Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

My PC needs a healing

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

My PC needs a healing

Unread postby ThisIsNotATest » November 3rd, 2007, 2:00 pm

I'm new and a rookie seeking much needed help, I am at my wit's end :shock: and looking for peace for my pc. I have ran some of the suggested online scans and S&D Spybot it appears that it cleaned up a lot of the garbage floating around. However, due to me having so many problems, I guess there is something hiding that hasn't been flushed out. I cannot download any microsoft or windows updates. I'm pretty sure, this is the reason I am infected due to updates not being current.

Thanks in advance for any help you can provide! :lol:

Anyways, here is my HiJack log:


Logfile of HijackThis v1.99.1
Scan saved at 12:42:42 PM, on 11/3/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\System32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\BellSouth Internet Tools\blsloader.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.1.254
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :80
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07DEB156-4FF0-45AC-9AB3-CF5BA6F1A402} - (no file)
O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\BellSouth Internet Tools\blspc.dll
O2 - BHO: (no name) - {23E64CEE-5FC5-47A4-92E6-8F5CE62C67D8} - C:\WINNT\system32\vtutu.dll
O2 - BHO: (no name) - {36C3C907-6601-4D81-9941-18536FF6F333} - (no file)
O2 - BHO: (no name) - {47DA2550-C94B-4DBB-8788-0DC47A255B5B} - (no file)
O2 - BHO: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {E8DBFAED-46E1-46F1-A6A6-5AE0D37D0084} - (no file)
O2 - BHO: (no name) - {F3DD676C-4478-4953-9CD3-25958B163F61} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O3 - Toolbar: (no name) - {ae07101b-46d4-4a98-af68-0333ea26e113} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\BellSouth Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/co ... mHcmsX.CAB
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pe ... stscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {6CCE3920-3183-4B3D-808A-B12EB769DE12} (CSS Web Installer Class) - http://www.commandondemand.com/eval/cod/cabs/cssweb.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/vi ... ebscan.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v ... b56649.cab
O20 - Winlogon Notify: hg - C:\WINNT\
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OracleOraHome90ClientCache - Unknown owner - C:\oracle\ora90\BIN\ONRSD.EXE (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Gencontrol WinVNC temporary service (VNCTEMP) - Unknown owner - C:\VNCTEMP\WinVNC.exe" -service (file missing)
User avatar
ThisIsNotATest
Active Member
 
Posts: 13
Joined: November 1st, 2007, 6:04 pm
Advertisement
Register to Remove

Unread postby Katana » November 8th, 2007, 6:21 am

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D

Fix With HJT
Close all other windows and then start HiJack This
Click Do A System Scan Only
When it has finished scanning put a check next to the following lines
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: (no name) - {07DEB156-4FF0-45AC-9AB3-CF5BA6F1A402} - (no file)
O2 - BHO: (no name) - {23E64CEE-5FC5-47A4-92E6-8F5CE62C67D8} - C:\WINNT\system32\vtutu.dll
O2 - BHO: (no name) - {36C3C907-6601-4D81-9941-18536FF6F333} - (no file)
O2 - BHO: (no name) - {47DA2550-C94B-4DBB-8788-0DC47A255B5B} - (no file)
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - (no file)
O2 - BHO: (no name) - {E8DBFAED-46E1-46F1-A6A6-5AE0D37D0084} - (no file)
O2 - BHO: (no name) - {F3DD676C-4478-4953-9CD3-25958B163F61} - (no file)

O3 - Toolbar: (no name) - {ae07101b-46d4-4a98-af68-0333ea26e113} - (no file)

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O20 - Winlogon Notify: hg - C:\WINNT\

- Close ALL open windows (especially Internet Explorer!)-
Now click Fix checked
Click yes to any prompts
Close HijackThis

VundoFix
Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

SmitFraud Look
Please download SmitfraudFix (by S!Ri)

Double-click SmitfraudFix.exe.
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Logs/Information to Post in Reply
Please post the following logs/Information in your reply
  • Vundo Log
  • SmitFraud Log
  • A fresh HJT log
  • How are things running now ?
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Logfiles processed

Unread postby ThisIsNotATest » November 8th, 2007, 11:22 am

Thanks, Katana for your assistance. Here is the information you requested. Just a few things. Even though you did not tell me, I rebooted after each step. ;)

1. Ran HiJack some items were no longer visible to check
2. Ran Vundo did not find anything so there is no log
3. Ran Smithfraud
4. Ran HiJack produced log but err'd out did not complete - tried running it again and same results so I posted what it did create. I am using the one from the New users forum.




