 17:30 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-10-04 17:06 --------- d-----w C:\Documents and Settings\Admin\Application Data\MP3Rocket

2008-10-01 21:28 --------- d-----w C:\Program Files\TuneUp Utilities 2007

2008-09-29 21:36 --------- d-----w C:\Program Files\Common Files\Adobe

2008-09-29 04:00 --------- d-----w C:\Documents and Settings\Admin\Application Data\AdobeUM

2008-09-25 17:32 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2008-09-15 18:40 --------- d-----w C:\Program Files\MP3 Rocket

2008-08-14 21:43 160,792 ----a-w C:\WINDOWS\system32\drivers\pctfw2.sys

2008-08-14 17:41 --------- d-----w C:\Program Files\Common Files\PC Tools

2008-08-14 17:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Tools

2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll

2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe

2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll

2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll

2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll

2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll

2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll

2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll

2008-07-03 20:43 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008070320080704\index.dat

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DW6"="C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2008-06-10 785520]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-19 68856]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-19 68856]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Fantastic Flame Agent.lnk - C:\Program Files\Fantastic Flame Screensaver\FantasticFlameAgent.exe [2006-10-14 25600]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"

"Unshare"=C:\Program Files\safe-share\SafeShare.exe

"NAV CfgWiz"="C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\MP3 Rocket\\MP3Rocket.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=

"C:\\Program Files\\iTunes\\iTunes.exe"=

 

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

UxTuneUp

.

Contents of the 'Scheduled Tasks' folder

 

2008-08-30 C:\WINDOWS\Tasks\1-Click Maintenance.job

- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe [2007-08-02 19:35]

 

2008-07-23 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

 

2008-07-19 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Admin.job

- C:\PROGRA~1\NORTON~1\Navw32.exe [2004-08-18 03:44]

 

2008-09-29 C:\WINDOWS\Tasks\Symantec NetDetect.job

- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2004-07-19 17:26]

.

- - - - ORPHANS REMOVED - - - -

 

HKCU-Run-Uniblue RegistryBooster 2009 - C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe

 

 

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-10-10 19:09:00

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

 

**************************************************************************

.

Completion time: 2008-10-10 19:11:05

ComboFix-quarantined-files.txt 2008-10-10 23:10:03

ComboFix2.txt 2008-10-08 17:59:23

ComboFix3.txt 2008-10-06 06:44:33

ComboFix4.txt 2008-10-04 16:59:08

 

Pre-Run: 93,496,373,248 bytes free

Post-Run: 93,601,943,552 bytes free

 

141 --- E O F --- 2008-09-14 19:57:15

 

 

 

 

 

 

Antivirus Version Last Update Result

AhnLab-V3 2008.10.10.1 2008.10.10 -

AntiVir 7.8.1.34 2008.10.10 -

Authentium 5.1.0.4 2008.10.10 -

Avast 4.8.1248.0 2008.10.10 -

AVG 8.0.0.161 2008.10.10 -

BitDefender 7.2 2008.10.11 -

CAT-QuickHeal 9.50 2008.10.10 -

ClamAV 0.93.1 2008.10.10 -

DrWeb 4.44.0.09170 2008.10.10 -

eSafe 7.0.17.0 2008.10.08 -

eTrust-Vet 31.6.6141 2008.10.10 -

Ewido 4.0 2008.10.10 -

F-Prot 4.4.4.56 2008.10.10 -

F-Secure 8.0.14332.0 2008.10.11 -

Fortinet 3.113.0.0 2008.10.10 -

GData 19 2008.10.10 -

Ikarus T3.1.1.34.0 2008.10.10 -

K7AntiVirus 7.10.490 2008.10.10 -

Kaspersky 7.0.0.125 2008.10.11 -

McAfee 5403 2008.10.11 -

Microsoft 1.4005 2008.10.11 -

NOD32 3513 2008.10.10 -

Norman 5.80.02 2008.10.10 -

Panda 9.0.0.4 2008.10.10 -

PCTools 4.4.2.0 2008.10.10 -

Prevx1 V2 2008.10.11 -

Rising 20.65.42.00 2008.10.10 -

SecureWeb-Gateway 6.7.6 2008.10.10 -

Sophos 4.34.0 2008.10.10 -

Sunbelt 3.1.1715.1 2008.10.10 -

Symantec 10 2008.10.11 -

TheHacker 6.3.1.0.106 2008.10.10 -

TrendMicro 8.700.0.1004 2008.10.10 -

VBA32 3.12.8.6 2008.10.10 -

ViRobot 2008.10.10.1416 2008.10.10 -

VirusBuster 4.5.11.0 2008.10.10 -

Additional information

File size: 13312 bytes

MD5...: 84885f9b82f4d55c6146ebf6065d75d2

SHA1..: 6473b34c05bc63eb0d66cad83355e6938cbe97e9

SHA256: 76fe1b6c432b6c74fc283de52d14ef668f8c4aad0d139f362635efb30482b4ed

SHA512: 68d217690b71dcaea8e528f29f996e124b4e3c7ac0680fda38a176912045fd65fd7f58a61895da54dcd4522fbc45819799bafc290fb667edcd2f1bfe6d8bfff7

PEiD..: -

TrID..: File type identification

Win32 Executable Generic (42.3%)

Win32 Dynamic Link Library (generic) (37.6%)

Generic Win/DOS Executable (9.9%)

DOS Executable Generic (9.9%)

Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

PEInfo: PE Structure information

 

( base data )

entrypointaddress.: 0x10014bd

timedatestamp.....: 0x41107b4d (Wed Aug 04 05:59:41 2004)

machinetype.......: 0x14c (I386)

 

( 3 sections )

name viradd virsiz rawdsiz ntrpy md5

.text 0x1000 0x10d0 0x1200 6.01 d107b4f218abee66665545859fb9cc89

.data 0x3000 0x6c 0x200 0.20 86a789a893c60d5e207d053188cdc250

.rsrc 0x4000 0x1b40 0x1c00 7.16 e4a0d77578ef1aa0158f6be8dfc6d37a

 

( 5 imports )

> ADVAPI32.dll: FreeSid, CheckTokenMembership, AllocateAndInitializeSid, OpenThreadToken, ImpersonateSelf, RevertToSelf

> KERNEL32.dll: CloseHandle, GetCurrentThread, ExitThread, SetUnhandledExceptionFilter, SetErrorMode, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, RtlUnwind, InterlockedExchange, VirtualQuery

> ntdll.dll: NtSetInformationProcess, RtlInitUnicodeString, NtCreateEvent, NtOpenEvent, NtSetEvent, NtClose, NtRaiseHardError, RtlAdjustPrivilege, NtShutdownSystem, RtlUnhandledExceptionFilter

> LSASRV.dll: LsaISetupWasRun, LsapDsDebugInitialize, LsapAuOpenSam, LsapCheckBootMode, ServiceInit, LsapInitLsa, LsapDsInitializePromoteInterface, LsapDsInitializeDsStateInfo

> SAMSRV.dll: SamIInitialize, SampUsingDsData

 

( 0 exports )

 

ThreatExpert info: http://www.threatexpert.com/report.aspx?md...146ebf6065d75d2

 

 

 

 

 

 

AhnLab-V3 2008.10.10.1 2008.10.10 -

AntiVir 7.8.1.34 2008.10.10 -

Authentium 5.1.0.4 2008.10.11 -

Avast 4.8.1248.0 2008.10.10 -

AVG 8.0.0.161 2008.10.10 -

BitDefender 7.2 2008.10.11 -

CAT-QuickHeal 9.50 2008.10.10 -

ClamAV 0.93.1 2008.10.10 -

DrWeb 4.44.0.09170 2008.10.10 -

eSafe 7.0.17.0 2008.10.08 -

eTrust-Vet 31.6.6141 2008.10.10 -

Ewido 4.0 2008.10.10 -

F-Prot 4.4.4.56 2008.10.10 -

F-Secure 8.0.14332.0 2008.10.11 -

Fortinet 3.113.0.0 2008.10.10 -

GData 19 2008.10.10 -

Ikarus T3.1.1.34.0 2008.10.10 -

K7AntiVirus 7.10.490 2008.10.10 -

Kaspersky 7.0.0.125 2008.10.11 -

McAfee 5403 2008.10.11 -

Microsoft 1.4005 2008.10.11 -

NOD32 3513 2008.10.10 -

Norman 5.80.02 2008.10.10 -

Panda 9.0.0.4 2008.10.10 -

PCTools 4.4.2.0 2008.10.10 -

Prevx1 V2 2008.10.11 -

Rising 20.65.42.00 2008.10.10 -

SecureWeb-Gateway 6.7.6 2008.10.10 -

Sophos 4.34.0 2008.10.10 -

Sunbelt 3.1.1715.1 2008.10.10 -

Symantec 10 2008.10.11 -

TheHacker 6.3.1.0.106 2008.10.10 -

TrendMicro 8.700.0.1004 2008.10.10 -

VBA32 3.12.8.6 2008.10.10 -

ViRobot 2008.10.10.1416 2008.10.10 -

VirusBuster 4.5.11.0 2008.10.10 -

Additional information

File size: 108032 bytes

MD5...: c6ce6eec82f187615d1002bb3bb50ed4

SHA1..: b958912d139cb8dbfeeacdd38ba048c4f452174e

SHA256: cea9c880328205ae3376eb8b005412cb0f8fce52a71c6f0651ef5f9c193f6e3f

SHA512: 251744f54e33becc9f20a9ae5605ea49c23f13506f34027e797661c331caad440e9f6d892e85fc6c66555c605b264fba4af23b51931453066b9a40b7054fdbb8

PEiD..: -

TrID..: File type identification

Win32 Executable Generic (42.3%)

Win32 Dynamic Link Library (generic) (37.6%)

Generic Win/DOS Executable (9.9%)

DOS Executable Generic (9.9%)

Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

PEInfo: PE Structure information

 

( base data )

entrypointaddress.: 0x100b5cc

timedatestamp.....: 0x41107eb3 (Wed Aug 04 06:14:11 2004)

machinetype.......: 0x14c (I386)

 

( 3 sections )

name viradd virsiz rawdsiz ntrpy md5

.text 0x1000 0x18f55 0x19000 6.26 b20d7426baadb5d61b21b7f45648ecfa

.data 0x1a000 0xa14 0xa00 2.05 fd6fc84823efda2858a97fe8e6dd8f76

.rsrc 0x1b000 0x7b0 0x800 3.15 d9f56ab9f5d44407cd57280022b2dd18

 

( 10 imports )

> msvcrt.dll: wcsrchr, time, _except_handler3, memmove, wcschr, _c_exit, _exit, _XcptFilter, _cexit, _wcsicmp, exit, __initenv, __getmainargs, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _controlfp, wcslen, wcsncmp, _wtol, wcscpy, _itow, _wcsnicmp, wcscat, _initterm, wcsncpy, wcscspn, _ultow

> ADVAPI32.dll: RegOpenKeyW, ConvertSidToStringSidW, LogonUserExW, LsaStorePrivateData, LsaLookupNames, LsaQueryInformationPolicy, OpenThreadToken, RegNotifyChangeKeyValue, InitializeSecurityDescriptor, StartServiceCtrlDispatcherW, RegisterServiceCtrlHandlerW, SetServiceStatus, SystemFunction029, SystemFunction005, CheckTokenMembership, FreeSid, AllocateAndInitializeSid, SetSecurityDescriptorOwner, GetSecurityDescriptorDacl, GetLengthSid, CopySid, InitializeAcl, AddAce, SetSecurityDescriptorDacl, LsaOpenPolicy, LsaLookupSids, LsaFreeMemory, LsaClose, ImpersonateLoggedOnUser, CreateProcessAsUserW, GetTokenInformation, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, InitiateSystemShutdownW, RevertToSelf

> KERNEL32.dll: TerminateProcess, SetProcessShutdownParameters, lstrcmpiW, FormatMessageW, ExitThread, ReleaseMutex, DelayLoadFailureHook, RaiseException, GetExitCodeThread, SetErrorMode, SetUnhandledExceptionFilter, LoadLibraryA, QueryPerformanceCounter, GetCurrentThreadId, GetCurrentProcess, UnhandledExceptionFilter, GetModuleHandleA, CreateMutexW, LocalAlloc, LocalFree, Sleep, LeaveCriticalSection, EnterCriticalSection, SetLastError, CloseHandle, CreateThread, GetLastError, CreateProcessW, ExpandEnvironmentStringsW, InitializeCriticalSection, HeapAlloc, HeapFree, SetConsoleCtrlHandler, WaitForSingleObject, HeapCreate, FreeLibrary, GetProcAddress, GetModuleHandleExW, InterlockedCompareExchange, CreateNamedPipeW, ReadFile, CancelIo, GetOverlappedResult, WaitForMultipleObjects, ConnectNamedPipe, TransactNamedPipe, WriteFile, GetTickCount, GetSystemTimeAsFileTime, GetModuleHandleW, GetComputerNameW, CreateEventW, SetEvent, ResetEvent, DeviceIoControl, CreateFileW, ResumeThread, GetCurrentProcessId, LoadLibraryW, GetDriveTypeW, OpenEventW, GetCurrentThread

> USER32.dll: wsprintfW, BroadcastSystemMessageW, MessageBoxW, LoadStringW, RegisterServicesProcess

> RPCRT4.dll: RpcServerRegisterAuthInfoW, RpcBindingFree, RpcEpResolveBinding, RpcBindingFromStringBindingW, RpcStringBindingComposeW, NdrClientCall2, RpcAsyncCompleteCall, RpcAsyncInitializeHandle, NdrAsyncServerCall, NdrAsyncClientCall, RpcMgmtStopServerListening, RpcMgmtWaitServerListen, NdrServerCall2, I_RpcBindingIsClientLocal, RpcRevertToSelf, I_RpcMapWin32Status, RpcImpersonateClient, RpcStringBindingParseW, RpcStringFreeW, RpcBindingToStringBindingW, RpcServerRegisterIfEx, RpcServerUseProtseqEpW, RpcServerRegisterIf, RpcServerListen, RpcServerUnregisterIf

> ntdll.dll: RtlCreateAcl, NtCreateKey, NtQueryValueKey, NtSetValueKey, NtDeleteValueKey, NtEnumerateKey, NtQuerySecurityObject, RtlFreeHeap, NtOpenKey, NtDeleteKey, RtlSetControlSecurityDescriptor, RtlValidSecurityDescriptor, RtlLengthSecurityDescriptor, NtPrivilegeObjectAuditAlarm, NtPrivilegeCheck, NtOpenThreadToken, NtAccessCheckAndAuditAlarm, NtSetInformationThread, NtAdjustPrivilegesToken, NtDuplicateToken, NtOpenProcessToken, NtQueryInformationToken, RtlQuerySecurityObject, RtlAddAccessAllowedAce, RtlValidRelativeSecurityDescriptor, RtlMapGenericMask, RtlCopyUnicodeString, NtSetInformationFile, NtQueryInformationFile, RtlAppendUnicodeStringToString, RtlAppendUnicodeToString, NtWaitForSingleObject, NtQueryDirectoryFile, NtDeleteFile, NtSetInformationProcess, RtlUnhandledExceptionFilter, NtSetEvent, RtlGetAce, RtlQueryInformationAcl, RtlGetDaclSecurityDescriptor, RtlAllocateHeap, RtlCreateSecurityDescriptor, RtlSetDaclSecurityDescriptor, RtlConvertSharedToExclusive, RtlConvertExclusiveToShared, RtlRegisterWait, RtlGetNtProductType, RtlEqualUnicodeString, RtlLengthSid, RtlCopySid, RtlUnicodeStringToAnsiString, RtlInitAnsiString, RtlAnsiStringToUnicodeString, RtlNewSecurityObject, RtlAddAce, RtlSetOwnerSecurityDescriptor, RtlSetGroupSecurityDescriptor, RtlSetSaclSecurityDescriptor, RtlSubAuthorityCountSid, NtOpenDirectoryObject, NtQueryDirectoryObject, RtlCompareUnicodeString, NtLoadDriver, NtUnloadDriver, RtlExpandEnvironmentStrings_U, RtlAdjustPrivilege, NtFlushKey, NtOpenFile, RtlDosPathNameToNtPathName_U, NtOpenSymbolicLinkObject, NtQuerySymbolicLinkObject, RtlFreeUnicodeString, RtlAreAllAccessesGranted, NtDeleteObjectAuditAlarm, NtCloseObjectAuditAlarm, RtlQueueWorkItem, RtlCopyLuid, RtlDeregisterWait, RtlReleaseResource, RtlAcquireResourceExclusive, RtlAcquireResourceShared, RtlInitializeResource, RtlDeleteSecurityObject, RtlLockBootStatusData, RtlGetSetBootStatusData, RtlUnlockBootStatusData, NtInitializeRegistry, NtQueryKey, NtClose, RtlInitUnicodeString, NtSetSystemEnvironmentValue, RtlNtStatusToDosError, NtShutdownSystem, RtlSetSecurityObject, RtlMakeSelfRelativeSD, RtlInitializeSid, RtlLengthRequiredSid, RtlSubAuthoritySid, NtSetSecurityObject

> USERENV.dll: UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW, DestroyEnvironmentBlock

> SCESRV.dll: ScesrvInitializeServer, ScesrvTerminateServer

> umpnpmgr.dll: RegisterScmCallback, PNP_SetActiveService, PNP_GetDeviceRegProp, PNP_GetDeviceListSize, PNP_GetDeviceList, PNP_HwProfFlags, RegisterServiceNotification, DeleteServicePlugPlayRegKeys

> NCObjAPI.DLL: WmiSetAndCommitObject, WmiEventSourceConnect, WmiCreateObjectWithFormat

 

( 0 exports )


AhnLab-V3 2008.10.10.1 2008.10.10 -

AntiVir 7.8.1.34 2008.10.10 -

Authentium 5.1.0.4 2008.10.11 -

Avast 4.8.1248.0 2008.10.10 -

AVG 8.0.0.161 2008.10.10 -

BitDefender 7.2 2008.10.11 -

CAT-QuickHeal 9.50 2008.10.10 -

ClamAV 0.93.1 2008.10.10 -

DrWeb 4.44.0.09170 2008.10.10 -

eSafe 7.0.17.0 2008.10.08 -

eTrust-Vet 31.6.6141 2008.10.10 -

Ewido 4.0 2008.10.10 -

F-Prot 4.4.4.56 2008.10.10 -

F-Secure 8.0.14332.0 2008.10.11 -

Fortinet 3.113.0.0 2008.10.10 -

GData 19 2008.10.10 -

Ikarus T3.1.1.34.0 2008.10.10 -

K7AntiVirus 7.10.490 2008.10.10 -

Kaspersky 7.0.0.125 2008.10.11 -

McAfee 5403 2008.10.11 -

Microsoft 1.4005 2008.10.11 -

Norman 5.80.02 2008.10.10 -

Panda 9.0.0.4 2008.10.10 -

PCTools 4.4.2.0 2008.10.10 -

Prevx1 V2 2008.10.11 -

Rising 20.65.42.00 2008.10.10 -

SecureWeb-Gateway 6.7.6 2008.10.10 -

Sophos 4.34.0 2008.10.10 -

Sunbelt 3.1.1715.1 2008.10.10 -

Symantec 10 2008.10.11 -

TheHacker 6.3.1.0.106 2008.10.10 -

TrendMicro 8.700.0.1004 2008.10.10 -

VBA32 3.12.8.6 2008.10.10 -

ViRobot 2008.10.10.1416 2008.10.10 -

VirusBuster 4.5.11.0 2008.10.10 -

Additional information

File size: 502272 bytes

MD5...: 01c3346c241652f43aed8e2149881bfe

SHA1..: a5396141cab8b22d9d88b28a814089537dce366a

SHA256: affd0973cd3128083417d407f62bc4a635fc25b65dbf52e91d3ab4ae2f9c1b4a

SHA512: c2b4a1fe29b84b0dfd062de79db83ef85ecb238184957649512a951e5abed874776f0b7c128cb33cd7cbb540d68ecac3a5ab09291fccecb64660b1a874e44090

PEiD..: -

TrID..: File type identification

Win64 Executable Generic (80.9%)

Win32 Executable Generic (8.0%)

Win32 Dynamic Link Library (generic) (7.1%)

Generic Win/DOS Executable (1.8%)

DOS Executable Generic (1.8%)

PEInfo: PE Structure information

 

( base data )

entrypointaddress.: 0x103d353

timedatestamp.....: 0x41107edc (Wed Aug 04 06:14:52 2004)

machinetype.......: 0x14c (I386)

 

( 3 sections )

name viradd virsiz rawdsiz ntrpy md5

.text 0x1000 0x6f288 0x6f400 6.82 5a133ab60f38b5d739d86c8290fa5a3c

.data 0x71000 0x4d90 0x2000 6.20 baa64d00a5f8a540a38a60d2aff66f30

.rsrc 0x76000 0x9030 0x9200 3.62 b93cbbc049130e1bad3ea13d7512c074

 

( 20 imports )

> ADVAPI32.dll: ConvertStringSecurityDescriptorToSecurityDescriptorA, A_SHAInit, A_SHAUpdate, A_SHAFinal, LsaStorePrivateData, LsaRetrievePrivateData, LsaNtStatusToWinError, CryptGetUserKey, CryptGetKeyParam, CryptEncrypt, CryptSetProvParam, CryptSignHashW, CryptDeriveKey, CryptGetProvParam, RegOpenCurrentUser, RegDeleteKeyW, AddAccessAllowedAceEx, RegSetKeySecurity, I_ScSendTSMessage, MD5Init, MD5Update, MD5Final, SetFileSecurityA, AllocateLocallyUniqueId, LsaOpenPolicy, LsaQueryInformationPolicy, LsaFreeMemory, LsaClose, RegNotifyChangeKeyValue, QueryServiceConfigW, SetKernelObjectSecurity, ConvertStringSecurityDescriptorToSecurityDescriptorW, RegEnumKeyExW, GetCurrentHwProfileW, RegCloseKey, RegQueryValueExW, RegOpenKeyW, FreeSid, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, AddAccessAllowedAce, InitializeAcl, GetLengthSid, AllocateAndInitializeSid, RegOpenKeyExW, CreateProcessAsUserW, DuplicateTokenEx, CloseServiceHandle, ControlService, StartServiceW, QueryServiceStatus, OpenServiceW, OpenSCManagerW, EqualSid, GetTokenInformation, RegSetValueExW, RegCreateKeyExW, CryptGenRandom, CryptDestroyHash, CryptVerifySignatureW, CryptSetHashParam, CryptGetHashParam, CryptHashData, CryptCreateHash, CryptDecrypt, ReportEventW, RegisterEventSourceW, CryptImportKey, CryptAcquireContextW, CryptReleaseContext, CryptDestroyKey, RegEnumValueW, RegQueryInfoKeyW, RegDeleteValueW, CredFree, CredDeleteW, CredEnumerateW, CopySid, GetSidLengthRequired, GetSidSubAuthority, GetSidSubAuthorityCount, GetUserNameW, OpenThreadToken, EnumServicesStatusW, ImpersonateLoggedOnUser, RegQueryValueExA, CheckTokenMembership, DeregisterEventSource, LsaGetUserName, RevertToSelf, LookupAccountSidW, IsValidSid, SetTokenInformation, LogonUserW, LookupAccountNameW, OpenProcessToken, SynchronizeWindows31FilesAndWindowsNTRegistry, QueryWindows31FilesMigration, AdjustTokenPrivileges, RegQueryInfoKeyA

> AUTHZ.dll: AuthzInitializeResourceManager, AuthzAccessCheck, AuthziFreeAuditEventType, AuthziInitializeAuditEvent, AuthziInitializeAuditParams, AuthziInitializeAuditEventType, AuthziLogAuditEvent, AuthzFreeAuditEvent, AuthzFreeResourceManager, AuthzFreeHandle

> CRYPT32.dll: CryptImportPublicKeyInfo, CryptVerifyMessageSignature, CertCreateCertificateContext, CertSetCertificateContextProperty, CertVerifyCertificateChainPolicy, CryptSignMessage, CertCloseStore, CertComparePublicKeyInfo, CryptExportPublicKeyInfo, CertFindExtension, CryptDecryptMessage, CertGetCertificateContextProperty, CertAddCertificateContextToStore, CertOpenStore, CertVerifySubjectCertificateContext, CertGetIssuerCertificateFromStore, CertDuplicateCertificateContext, CertFreeCertificateContext, CertEnumCertificatesInStore, CryptImportPublicKeyInfoEx

> GDI32.dll: RemoveFontResourceW, AddFontResourceW

> KERNEL32.dll: WTSGetActiveConsoleSessionId, GetTimeFormatW, GetUserDefaultLCID, FileTimeToSystemTime, FileTimeToLocalFileTime, GetProcAddress, LoadLibraryW, GetModuleHandleW, SystemTimeToFileTime, GetSystemTime, SetLastError, TerminateProcess, GetCurrentProcess, CreateTimerQueueTimer, CreateThread, lstrcpynW, GetShortPathNameW, GetProfileStringW, FreeLibrary, ReleaseSemaphore, CreateSemaphoreW, GetSystemInfo, GetComputerNameW, GetEnvironmentVariableW, WaitForSingleObjectEx, LoadResource, FindResourceW, SetThreadExecutionState, DeleteTimerQueueTimer, ResetEvent, GetSystemDirectoryW, TransactNamedPipe, SetNamedPipeHandleState, GetTickCount, CreateFileW, GlobalGetAtomNameW, VirtualLock, VirtualQuery, GetDriveTypeW, Beep, OpenMutexW, QueueUserWorkItem, LeaveCriticalSection, EnterCriticalSection, DisconnectNamedPipe, SearchPathW, lstrcatW, LocalReAlloc, ExpandEnvironmentStringsW, TerminateThread, ResumeThread, GetDiskFreeSpaceExW, GlobalMemoryStatusEx, DeleteFileW, WriteProfileStringW, ReadFile, FindVolumeClose, FindNextVolumeW, FindFirstVolumeW, FormatMessageW, SetPriorityClass, MoveFileExW, WaitForMultipleObjectsEx, GetExitCodeProcess, SleepEx, InterlockedExchange, FindClose, FindFirstFileW, GetWindowsDirectoryW, SetTimerQueueTimer, GetComputerNameA, GetVersionExW, VerSetConditionMask, WriteFile, WaitNamedPipeW, WaitForMultipleObjects, ConnectNamedPipe, DuplicateHandle, OpenProcess, GetOverlappedResult, GetVersionExA, lstrcmpW, SetEnvironmentVariableW, UnregisterWait, CreateNamedPipeW, CreateRemoteThread, CreateActCtxW, GetModuleFileNameW, ExitProcess, LoadLibraryExW, SetErrorMode, SetUnhandledExceptionFilter, GetPrivateProfileStringW, LocalSize, VirtualAlloc, VirtualQueryEx, DebugBreak, CreateFileA, InitializeCriticalSection, ProcessIdToSessionId, SetInformationJobObject, AssignProcessToJobObject, TerminateJobObject, PostQueuedCompletionStatus, PulseEvent, GetQueuedCompletionStatus, CreateIoCompletionPort, CreateJobObjectW, ActivateActCtx, DeactivateActCtx, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, GetSystemTimeAsFileTime, UnhandledExceptionFilter, GetModuleHandleA, GetStartupInfoA, GetCurrentProcessId, SetThreadPriority, GetCurrentThreadId, lstrcmpiW, GetProfileIntW, LoadLibraryExA, lstrcpyW, lstrlenW, Sleep, LocalAlloc, CreateEventW, GetExitCodeThread, SetThreadAffinityMask, GetProcessAffinityMask, CreateWaitableTimerW, CreateMutexW, OpenEventW, RegisterWaitForSingleObject, WaitForSingleObject, CreateProcessW, SetWaitableTimer, ReleaseMutex, SetEvent, UnregisterWaitEx, CloseHandle, lstrlenA, lstrcpyA, MultiByteToWideChar, GetACP, WideCharToMultiByte, HeapAlloc, GetProcessHeap, HeapFree, lstrcpynA, UnmapViewOfFile, MapViewOfFile, CreateFileMappingW, lstrcmpiA, GetFileSize, SetFilePointer, GlobalAlloc, GlobalFree, GetLastError, LocalFree, lstrcatA, lstrcmpA, GetLogicalDriveStringsA, GetDriveTypeA, GetVolumeInformationW, GlobalMemoryStatus, CreateMutexA, FindResourceExW, LockResource, SizeofResource, VerifyVersionInfoW, GetSystemDirectoryA, GetCurrentThread, DelayLoadFailureHook, BaseInitAppcompatCacheSupport, OpenProfileUserMapping, CloseProfileUserMapping, BaseCleanupAppcompatCacheSupport, InitializeCriticalSectionAndSpinCount, VirtualProtect, CreateEventA, TlsSetValue, DeleteCriticalSection, TlsGetValue, TlsAlloc, VirtualFree, TlsFree

> msvcrt.dll: _vsnwprintf, wcslen, wcsncpy, wcsstr, atoi, wcstok, memmove, wcschr, swprintf, swscanf, _local_unwind2, _wcslwr, wcscmp, _snwprintf, malloc, _c_exit, _exit, _XcptFilter, _cexit, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, [email protected]@Z, [email protected]@Z, __CxxFrameHandler, _itow, _snprintf, _wtol, _strnicmp, sscanf, wcstombs, sprintf, strchr, strncmp, atof, _ftol, isspace, __set_app_type, wcscpy, _controlfp, wcsncmp, _wcsupr, ceil, wcscat, _except_handler3, free, _wcsicmp

> NDdeApi.dll: -, -, -, -

> ntdll.dll: RtlAllocateHeap, NtPowerInformation, NtSetSystemPowerState, NtRaiseHardError, RtlDeleteCriticalSection, NtOpenSymbolicLinkObject, NtReplyPort, NtCompleteConnectPort, NtReplyWaitReceivePort, NtAcceptConnectPort, NtCreatePort, RtlConvertSidToUnicodeString, RtlFreeUnicodeString, NtLockProductActivationKeys, RtlTimeToTimeFields, NtUnmapViewOfSection, NtMapViewOfSection, NtOpenSection, NtQuerySymbolicLinkObject, NtQueryVolumeInformationFile, NtSetSecurityObject, RtlAdjustPrivilege, NtOpenFile, NtFsControlFile, RtlAllocateAndInitializeSid, RtlDestroyEnvironment, RtlFreeHeap, NtQueryInformationToken, NtShutdownSystem, RtlEnterCriticalSection, RtlLeaveCriticalSection, RtlInitializeCriticalSection, RtlCreateEnvironment, RtlQueryEnvironmentVariable_U, RtlSetEnvironmentVariable, RtlInitUnicodeString, NtOpenKey, NtQueryValueKey, RtlSubAuthoritySid, RtlInitializeSid, RtlLengthRequiredSid, NtAllocateLocallyUniqueId, RtlGetDaclSecurityDescriptor, RtlCopySid, RtlLengthSid, NtSetInformationThread, NtDuplicateToken, NtDuplicateObject, RtlEqualSid, RtlSetDaclSecurityDescriptor, NtClose, RtlOpenCurrentUser, RtlCreateSecurityDescriptor, RtlAddAce, RtlCreateAcl, RtlNtStatusToDosError, NtOpenDirectoryObject, NtQuerySystemInformation, NtCreateEvent, NtCreatePagingFile, RtlDosPathNameToNtPathName_U, RtlRegisterWait, NtSetValueKey, NtCreateKey, RtlTimeToSecondsSince1980, NtQuerySystemTime, NtPrivilegeObjectAuditAlarm, NtPrivilegeCheck, NtOpenThreadToken, NtOpenProcessToken, RtlUnhandledExceptionFilter, NtQueryInformationProcess, DbgBreakPoint, RtlCheckProcessParameters, RtlSetThreadIsCritical, RtlSetProcessIsCritical, RtlInitString, NtInitiatePowerAction, DbgPrint, NtFilterToken, NtQueryInformationJobObject, NtOpenEvent, RtlGetAce, RtlQueryInformationAcl, NtQuerySecurityObject, RtlCompareUnicodeString, NtSetInformationProcess

> PROFMAP.dll: InitializeProfileMappingApi, RemapAndMoveUserW

> PSAPI.DLL: EnumProcesses, EnumProcessModules, GetModuleBaseNameW

> REGAPI.dll: RegDefaultUserConfigQueryW, RegUserConfigQuery

> RPCRT4.dll: RpcServerRegisterIfEx, RpcServerUseProtseqEpW, RpcImpersonateClient, I_RpcMapWin32Status, RpcServerRegisterIf, RpcGetAuthorizationContextForClient, RpcFreeAuthorizationContext, RpcServerListen, RpcRevertToSelf, NdrServerCall2, UuidCreate

> Secur32.dll: GetUserNameExW, LsaLookupAuthenticationPackage, LsaRegisterLogonProcess, LsaCallAuthenticationPackage

> SETUPAPI.dll: SetupDiDestroyDeviceInfoList, SetupDiEnumDeviceInfo, SetupDiGetClassDevsW, SetupDiGetDeviceRegistryPropertyW

> USER32.dll: SetFocus, EnumWindows, CreateWindowStationW, RegisterLogonProcess, RecordShutdownReason, LoadLocalFonts, UnhookWindowsHook, SetWindowsHookW, GetWindowTextW, CallNextHookEx, DialogBoxParamW, GetWindowPlacement, GetSystemMenu, DeleteMenu, SetWindowPlacement, SetUserObjectInformationW, GetAsyncKeyState, PostThreadMessageW, SetUserObjectSecurity, CreateDesktopW, KillTimer, GetMessageTime, SetLogonNotifyWindow, UnlockWindowStation, SetTimer, ReplyMessage, UnregisterHotKey, RegisterHotKey, OpenInputDesktop, GetUserObjectInformationW, CloseDesktop, RegisterDeviceNotificationW, SetThreadDesktop, CreateWindowExW, GetMessageW, TranslateMessage, RegisterWindowMessageW, SetCursor, DefWindowProcW, FindWindowW, MessageBoxW, SendNotifyMessageW, PostQuitMessage, MsgWaitForMultipleObjects, GetWindowRect, GetSystemMetrics, PeekMessageW, DispatchMessageW, SetProcessWindowStation, UpdateWindow, ShowWindow, SetWindowPos, PostMessageW, ExitWindowsEx, EnumDisplayMonitors, SystemParametersInfoW, GetDlgItem, SendMessageW, CreateDialogParamW, DestroyWindow, GetWindowLongW, GetDlgItemTextW, EndDialog, SetWindowLongW, LoadStringW, SetWindowTextW, SetDlgItemTextW, wsprintfW, wsprintfA, LockWindowStation, MBToWCSEx, SetWindowStationUser, UpdatePerUserSystemParameters, DialogBoxIndirectParamW, wvsprintfW, SetLastErrorEx, LoadCursorW, CheckDlgButton, IsDlgButtonChecked, RegisterClassW, CloseWindowStation, LoadImageW, GetParent, GetKeyState, GetDesktopWindow, SetForegroundWindow, SwitchDesktop, OpenDesktopW

> USERENV.dll: WaitForUserPolicyForegroundProcessing, GetAllUsersProfileDirectoryW, -, -, -, -, WaitForMachinePolicyForegroundProcessing, -, -, -, UnloadUserProfile, LoadUserProfileW, GetUserProfileDirectoryW, RegisterGPNotification, CreateEnvironmentBlock, DestroyEnvironmentBlock, UnregisterGPNotification, -

> VERSION.dll: GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

> WINSTA.dll: WinStationRequestSessionsList, WinStationQueryLogonCredentialsW, WinStationIsHelpAssistantSession, WinStationAutoReconnect, _WinStationWaitForConnect, WinStationDisconnect, _WinStationCallback, WinStationNameFromLogonIdW, _WinStationFUSCanRemoteUserDisconnect, WinStationEnumerate_IndexedW, WinStationGetMachinePolicy, WinStationQueryInformationW, WinStationFreeMemory, WinStationReset, _WinStationNotifyDisconnectPipe, WinStationConnectW, WinStationSetInformationW, WinStationShutdownSystem, WinStationCheckLoopBack, _WinStationNotifyLogon, _WinStationNotifyLogoff

> WINTRUST.dll: CryptCATCatalogInfoFromContext, CryptCATAdminCalcHashFromFileHandle, CryptCATAdminAcquireContext, CryptCATAdminEnumCatalogFromHash, CryptCATAdminReleaseCatalogContext, WTHelperProvDataFromStateData, WinVerifyTrust, WTHelperGetProvSignerFromChain, CryptCATAdminReleaseContext

> WS2_32.dll: -, getaddrinfo, -

 

( 0 exports )

 

ThreatExpert info: http://www.threatexpert.com/report.aspx?md...aed8e2149881bfe


AhnLab-V3 2008.10.10.1 2008.10.10 -

AntiVir 7.8.1.34 2008.10.10 -

Authentium 5.1.0.4 2008.10.11 -

Avast 4.8.1248.0 2008.10.10 -

AVG 8.0.0.161 2008.10.10 -

BitDefender 7.2 2008.10.11 -

CAT-QuickHeal 9.50 2008.10.10 -

ClamAV 0.93.1 2008.10.10 -

DrWeb 4.44.0.09170 2008.10.10 -

eSafe 7.0.17.0 2008.10.08 -

eTrust-Vet 31.6.6141 2008.10.10 -

Ewido 4.0 2008.10.10 -

F-Prot 4.4.4.56 2008.10.10 -

F-Secure 8.0.14332.0 2008.10.11 -

Fortinet 3.113.0.0 2008.10.10 -

GData 19 2008.10.11 -

Ikarus T3.1.1.34.0 2008.10.10 -

K7AntiVirus 7.10.490 2008.10.10 -

Kaspersky 7.0.0.125 2008.10.11 -

McAfee 5403 2008.10.11 -

Microsoft 1.4005 2008.10.11 -

NOD32 3513 2008.10.10 -

Norman 5.80.02 2008.10.10 -

Panda 9.0.0.4 2008.10.10 -

PCTools 4.4.2.0 2008.10.10 -

Prevx1 V2 2008.10.11 -

Rising 20.65.42.00 2008.10.10 -

SecureWeb-Gateway 6.7.6 2008.10.10 -

Sophos 4.34.0 2008.10.10 -

Sunbelt 3.1.1715.1 2008.10.10 -

Symantec 10 2008.10.11 -

TheHacker 6.3.1.0.106 2008.10.10 -

TrendMicro 8.700.0.1004 2008.10.10 -

VBA32 3.12.8.6 2008.10.10 -

ViRobot 2008.10.10.1416 2008.10.10 -

VirusBuster 4.5.11.0 2008.10.10 -

Additional information

File size: 14336 bytes

MD5...: 8f078ae4ed187aaabc0a305146de6716

SHA1..: da0ff4006859a7580aba81f486f692dead2014fe

SHA256: 16593943861d03d508f37f60e41240dee14221e76f625835487f73d5010ac18a

SHA512: 2f82c39b6c151d52cba42357e867910732a930a6055f6a1506d20c1044e88e6f2cc2027a291c2ab98e21c2b35c2a957c3f5034bf975527001d927c5504776105

PEiD..: -

TrID..: File type identification

Win32 Executable Generic (42.3%)

Win32 Dynamic Link Library (generic) (37.6%)

Generic Win/DOS Executable (9.9%)

DOS Executable Generic (9.9%)

Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

PEInfo: PE Structure information

 

( base data )

entrypointaddress.: 0x1002509

timedatestamp.....: 0x41107ed6 (Wed Aug 04 06:14:46 2004)

machinetype.......: 0x14c (I386)

 

( 3 sections )

name viradd virsiz rawdsiz ntrpy md5

.text 0x1000 0x2c00 0x2c00 6.29 6fc4d075dfb37185ffae8eacb467b822

.data 0x4000 0x1f0 0x200 1.61 553c0ebbbc67abab785f2065a062b522

.rsrc 0x5000 0x418 0x600 2.54 2997285df9158db5a62ffb42a2fd0d07

 

( 4 imports )

> ADVAPI32.dll: RegQueryValueExW, SetSecurityDescriptorDacl, SetEntriesInAclW, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, InitializeSecurityDescriptor, GetTokenInformation, OpenProcessToken, OpenThreadToken, SetServiceStatus, RegisterServiceCtrlHandlerW, RegCloseKey, RegOpenKeyExW, StartServiceCtrlDispatcherW

> KERNEL32.dll: HeapFree, GetLastError, WideCharToMultiByte, lstrlenW, LocalFree, GetCurrentProcess, GetCurrentThread, GetProcAddress, LoadLibraryExW, LeaveCriticalSection, HeapAlloc, EnterCriticalSection, LCMapStringW, FreeLibrary, lstrcpyW, ExpandEnvironmentStringsW, lstrcmpiW, ExitProcess, GetCommandLineW, InitializeCriticalSection, GetProcessHeap, SetErrorMode, SetUnhandledExceptionFilter, RegisterWaitForSingleObject, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, UnhandledExceptionFilter, LocalAlloc, lstrcmpW, DelayLoadFailureHook

> ntdll.dll: NtQuerySecurityObject, RtlFreeHeap, NtOpenKey, wcscat, wcscpy, RtlAllocateHeap, RtlCompareUnicodeString, RtlInitUnicodeString, RtlInitializeSid, RtlLengthRequiredSid, RtlSubAuthoritySid, NtClose, RtlSubAuthorityCountSid, RtlGetDaclSecurityDescriptor, RtlQueryInformationAcl, RtlGetAce, RtlImageNtHeader, wcslen, RtlUnhandledExceptionFilter, RtlCopySid

> RPCRT4.dll: RpcServerUnregisterIfEx, RpcMgmtWaitServerListen, RpcMgmtSetServerStackSize, RpcServerUnregisterIf, RpcServerListen, RpcServerUseProtseqEpW, RpcServerRegisterIf, I_RpcMapWin32Status, RpcMgmtStopServerListening

 

( 0 exports )

 

ThreatExpert info: http://www.threatexpert.com/report.aspx?md...c0a305146de6716


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:52:18 PM, on 10/10/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Fantastic Flame Screensaver\FantasticFlameAgent.exe

C:\Program Files\internet explorer\iexplore.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKUS\S-1-5-21-1482476501-1972579041-839522115-1003\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe" (User '?')

O4 - HKUS\S-1-5-21-1482476501-1972579041-839522115-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')

O4 - HKUS\S-1-5-21-1482476501-1972579041-839522115-1003\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')

O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')

O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')

O4 - Global Startup: Fantastic Flame Agent.lnk = C:\Program Files\Fantastic Flame Screensaver\FantasticFlameAgent.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://www.download.com

O15 - Trusted Zone: *.download.com

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1159208668211

O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

 

--

End of file - 6994 bytes


Besides my computer not liking Katy Perry, it seems to be getting better.

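The helper's next reply judges the three scan reports pasted above by eye: a result column of "-" for every engine means no detection, and the hash block identifies exactly which file was scanned. The following script, added here as an example and not part of the original thread or of any tool mentioned in it, does that reading mechanically for a report in the same text layout. It collects each "engine version updated result" line, the MD5/SHA1/SHA256/SHA512 lines (re-joining a SHA512 that the paste wrapped onto a second line, as happened above), the "File size" line and the "> DLL: functions" import lists, then reports the detection count and any digest whose length is wrong, which is the usual sign of a truncated paste. SAMPLE_REPORT is constructed for this example; its hashes are placeholders and do not belong to any real file.

```python
"""Triage a pasted VirusTotal-style text report (added example, not from the thread).

Parses the layout seen above: one "engine version updated result" line per
scanner, the "Additional information" hash lines (SHA512 wrapped onto a second
line), and "> DLL: func, func" import lists.  It answers what a helper checks
first: did any engine flag the file, and are the pasted hashes complete.
SAMPLE_REPORT is constructed for this example; its hashes are placeholders.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ENGINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+)$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\.*:\s*([0-9a-fA-F]+)$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
IMPORT_RE = re.compile(r"^>\s*([^:\s]+):\s*(.*)$")
SIZE_RE = re.compile(r"^File size:\s*(\d+)\s*bytes$")
EXPECTED_HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


@dataclass
class Report:
    engines: Dict[str, str] = field(default_factory=dict)        # engine -> result; "-" is clean
    hashes: Dict[str, str] = field(default_factory=dict)         # algorithm -> lowercase hex
    imports: Dict[str, List[str]] = field(default_factory=dict)  # dll -> imported names
    file_size: Optional[int] = None

    def detections(self) -> Dict[str, str]:
        return {eng: res for eng, res in self.engines.items() if res != "-"}

    def bad_hashes(self) -> List[str]:
        """Algorithms whose digest has the wrong length (truncated or mis-pasted)."""
        return [a for a, h in self.hashes.items() if len(h) != EXPECTED_HEX_LEN[a]]


def parse_report(text: str) -> Report:
    rep = Report()
    pending = None  # algorithm whose digest may continue on the next non-blank line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # the pasted layout puts a blank line between every record
        m = HASH_RE.match(line)
        if m:
            rep.hashes[m.group(1)] = m.group(2).lower()
            pending = m.group(1)
            continue
        if pending and HEX_RE.match(line):
            rep.hashes[pending] += line.lower()  # wrapped tail of the previous digest
            continue
        pending = None
        if (m := SIZE_RE.match(line)):
            rep.file_size = int(m.group(1))
        elif (m := IMPORT_RE.match(line)):
            rep.imports[m.group(1)] = [f for f in m.group(2).split(", ") if f]
        elif (m := ENGINE_RE.match(line)):
            engine, _version, _updated, result = m.groups()
            rep.engines[engine] = result.strip()
    return rep


def summarize(rep: Report) -> dict:
    det = rep.detections()
    return {"engines": len(rep.engines), "detections": len(det), "verdicts": det,
            "bad_hashes": rep.bad_hashes(), "dlls": sorted(rep.imports)}


# Constructed sample in the layout of the reports above (placeholder hashes;
# the MD5 is deliberately one digit short to show the completeness check).
_HEX16 = "0123456789abcdef"
SAMPLE_REPORT = f"""
AhnLab-V3 2008.10.10.1 2008.10.10 -

Kaspersky 7.0.0.125 2008.10.11 Trojan-Downloader.WMA.Wimad.n

Prevx1 V2 2008.10.11 -

Symantec 10 2008.10.11 -

Additional information

File size: 14336 bytes

MD5...: 00112233445566778899aabbccdde

SHA1..: {_HEX16 * 2}01234567

SHA256: {_HEX16 * 4}

SHA512: {_HEX16 * 4}

{_HEX16 * 4}

PEiD..: -

( 2 imports )

> ADVAPI32.dll: RegQueryValueExW, OpenProcessToken

> KERNEL32.dll: HeapFree, GetLastError

( 0 exports )
"""

if __name__ == "__main__":
    print(summarize(parse_report(SAMPLE_REPORT)))
```

Feed it the text of one report at a time (each report starts with its engine table and ends with the "( 0 exports )" line), and compare the digests it returns against the ones the poster was asked to submit before trusting a "clean" verdict: a clean table for the wrong file, or for a truncated hash, proves nothing.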

Besides my computer not liking Katy Perry, it seems to be getting better

OK, you got me... what is or who is Katy Perry?

 

OK, from what I see now, the logs are in much better shape.

 

Files I requested scanned came back clean from what I can tell.

 

Post back once more and let me know what issues remain.


Sorry. She sings the song I Kissed A Girl. I noticed something deleted that song.

 

Everything seems fine now except Device Manager is empty and I cannot find Plug and Play. I went to the HP website and was finding out how to get all of it back, but I have to enable Plug and Play, and the closest thing is Universal Plug and Play, but they said not to use that. Don't know what to do about it.

 

And before I forget THANK YOU SO MUCH!!!


She sings the song I Kissed A Girl. I noticed something deleted that song.

C:\Documents and Settings\Admin\Shared\i kissed girl remix katy perry.mp3 Infected: Trojan-Downloader.WMA.Wimad.n 1

Don't know where you downloaded it from but it was infected and removed.

 

Don't miss or skip this next step; it removes bad files from quarantine, clears the System Restore cache and creates a new Restore point.

 

[*] Click START then RUN

[*] Now type Combofix /u in the run box and click OK. Note the space between the x and the /u; it needs to be there.

 

Example below (screenshot not preserved)

Everything seems fine now except Device Manager is empty and I cannot find Plug and Play. I went to the HP website and was finding out how to get all of it back, but I have to enable Plug and Play, and the closest thing is Universal Plug and Play, but they said not to use that. Don't know what to do about it.

Sounds like you're having a hardware issue here, which I won't be much help with.

 

Start - Run - (type) cmd - Enter

This will bring up a DOS-style box with a blinking cursor.

 

At the blinking cursor, type:

chkdsk /f /r - Enter <--- notice the required space before the "/"s.

 

CHECKDISK will inform you that it cannot be run because files are in use/locked, etc. and will invite you to allow CHECKDISK to run the next time you reboot your machine.

 

Type "Y" for yes, and then reboot.

 

The scans will take about 30-40 minutes, after which your machine will complete its boot into Windows.

You may be good-to-go after the CHKDSK, if it finds any bad-clusters and moves files to known good areas of your hard drive. However, if CHKDSK does find bad-clusters and moves files, it may be necessary to run CHKDSK a 2nd and even 3rd time, until all the bad-clusters are found and all of the affected files are safely moved.

 

 

Next:

 

Run System File Checker (to identify and replace any missing or corrupted Windows system files)

 

Start - Run - (type)sfc /scannow - Enter <-- notice the required space before the "/"

 

Let the above run then defragment your machine.

 

 

The above may or may not be of much help. What I can do from here is suggest you visit our User to User forum Here and let the tech guys there help.

And before I forget THANK YOU SO MUCH!!!

You are very welcome.

Let's try this

 

 

1. Click Start, click Run, type services.msc, and then click OK.

2. Double-click Plug and Play.

 

If you receive a Configuration Manager message, click OK.

3. In the Startup Type list, click Automatic, and then click OK.

4. Close Services.

5. Restart the computer.

Check the computer for the errors you mentioned earlier.

 

 

If no joy

 

 

Go to Start > Run, then copy and paste these commands one at a time and press OK after each.

 

sc start PlugPlay

 

sc query PlugPlay

 

If the query does not show "STATE : 4 RUNNING", let me know.

If it shows running, check the device manager again to see if it is populated.

 

Highlight and copy the contents of the code box below.

rem change to the desktop so plugplay.txt is saved there
cd /d "%USERPROFILE%\Desktop"
rem dump the Plug and Play service's registry key to a text file
reg query HKLM\SYSTEM\CurrentControlSet\Services\PlugPlay>plugplay.txt
rem open the dump in Notepad, then close this command window
start notepad plugplay.txt
exit

Click Start then Run and type cmd then hit Enter to open a command window.

Right click in the command window and select Paste.

The command will execute quickly then the command window will close and a log will open in notepad.

Please post the contents of that log.

 

Note - the log is named plugplay.txt and a copy will be on your desktop.

 

 

 

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

 

Please download AproposFix from here:

http://swandog46.geekstogo.com/aproposfix.exe

 

Save it to your desktop but do NOT run it yet.

 

Then please reboot your computer in Safe Mode by doing the following:

1) Restart your computer

2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.

3) Instead of Windows loading as normal, a menu should appear

4) Select the first option, to run Windows in Safe Mode.

 

 

Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

 

When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.

 

 

 

 

NEXT**

Download Registry Search and doubleclick to start it.

Enter "adchannel" in the edit and click "Ok". Notepad will be opened with text in it (the file will be saved in the program's folder as well). Post this text.

Edited by Juliet

Welcome back

How about the rest of what I posted?

Highlight and copy the contents of the code box below.

cd desktop
reg query HKLM\SYSTEM\CurrentControlSet\Services\PlugPlay>plugplay.txt
start notepad plugplay.txt
exit
cls

Click Start then Run and type cmd then hit Enter to open a command window.

Right click in the command window and select Paste.

The command will execute quickly, then the command window will close and a log will open in notepad.

Please post the contents of that log.

Note - the log is named plugplay.txt and a copy will be on your desktop.

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download AproposFix from here:

http://swandog46.geekstogo.com/aproposfix.exe

Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:

1) Restart your computer

2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.

3) Instead of Windows loading as normal, a menu should appear

4) Select the first option, to run Windows in Safe Mode.

Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.

NEXT**

Download Registry Search and save it to the desktop, then double-click to start it.

Enter "adchannel" in the edit and click "Ok". Notepad will be opened with text in it (the file will be saved in the program's folder as well). Post this text.

Post:

Apropos log.txt

Reg Search.txt

HijackThis log


Ok, I hope I did these right. There was nothing in the Plugplay log.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:07:46 PM, on 10/15/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\system32\userinit.exe

C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Fantastic Flame Screensaver\FantasticFlameAgent.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')

O4 - Global Startup: Fantastic Flame Agent.lnk = C:\Program Files\Fantastic Flame Screensaver\FantasticFlameAgent.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://www.download.com

O15 - Trusted Zone: *.download.com

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1159208668211

O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

 

--

End of file - 6853 bytes

Windows Registry Editor Version 5.00

 

; Registry Search 2.0 by Bobbi Flekman © 2005

; Version: 2.0.5.0

 

; Results at 10/15/2008 3:11:05 PM for strings:

; 'adchannel'

; Strings excluded from search:

; (None)

; Search in:

; Registry Keys Registry Values Registry Data

; HKEY_LOCAL_MACHINE HKEY_USERS

 

 

; End Of The Log...


I see you have updated to SP3. Since doing a reboot, this did not help anything?

Searching back over the logs, I don't see a log for

Please download AproposFix from here:

http://swandog46.geekstogo.com/aproposfix.exe

Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:

1) Restart your computer

2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.

3) Instead of Windows loading as normal, a menu should appear

4) Select the first option, to run Windows in Safe Mode.

Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.

Let's do this

Download and install SubInACL from Microsoft.

Close out all other programs and open windows.

Highlight and copy the contents of the code box below.

cd /d "%ProgramFiles%\Windows Resource Kits\Tools"
subinacl /subkeyreg HKEY_LOCAL_MACHINE /owner=administrators /grant=administrators=f /grant=system=f /grant=RESTRICTED=r
subinacl /subkeyreg HKEY_CURRENT_USER /owner=administrators /grant=administrators=f /grant=system=f /grant=RESTRICTED=r
subinacl /subkeyreg HKEY_CLASSES_ROOT /owner=administrators /grant=administrators=f /grant=system=f /grant=RESTRICTED=r
subinacl /subdirectories %SystemDrive% /grant=administrators=f /grant=system=f
subinacl /subdirectories %windir%\*.* /grant=administrators=f /grant=system=f
secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose
exit
cls

Click Start>Run and type cmd then hit enter to open a command window.

Right click in the command window and select paste.

It will take a while for the commands to process, so please be patient.

The command window should close on its own when finished.

Reboot for the changes to take effect.

Then please run this again

Go to Start > Run > then copy and paste these commands one at a time and press OK after each

sc start PlugPlay

sc query PlugPlay

If the query does not show "State": 4 running, let me know.

If it shows running, check the device manager again to see if it is populated.

Please read over the below link, which applies to a few things that might be Norton-related.

Empty Device Manager and No Network Connections After Installing Windows XP SP3 with Symantec SymProtect On

http://www.mydigitallife.info/2008/07/12/e...-symprotect-on/

In your next reply post:

Aproposfix log.txt

New HJT log

Let me know how things are at the moment.


I did the start and query PlugPlay thing. A black screen flashed real quick for both and that was it. Query didn't show "State": 4.

 

I did what they said on that website and nothing happened when I clicked on the Fixccs.exe file.

 

Here are the other logs.

 

 

 

Log of AproposFix v1.1

 

************

 

Running from directory:

C:\Documents and Settings\Admin\Desktop\aproposfix

 

************

 

 

 

Registry entries found:

 

 

************

 

No service found!

 

Removing hidden folder:

No folder found!

 

Deleting files:

 

 

Backing up files:

Done!

 

Removing registry entries:

 

REGEDIT4

 

 

Done!

 

Finished!

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:55:02 PM, on 10/15/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Fantastic Flame Screensaver\FantasticFlameAgent.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')

O4 - Global Startup: Fantastic Flame Agent.lnk = C:\Program Files\Fantastic Flame Screensaver\FantasticFlameAgent.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://www.download.com

O15 - Trusted Zone: *.download.com

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1159208668211

O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

 

--

End of file - 6868 bytes


Let's try this and post the log it produces

Download driver_service_info.exe and save it to your desktop.

Double click the file to start the tool.

Press any key at the first screen.

At the Menu screen, press S then hit Enter.

Next press B and Enter.

At the next screen press N then Enter. ServiceGroup and LoadOrderGroup are not needed.

A log will open now. Please post its contents.

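The report the tool produces can be read by script rather than by eye. The following is an added example (not the forum post's code, nor driver_service_info's own): it parses the report's section and record layout, answers the question the thread keeps coming back to (is PlugPlay running, inactive, or missing), groups the running services by the svchost process that hosts them, and flags processes whose image path the tool could not read. SAMPLE_REPORT is a constructed excerpt in the same layout; its PlugPlay entry is invented for the demonstration.

```python
"""Triage a driver_service_info 'Service Information report' (added example, not
the tool's own code). Layout as quoted in the thread: '~~~Title~~~' headers, then
blank-line-separated 'Key: value' records, a process record opening with a bare
image-name line. SAMPLE_REPORT is a constructed excerpt; its PlugPlay entry is invented."""
import re
from collections import defaultdict

SAMPLE_REPORT = """\
~~~Running Processes~~~

svchost.exe
PID: 1036
Path:
Parent PID: 776

svchost.exe
PID: 1152
Path: C:\\WINDOWS\\System32\\svchost.exe
Parent PID: 776

~~~Running Services Configuration~~~

PID: 1036
Service: RpcSs
Displayed: Remote Procedure Call (RPC)
Image: C:\\WINDOWS\\system32\\svchost -k rpcss
Start Mode: Auto

PID: 1152
Service: CryptSvc
Displayed: Cryptographic Services
Image: C:\\WINDOWS\\system32\\svchost.exe -k netsvcs
Start Mode: Auto

PID: 1152
Service: Dhcp
Displayed: DHCP Client
Image: C:\\WINDOWS\\System32\\svchost.exe -k netsvcs
Start Mode: Auto

~~~Inactive Services Configuration~~~

Service: PlugPlay
Displayed: Plug and Play
Path: C:\\WINDOWS\\system32\\services.exe
Start Mode: Disabled
"""

SECTION_RE = re.compile(r"^~~~\s*(.*?)\s*~~~\s*$", re.M)
KEYS = {"PID", "Path", "Parent PID", "Service", "Displayed", "Image", "Start Mode"}
SVCHOST_RE = re.compile(r"svchost(?:\.exe)?\s+-k\s+(\S+)", re.I)

def records(body):
    """Yield one dict per blank-line-separated record; a line without a known
    'Key:' prefix (the process image name) is stored under 'name'."""
    for chunk in re.split(r"\n\s*\n", body.strip()):
        rec = {}
        for line in chunk.splitlines():
            key, sep, val = line.partition(":")
            if sep and key.strip() in KEYS:
                rec[key.strip()] = val.strip()
            elif line.strip():
                rec["name"] = line.strip()
        if rec:
            yield rec

def parse_report(report):
    """Return (processes by PID, running services, inactive services) as raw records."""
    parts = SECTION_RE.split(report)  # [preamble, title, body, title, body, ...]
    sec = {parts[i]: parts[i + 1] for i in range(1, len(parts) - 1, 2)}
    procs = {int(r["PID"]): r for r in records(sec.get("Running Processes", ""))}
    running = {r["Service"]: r for r in records(sec.get("Running Services Configuration", ""))}
    inactive = {r["Service"]: r for r in records(sec.get("Inactive Services Configuration", ""))}
    return procs, running, inactive

def service_status(name, running, inactive):
    """The check the thread applies to PlugPlay: ('running' or 'inactive', start
    mode), or ('absent', None) when the report lists no such service at all."""
    if name in running:
        return "running", running[name]["Start Mode"]
    if name in inactive:
        return "inactive", inactive[name]["Start Mode"]
    return "absent", None

def svchost_groups(running):
    """Map each svchost host PID to its -k group and the services it hosts."""
    groups = defaultdict(lambda: {"group": "", "services": []})
    for svc, info in sorted(running.items()):
        m = SVCHOST_RE.search(info["Image"])
        if m:
            groups[int(info["PID"])]["group"] = m.group(1).lower()
            groups[int(info["PID"])]["services"].append(svc)
    return dict(groups)

def unresolved_paths(procs):
    """PIDs whose image path the tool could not read (0 and 4 never have one)."""
    return sorted(pid for pid, p in procs.items() if pid > 4 and not p.get("Path"))
```

Run against a real report, a service reported as "inactive" with a start mode other than Auto, or as "absent" altogether, is the same finding the helper is asking the sc query command to confirm.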

~~~ Service Information report ~~~

 

Microsoft Windows XP Professional

Service Pack 3

5.1.2600

 

10/15/2008 11:35:55 PM

 

 

~~~Running Processes~~~

 

System Idle Process

PID: 0

Path:

Parent PID: 0

 

System

PID: 4

Path:

Parent PID: 0

 

smss.exe

PID: 648

Path: C:\WINDOWS\System32\smss.exe

Parent PID: 4

 

csrss.exe

PID: 704

Path:

Parent PID: 648

 

winlogon.exe

PID: 732

Path: C:\WINDOWS\system32\winlogon.exe

Parent PID: 648

 

services.exe

PID: 776

Path: C:\WINDOWS\system32\services.exe

Parent PID: 732

 

lsass.exe

PID: 788

Path: C:\WINDOWS\system32\lsass.exe

Parent PID: 732

 

svchost.exe

PID: 952

Path: C:\WINDOWS\system32\svchost.exe

Parent PID: 776

 

svchost.exe

PID: 1036

Path:

Parent PID: 776

 

svchost.exe

PID: 1152

Path: C:\WINDOWS\System32\svchost.exe

Parent PID: 776

 

svchost.exe

PID: 1260

Path:

Parent PID: 776

 

svchost.exe

PID: 1372

Path:

Parent PID: 776

 

ccSetMgr.exe

PID: 1416

Path: C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

Parent PID: 776

 

ccEvtMgr.exe

PID: 1444

Path: C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

Parent PID: 776

 

LEXBCES.EXE

PID: 1996

Path: C:\WINDOWS\system32\LEXBCES.EXE

Parent PID: 776

 

LEXPPS.EXE

PID: 2028

Path: C:\WINDOWS\system32\LEXPPS.EXE

Parent PID: 1996

 

navapsvc.exe

PID: 1228

Path: C:\Program Files\Norton AntiVirus\navapsvc.exe

Parent PID: 776

 

explorer.exe

PID: 1352

Path: C:\WINDOWS\Explorer.EXE

Parent PID: 1312

 

NPFMntor.exe

PID: 1392

Path: C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

Parent PID: 776

 

svchost.exe

PID: 1592

Path: C:\WINDOWS\System32\svchost.exe

Parent PID: 776

 

alg.exe

PID: 548

Path:

Parent PID: 776

 

jusched.exe

PID: 1328

Path: C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

Parent PID: 1352

 

iexplore.exe

PID: 1784

Path: C:\Program Files\internet explorer\iexplore.exe

Parent PID: 1352

 

DesktopWeather.exe

PID: 1800

Path: C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe

Parent PID: 1352

 

ctfmon.exe

PID: 1336

Path: C:\WINDOWS\system32\ctfmon.exe

Parent PID: 1352

 

FantasticFlameAgent.exe

PID: 1580

Path: C:\Program Files\Fantastic Flame Screensaver\FantasticFlameAgent.exe

Parent PID: 1352

 

wuauclt.exe

PID: 2444

Path: C:\WINDOWS\system32\wuauclt.exe

Parent PID: 1152

 

driver_service_info.exe

PID: 2728

Path: C:\Documents and Settings\Admin\Desktop\driver_service_info.exe

Parent PID: 1352

 

cmd.exe

PID: 1148

Path: C:\WINDOWS\system32\cmd.exe

Parent PID: 2728

 

wmiprvse.exe

PID: 2880

Path:

Parent PID: 952

 

cscript.exe

PID: 2704

Path: C:\WINDOWS\system32\cscript.exe

Parent PID: 1148

 

findstr.exe

PID: 2912

Path: C:\WINDOWS\system32\findstr.exe

Parent PID: 1148

 

 

~~~Running Services by PID~~~

 

PID: 548

Application Layer Gateway Service

PID: 1444

Symantec Event Manager

PID: 1416

Symantec Settings Manager

PID: 1152

Cryptographic Services

DHCP Client

Error Reporting Service

COM+ Event System

Fast User Switching Compatibility

Help and Support

Server

Workstation

Network Connections

Network Location Awareness (NLA)

Removable Storage

Secondary Logon

System Event Notification

Windows Firewall/Internet Connection Sharing (ICS)

Shell Hardware Detection

System Restore Service

Themes

Distributed Link Tracking Client

TuneUp Theme Extension

Windows Time

Windows Management Instrumentation

Security Center

Automatic Updates

Wireless Zero Configuration

PID: 952

DCOM Server Process Launcher

Terminal Services

PID: 1260

DNS Client

PID: 1996

LexBce Server

PID: 1372

TCP/IP NetBIOS Helper

Remote Registry

WebClient

PID: 1228

Norton AntiVirus Auto-Protect Service

PID: 1392

Norton AntiVirus Firewall Monitor Service

PID: 1036

Remote Procedure Call (RPC)

PID: 1592

Windows Image Acquisition (WIA)

 

 

~~~Running Services Configuration~~~

 

PID: 548

Service: ALG

Displayed: Application Layer Gateway Service

Image: C:\WINDOWS\System32\alg.exe

Start Mode: Manual

 

PID: 1444

Service: ccEvtMgr

Displayed: Symantec Event Manager

Image: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

Start Mode: Auto

 

PID: 1416

Service: ccSetMgr

Displayed: Symantec Settings Manager

Image: "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"

Start Mode: Auto

 

PID: 1152

Service: CryptSvc

Displayed: Cryptographic Services

Image: C:\WINDOWS\system32\svchost.exe -k netsvcs

Start Mode: Auto

 

PID: 952

Service: DcomLaunch

Displayed: DCOM Server Process Launcher

Image: C:\WINDOWS\system32\svchost -k DcomLaunch

Start Mode: Auto

 

PID: 1152

Service: Dhcp

Displayed: DHCP Client

Image: C:\WINDOWS\System32\svchost.exe -k netsvcs

Start Mode: Auto

 

PID: 1260

Service: Dnscache

Displayed: DNS Client

Image: C:\WINDOWS\System32\svchost.exe -k NetworkService

Start Mode: Auto

 

PID: 1152

Service: ERSvc

Displayed: Error Reporting Service

Image: C:\WINDOWS\System32\svchost.exe -k netsvcs

Start Mode: Auto

 

PID: 1152

Service: EventSystem

Displayed: COM+ Event System

Image: C:\WINDOWS\System32\svchost.exe -k netsvcs

Start Mode: Manual

 

PID: 1152

Service: FastUserSwitchingCompatibility

Displayed: Fast User Switching Compatibility

Image: C:\WINDOWS\System32\svchost.exe -k netsvcs

Start Mode: Manual

 

PID: 1152

Service: helpsvc

Displayed: Help and Support

Image: C:\WINDOWS\System32\svchost.exe -k netsvcs

Start Mode: Auto

 

PID: 1152

Service: lanmanserver

Displayed: Server

Image: C:\WINDOWS\system32\svchost.exe -k netsvcs

Start Mode: Auto

 

PID: 1152

Service: lanmanworkstation

Displayed: Workstation

Image: C:\WINDOWS\System32\svchost.exe -k netsvcs

Start Mode: Auto

 

PID: 1996

Service: LexBceS

Displayed: LexBce Server

Image: C:\WINDOWS\system32\LEXBCES.EXE

Start Mode: Auto

 

PID: 1372

Service: LmHosts

Displayed: TCP/IP NetBIOS Helper

Image: C:\WINDOWS\system32\svchost.exe -k LocalService

Start Mode: Auto

 

PID: 1228

Service: navapsvc

Displayed: Norton AntiVirus Auto-Protect Service

Image: "C:\Program Files\Norton AntiVirus\navapsvc.exe"

Start Mode: Auto

 

PID: 1152

Service: Netman

Displayed: Network Connections

Image: C:\WINDOWS\System32\svchost.exe -k netsvcs

Start Mode: Manual

 

PID: 1152

Service: Nla

Displayed: Network Location Awareness (NLA)

Image: C:\WINDOWS\System32\svchost.exe -k netsvcs

Start Mode: Manual

 

PID: 1392

Service: NPFMntor

Displayed: Norton AntiVirus Firewall Monitor Service

Image: "C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe"

Start Mode: Auto

 

PID: 1152

Service: NtmsSvc

Displayed: Removable Storage

Image: C:\WINDOWS\system32\svchost.exe -k netsvcs

Start Mode: Auto

 

PID: 1372

Service: RemoteRegistry

Displayed: Remote Registry

Image: C:\WINDOWS\system32\svchost.exe -k LocalService

Start Mode: Auto

 

PID: 1036

Service: RpcSs

Displayed: Remote Procedure Call (RPC)

Image: C:\WINDOWS\system32\svchost -k rpcss

Start Mode: Auto

 

PID: 1152

Service: seclogon

Displayed: Secondary Logon

Image: C:\WINDOWS\System32\svchost.exe -k netsvcs

Start Mode: Auto

 

PID: 1152

Service: SENS

Displayed: System Event Notification

Image: C:\WINDOWS\system32\svchost.exe -k netsvcs

Start Mode: Auto

 

PID: 1152

Service: SharedAccess

Displayed: Windows Firewall/Internet Connection Sharing (ICS)

Image: C:\WINDOWS\System32\svchost.exe -k netsvcs

Start Mode: Auto

 

PID: 1152

Service: ShellHWDetection

Displayed: Shell Hardware Detection

Image: C:\WINDOWS\System32\svchost.exe -k netsvcs

Start Mode: Auto

 

PID: 1152

Service: srservice

Displayed: System Restore Service

Image: C:\WINDOWS\System32\svchost.exe -k netsvcs

Start Mode: Auto

 

PID: 1592

Service: stisvc

Displayed: Windows Image Acquisition (WIA)

Image: C:\WINDOWS\System32\svchost.exe -k imgsvc

Start Mode: Auto

 

PID: 952

Service: TermService

Displayed: Terminal Services

Image: C:\WINDOWS\System32\svchost -k DComLaunch

Start Mode: Manual

 

PID: 1152

Service: Themes

Displayed: Themes

Image: C:\WINDOWS\System32\svchost.exe -k netsvcs

Start Mode: Auto

 

PID: 1152

Service: TrkWks

Displayed: Distributed Link Tracking Client

Image: C:\WINDOWS\system32\svchost.exe -k netsvcs

Start Mode: Auto

 

PID: 1152

Service: UxTuneUp

Displayed: TuneUp Theme Extension

Image: C:\WINDOWS\System32\svchost.exe -k netsvcs

Start Mode: Auto

 

PID: 1152

Service: W32Time

Displayed: Windows Time

Image: C:\WINDOWS\System32\svchost.exe -k netsvcs

Start Mode: Auto

 

PID: 1372

Service: WebClient

Displayed: WebClient

Image: C:\WINDOWS\System32\svchost.exe -k LocalService

Start Mode: Auto

 

PID: 1152

Service: winmgmt

Displayed: Windows Management Instrumentation

Image: C:\WINDOWS\system32\svchost.exe -k netsvcs

Start Mode: Auto

 

PID: 1152

Service: wscsvc

Displayed: Security Center

Image: C:\WINDOWS\System32\svchost.exe -k netsvcs

Start Mode: Auto

 

PID: 1152

Service: wuauserv

Displayed: Automatic Updates

Image: C:\WINDOWS\system32\svchost.exe -k netsvcs

Start Mode: Auto

 

PID: 1152

Service: WZCSVC

Displayed: Wireless Zero Configuration

Image: C:\WINDOWS\System32\svchost.exe -k netsvcs

Start Mode: Auto

 

 

~~~Inactive Services Configuration~~~

 

Service: Alerter

Displayed: Alerter

Path: C:\WINDOWS\System32\svchost.exe -k LocalService

Start Mode: Disabled

 

Service: Apple Mobile Device

Displayed: Apple Mobile Device

Path: "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"

Start Mode: Auto

 

Service: AppMgmt

Displayed: Application Management

Path: C:\WINDOWS\system32\svchost.exe -k netsvcs

Start Mode: Manual

 

Service: aspnet_state

Displayed: ASP.NET State Service

Path: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe

Start Mode: Manual

 

Service: AudioSrv

Displayed: Windows Audio

Path: C:\WINDOWS\System32\svchost.exe -k netsvcs

Start Mode: Auto

 

Service: BITS

Displayed: Background Intelligent Transfer Service

Path: C:\WINDOWS\system32\svchost.exe -k netsvcs

Start Mode: Manual

 

Service: Browser

Displayed: Computer Browser

Path: C:\WINDOWS\system32\svchost.exe -k netsvcs

Start Mode: Auto

 

Service: ccPwdSvc

Displayed: Symantec Password Validation

Path: "C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe"

Start Mode: Manual

 

Service: cisvc

Displayed: Indexing Service

Path: C:\WINDOWS\system32\cisvc.exe

Start Mode: Manual

 

Service: ClipSrv

Displayed: ClipBook

Path: C:\WINDOWS\system32\clipsrv.exe

Start Mode: Manual

 

Service: clr_optimization_v2.0.50727_32

Displayed: .NET Runtime Optimization Service v2.0.50727_X86

Path: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Start Mode: Manual

 

Service: COMSysApp

Displayed: COM+ System Application

Path: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}

Start Mode: Manual

 

Service: dmadmin

Displayed: Logical Disk Manager Administrative Service

Path: C:\WINDOWS\System32\dmadmin.exe /com

Start Mode: Manual

 

Service: dmserver

Displayed: Logical Disk Manager

Path: C:\WINDOWS\System32\svchost.exe -k netsvcs

Start Mode: Auto

 

Service: Dot3svc

Displayed: Wired AutoConfig

Path: C:\WINDOWS\System32\svchost.exe -k dot3svc

Start Mode: Manual

 

Service: EapHost

Displayed: Extensible Authentication Protocol Service

Path: C:\WINDOWS\System32\svchost.exe -k eapsvcs

Start Mode: Manual

 

Service: gusvc

Displayed: Google Updater Service

Path: "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"

Start Mode: Manual

 

Service: HidServ

Displayed: Human Interface Device Access

Path: C:\WINDOWS\System32\svchost.exe -k netsvcs

Start Mode: Disabled

 

Service: hkmsvc

Displayed: Health Key and Certificate Management Service

Path: C:\WINDOWS\System32\svchost.exe -k netsvcs

Start Mode: Manual

 

Service: HTTPFilter

Displayed: HTTP SSL

Path: C:\WINDOWS\System32\svchost.exe -k HTTPFilter

Start Mode: Manual

 

Service: IDriverT

Displayed: InstallDriver Table Manager

Path: "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"

Start Mode: Manual

 

Service: ImapiService

Displayed: IMAPI CD-Burning COM Service

Path: C:\WINDOWS\system32\imapi.exe

Start Mode: Manual

 

Service: iPod Service

Displayed: iPod Service

Path: "C:\Program Files\iPod\bin\iPodService.exe"

Start Mode: Manual

 

Service: Messenger

Displayed: Messenger

Path: C:\WINDOWS\system32\svchost.exe -k netsvcs

Start Mode: Auto

 

Service: mnmsrvc

Displayed: NetMeeting Remote Desktop Sharing

Path: C:\WINDOWS\System32\mnmsrvc.exe

Start Mode: Manual

 

Service: MSDTC

Displayed: Distributed Transaction Coordinator

Path: C:\WINDOWS\System32\msdtc.exe

Start Mode: Manual

 

Service: MSIServer

Displayed: Windows Installer

Path: C:\WINDOWS\system32\msiexec.exe /V

Start Mode: Manual

 

Service: napagent

Displayed: Network Access Protection Agent

Path: C:\WINDOWS\System32\svchost.exe -k netsvcs

Start Mode: Manual

 

Service: NetDDE

Displayed: Network DDE

Path: C:\WINDOWS\system32\netdde.exe

Start Mode: Manual

 

Service: NetDDEdsdm

Displayed: Network DDE DSDM

Path: C:\WINDOWS\system32\netdde.exe

Start Mode: Manual

 

Service: ose

Displayed: Office Source Engine

Path: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

Start Mode: Manual

 

Service: RasAuto

Displayed: Remote Access Auto Connection Manager

Path: C:\WINDOWS\System32\svchost.exe -k netsvcs

Start Mode: Manual

 

Service: RasMan

Displayed: Remote Access Connection Manager

Path: C:\WINDOWS\System32\svchost.exe -k netsvcs

Start Mode: Manual

 

Service: RDSessMgr

Displayed: Remote Desktop Help Session Manager

Path: C:\WINDOWS\system32\sessmgr.exe

Start Mode: Manual

 

Service: RemoteAccess

Displayed: Routing and Remote Access

Path: C:\WINDOWS\System32\svchost.exe -k netsvcs

Start Mode: Disabled

 

Service: RpcLocator

Displayed: Remote Procedure Call (RPC) Locator

Path: C:\WINDOWS\System32\locator.exe

Start Mode: Manual

 

Service: RSVP

Displayed: QoS RSVP

Path: C:\WINDOWS\System32\rsvp.exe

Start Mode: Manual

 

Service: SAVScan

Displayed: SAVScan

Path: "C:\Program Files\Norton AntiVirus\SAVScan.exe"

Start Mode: Manual

 

Service: SBService

Path: C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

Start Mode: Auto

 

Service: SCardSvr

Displayed: Smart Card

Path: C:\WINDOWS\System32\SCardSvr.exe

Start Mode: Manual

 

Service: Schedule

Displayed: Schedule

Path: C:\WINDOWS\System32\svchost.exe -k netsvcs

Start Mode: Auto

 

Service: sdAuxService

Displayed: PC Tools Auxiliary Service

Path: C:\Program Files\Spyware Doctor\pctsAuxs.exe

Start Mode: Manual

 

Service: sdCoreService

Displayed: PC Tools Security Service

Path: C:\Program Files\Spyware Doctor\pctsSvc.exe

Start Mode: Manual

 

Service: SNDSrvc

Displayed: Symantec Network Drivers Service

Path: "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"

Start Mode: Manual

 

Service: SPBBCSvc

Displayed: Symantec SPBBCSvc

Path: "C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe"

Start Mode: Manual

 

Service: spupdsvc

Displayed: Windows Service Pack Installer update service

Path: C:\WINDOWS\system32\spupdsvc.exe

Start Mode: Auto

 

Service: SSDPSRV

Displayed: SSDP Discovery Service

Path: C:\WINDOWS\System32\svchost.exe -k LocalService

Start Mode: Manual

 

Service: SwPrv

Displayed: MS Software Shadow Copy Provider

Path: C:\WINDOWS\System32\dllhost.exe /Processid:{597E1045-09A8-46B3-8475-3688E6D04A9F}

Start Mode: Manual

 

Service: Symantec Core LC

Displayed: Symantec Core LC

Path: C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Start Mode: Manual

 

Service: SysmonLog

Displayed: Performance Logs and Alerts

Path: C:\WINDOWS\system32\smlogsvc.exe

Start Mode: Manual

 

Service: TapiSrv

Displayed: Telephony

Path: C:\WINDOWS\System32\svchost.exe -k netsvcs

Start Mode: Manual

 

Service: TlntSvr

Displayed: Telnet

Path: C:\WINDOWS\System32\tlntsvr.exe

Start Mode: Manual

 

Service: UMWdf

Displayed: Windows User Mode Driver Framework

Path: C:\WINDOWS\system32\wdfmgr.exe

Start Mode: Auto

 

Service: upnphost

Displayed: Universal Plug and Play Device Host

Path: C:\WINDOWS\System32\svchost.exe -k LocalService

Start Mode: Manual

 

Service: UPS

Displayed: Uninterruptible Power Supply

Path: C:\WINDOWS\System32\ups.exe

Start Mode: Manual

 

Service: VSS

Displayed: Volume Shadow Copy

Path: C:\WINDOWS\System32\vssvc.exe

Start Mode: Manual

 

Service: WmdmPmSN

Displayed: Portable Media Serial Number Service

Path: C:\WINDOWS\System32\svchost.exe -k netsvcs

Start Mode: Manual

 

Service: Wmi

Displayed: Windows Management Instrumentation Driver Extensions

Path: C:\WINDOWS\System32\svchost.exe -k netsvcs

Start Mode: Manual

 

Service: WmiApSrv

Displayed: WMI Performance Adapter

Path: C:\WINDOWS\System32\wbem\wmiapsrv.exe

Start Mode: Manual

 

Service: xmlprov

Displayed: Network Provisioning Service

Path: C:\WINDOWS\System32\svchost.exe -k netsvcs

Start Mode: Manual

 

 

~~~ svchost Export ~~~

 

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost

LocalService REG_MULTI_SZ

Alerter

WebClient

LmHosts

RemoteRegistry

upnphost

SSDPSRV

NetworkService REG_MULTI_SZ

DnsCache

netsvcs REG_MULTI_SZ

6to4

AppMgmt

AudioSrv

Browser

CryptSvc

DMServer

DHCP

ERSvc

EventSystem

FastUserSwitchingCompatibility

HidServ

Ias

Iprip

Irmon

LanmanServer

LanmanWorkstation

Messenger

Netman

Nla

Ntmssvc

NWCWorkstation

Nwsapagent

Rasauto

Rasman

Remoteaccess

Schedule

Seclogon

SENS

Sharedaccess

SRService

Tapisrv

Themes

TrkWks

UxTuneUp

W32Time

WZCSVC

Wmi

WmdmPmSp

winmgmt

TermService

wuauserv

BITS

ShellHWDetection

helpsvc

WmdmPmSN

xmlprov

wscsvc

napagent

hkmsvc

rpcss REG_MULTI_SZ

RpcSs

imgsvc REG_MULTI_SZ

StiSvc

termsvcs REG_MULTI_SZ

TermService

HTTPFilter REG_MULTI_SZ

HTTPFilter

DcomLaunch REG_MULTI_SZ

DcomLaunch

TermService

eapsvcs REG_MULTI_SZ

eaphost

dot3svc REG_MULTI_SZ

dot3svc

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\DComLaunch

CoInitializeSecurityParam REG_DWORD 0x1

DefaultRpcStackSize REG_DWORD 0x8

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\dot3svc

AuthenticationCapabilities REG_DWORD 0x3020

CoInitializeSecurityParam REG_DWORD 0x1

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\eapsvcs

AuthenticationCapabilities REG_DWORD 0x3020

CoInitializeSecurityParam REG_DWORD 0x1

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\HTTPFilter

CoInitializeSecurityParam REG_DWORD 0x1

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\LocalService

CoInitializeSecurityParam REG_DWORD 0x1

AuthenticationCapabilities REG_DWORD 0x2000

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\netsvcs

CoInitializeSecurityParam REG_DWORD 0x1

AuthenticationCapabilities REG_DWORD 0x3020

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\PCHealth

CoInitializeSecurityParam REG_DWORD 0x2

AuthenticationCapabilities REG_DWORD 0x40

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\termsvcs

CoInitializeSecurityParam REG_DWORD 0x1

DefaultRpcStackSize REG_DWORD 0x8

 

~~~End of Report~~~

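One defender-side check that the service listing and "~~~ svchost Export ~~~" section above make possible, as an added example rather than anything from the thread: parse the "Service:" blocks and the svchost group lists, and report any service whose svchost.exe "-k" group does not actually list it in the registry, since the two registry views should agree. The sample report below is constructed in the page's layout, and "ExampleSvc" is a made-up entry added only to exercise the check.

```python
import re

# Constructed sample in the layout of the thread's report: entries copied from the
# page plus one made-up service, "ExampleSvc", that claims netsvcs without being in it.
REPORT = r"""
Service: winmgmt
Image: C:\WINDOWS\system32\svchost.exe -k netsvcs
Service: ExampleSvc
Image: C:\WINDOWS\system32\svchost.exe -k netsvcs
Service: SSDPSRV
Path: C:\WINDOWS\System32\svchost.exe -k LocalService
~~~ svchost Export ~~~
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost
LocalService REG_MULTI_SZ
SSDPSRV
netsvcs REG_MULTI_SZ
winmgmt
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\netsvcs
"""
SVCHOST_RE = re.compile(r"svchost\.exe\s+-k\s+(\S+)", re.IGNORECASE)

def parse_services(report):
    """Map service name -> Image/Path value from the report's 'Service:' blocks."""
    services, cur = {}, None
    for line in report.partition("~~~ svchost Export ~~~")[0].splitlines():
        key, _, val = line.partition(":")
        if key == "Service":
            cur = val.strip()
        elif cur and key in ("Image", "Path"):
            services[cur] = val.strip()
    return services

def parse_svchost_groups(report):
    """Map svchost group -> member set (lower-cased) from the svchost export."""
    groups, cur = {}, None
    for line in map(str.strip, report.partition("~~~ svchost Export ~~~")[2].splitlines()):
        if line.startswith("~~~") or (line.startswith("HKEY_") and groups):
            break  # per-group subkeys (or end of report): membership lists are done
        if line.endswith(" REG_MULTI_SZ"):
            cur = line[:-len(" REG_MULTI_SZ")].lower()
        elif line and cur is not None:
            groups.setdefault(cur, set()).add(line.lower())
    return groups

def svchost_mismatches(report):
    """Sorted (service, group) pairs whose '-k group' does not list the service."""
    groups = parse_svchost_groups(report)
    return sorted((name, m.group(1)) for name, image in parse_services(report).items()
                  if (m := SVCHOST_RE.search(image))
                  and name.lower() not in groups.get(m.group(1).lower(), set()))
```

Run against the full report in the thread, the same function gives a short list of svchost-hosted services to look at first, instead of reading every block by hand.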

Highlight and copy the contents of the code box below.

@echo off
reg add HKLM\SYSTEM\CurrentControlSet\Services\PlugPlay /f
reg add HKLM\SYSTEM\CurrentControlSet\Services\PlugPlay /v Description /t REG_SZ /d "Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability." /f
reg add HKLM\SYSTEM\CurrentControlSet\Services\PlugPlay /v DisplayName /t REG_SZ /d "Plug and Play" /f
reg add HKLM\SYSTEM\CurrentControlSet\Services\PlugPlay /v ErrorControl /t REG_DWORD /d 1 /f
reg add HKLM\SYSTEM\CurrentControlSet\Services\PlugPlay /v Group /t REG_SZ /d PlugPlay /f
reg add HKLM\SYSTEM\CurrentControlSet\Services\PlugPlay /v ImagePath /t REG_EXPAND_SZ /d %"systemroot"%\system32\services.exe /f
reg add HKLM\SYSTEM\CurrentControlSet\Services\PlugPlay /v ObjectName /t REG_SZ /d LocalSystem /f
reg add HKLM\SYSTEM\CurrentControlSet\Services\PlugPlay /v PlugPlayServiceType /t REG_DWORD /d 3 /f
reg add HKLM\SYSTEM\CurrentControlSet\Services\PlugPlay /v Start /t REG_DWORD /d 2 /f
reg add HKLM\SYSTEM\CurrentControlSet\Services\PlugPlay /v Type /t REG_DWORD /d 32 /f
reg add HKLM\SYSTEM\CurrentControlSet\Services\PlugPlay\Security /f
reg query HKLM\SYSTEM\CurrentControlSet\Services\Spooler\Security | findstr /i "reg_binary" >temp0
for /f "tokens=3" %3 in (temp0) do set num=%3
reg add HKLM\SYSTEM\CurrentControlSet\Services\PlugPlay\Security /v Security /t REG_BINARY  /d %num% /f
del /q temp0
exit
cls
Click Start>Run and type cmd then hit enter to open a command window. Right click in the command window and select paste. The command window will close on its own.

Restart your computer then check the Plug and Play service.