VUNDO:

No files were found, VundoFix V6.5.11 will now close


SMITHFRAUD:

SmitFraudFix v2.250

Scan done at 8:47:38.53, Thu 11/08/2007
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\System32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ctfmon.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\WINNT\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

127.0.0.1 legal-at-spybot.info
127.0.0.1 http://www.legal-at-spybot.info

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/100 VM Network Connection
DNS Server Search Order: 205.152.37.23
DNS Server Search Order: 205.152.132.23

HKLM\SYSTEM\CCS\Services\Tcpip\..\{254F53EE-B5BF-4495-9B2D-57E0B978141F}: DhcpNameServer=205.152.37.23 205.152.132.23
HKLM\SYSTEM\CS1\Services\Tcpip\..\{254F53EE-B5BF-4495-9B2D-57E0B978141F}: DhcpNameServer=205.152.37.23 205.152.132.23
HKLM\SYSTEM\CS2\Services\Tcpip\..\{254F53EE-B5BF-4495-9B2D-57E0B978141F}: DhcpNameServer=205.152.37.23 205.152.132.23
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=205.152.37.23 205.152.132.23
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=205.152.37.23 205.152.132.23
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=205.152.37.23 205.152.132.23


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End




HJT:

Logfile of HijackThis v1.99.1
Scan saved at 8:59:39 AM, on 11/8/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\System32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\explorer.exe
C:\WINNT\System32\cidaemon.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.1.254
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :80
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\BellSouth Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ScreenPrint32] C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKLM\..\Run: [151a1541] rundll32.exe "C:\WINNT\system32\xrxhhaaj.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/co ... mHcmsX.CAB
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pe ... stscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {6CCE3920-3183-4B3D-808A-B12EB769DE12} (CSS Web Installer Class) - http://www.commandondemand.com/eval/cod/cabs/cssweb.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/vi ... ebscan.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v ... b56649.cab
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OracleOraHome90ClientCache - Unknown owner - C:\oracle\ora90\BIN\ONRSD.EXE (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Gencontrol WinVNC temporary service (VNCTEMP) - Unknown owner - C:\VNCTEMP\WinVNC.exe" -service (file missing)

[/b]
User avatar
ThisIsNotATest
Active Member
 
Posts: 13
Joined: November 1st, 2007, 6:04 pm

Unread postby Katana » November 8th, 2007, 12:29 pm

It looks like you have had several infections that have been playing with different settings on your machine.

There is something still hiding :evil:
Please try not to reboot unless I ask you to, some of these nasties change the name of the active file on reboot.

Do you know anything about Gencontrol ?
Have you been getting remote help ?

Download and Run ComboFix
  • Download Combofix from one of the two links below :

    Download 1
    Download 2
  • Then double click combofix.exe & follow the prompts.
  • When finished, it will produce a log for you. Post that log in your next reply
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
ComboFix SHOULD NOT be used without supervision

Rename HJT
Please open your Hijack This folder (C:\Program Files\HijackThis)
  • Right click on Hijackthis.exe
  • Select Rename
  • Rename Hijack This to showme.exe
  • Double click showme
  • Click on the Do a system scan and save a log file button.

Restore Host File

Download HostsXpert v4.1 and unzip it to your desktop.
  • Double click on HostsXpert.exe to launch the program.
  • Click on Restore MS Hosts File to restore your Hosts file to its default condition.
  • Click on Make ReadOnly to secure it against further infection. (unless you plan to use another host file)
  • Exit the program.
Visit the Website for more information.


Logs/Information to Post in Reply
Please post the following logs/Information in your reply
  • ComboFix Log
  • Fresh HJT (showme) log
  • How are things running now ?
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

How long is the combo fix supposed to run?

Unread postby ThisIsNotATest » November 8th, 2007, 1:35 pm

:( for the reboot (rookie mistake). The Combo fix has been running for approximately 30 minutes. The screen is on AutoScan and it says - "A new window shall open to continue the disinfection process". However, a new window has not opened up yet. I have not double-clicked on anything, either.

I do not know what gencontrol is and I have not had any remote access help.

I hope this helps!
User avatar
ThisIsNotATest
Active Member
 
Posts: 13
Joined: November 1st, 2007, 6:04 pm

Unread postby Katana » November 8th, 2007, 1:46 pm

No problem on the reboot issue :)

ComboFix should not take that long ????
Can you close it down ?
Have a look on your C:\ drive, see if there is a file there called Combofix
If it is there please copy the contents here.

Can you rename HJT and post that log for me please.
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

New Logs Processed

Unread postby ThisIsNotATest » November 8th, 2007, 2:15 pm

When I clicked on to try to close ComboFix, it did not respond. I made an attempt to use task manager to do a soft reboot, the screen for task manager never came up. Therefore, I had to do a hard shutdown by powering it off.

Did I still need to try and process the hostsxpert at this time? Thanks...

COMBOFIX:

ComboFix 07-11-08.1 - Administrator 11/08/2007 10:51:02.1 - FAT32x86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.68 [GMT -6:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 11:57, on 2007-11-08
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\System32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ctfmon.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\WINNT\System32\cidaemon.exe
C:\Program Files\HijackThis\showme.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.1.254
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07DEB156-4FF0-45AC-9AB3-CF5BA6F1A402} - (no file)
O2 - BHO: (no name) - {47DA2550-C94B-4DBB-8788-0DC47A255B5B} - (no file)
O2 - BHO: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - (no file)
O2 - BHO: (no name) - {9EE55076-458B-43CB-A6A1-5200AC74BEAC} - C:\WINNT\system32\vtutu.dll (file missing)
O2 - BHO: (no name) - {E8DBFAED-46E1-46F1-A6A6-5AE0D37D0084} - (no file)
O2 - BHO: (no name) - {F3DD676C-4478-4953-9CD3-25958B163F61} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\BellSouth Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ScreenPrint32] C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKLM\..\Run: [151a1541] rundll32.exe "C:\WINNT\system32\xrxhhaaj.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/co ... mHcmsX.CAB
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pe ... stscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {6CCE3920-3183-4B3D-808A-B12EB769DE12} (CSS Web Installer Class) - http://www.commandondemand.com/eval/cod/cabs/cssweb.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/vi ... ebscan.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v ... b56649.cab
O20 - Winlogon Notify: hg - C:\WINNT\
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OracleOraHome90ClientCache - Unknown owner - C:\oracle\ora90\BIN\ONRSD.EXE (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Gencontrol WinVNC temporary service (VNCTEMP) - Unknown owner - C:\VNCTEMP\WinVNC.exe" -service (file missing)




[/b]
User avatar
ThisIsNotATest
Active Member
 
Posts: 13
Joined: November 1st, 2007, 6:04 pm

Re: New Logs Processed

Unread postby Katana » November 8th, 2007, 2:38 pm

ThisIsNotATest wrote:Did I still need to try and process the hostsxpert at this time? Thanks...


yes please :)

Disable Teatimer
First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
Second step, For Either Version :
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • then, also in left panel, click Resident shows a red/white shield.
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.


Fix With HJT
Close all other windows and then start HiJack This
Click Do A System Scan Only
When it has finished scanning put a check next to the following lines
O2 - BHO: (no name) - {07DEB156-4FF0-45AC-9AB3-CF5BA6F1A402} - (no file)
O2 - BHO: (no name) - {47DA2550-C94B-4DBB-8788-0DC47A255B5B} - (no file)
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - (no file)
O2 - BHO: (no name) - {9EE55076-458B-43CB-A6A1-5200AC74BEAC} - C:\WINNT\system32\vtutu.dll (file missing)
O2 - BHO: (no name) - {E8DBFAED-46E1-46F1-A6A6-5AE0D37D0084} - (no file)
O2 - BHO: (no name) - {F3DD676C-4478-4953-9CD3-25958B163F61} - (no file)

O4 - HKLM\..\Run: [151a1541] rundll32.exe "C:\WINNT\system32\xrxhhaaj.dll",b
O20 - Winlogon Notify: hg - C:\WINNT\

O23 - Service: Gencontrol WinVNC temporary service (VNCTEMP) - Unknown owner - C:\VNCTEMP\WinVNC.exe" -service (file missing)

- Close ALL open windows (especially Internet Explorer!)-
Now click Fix checked
Click yes to any prompts
Close HijackThis

OTMoveIt
Please download OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINNT\system32\vtutu.dll
    C:\WINNT\system32\xrxhhaaj.dll
    C:\VNCTEMP\WinVNC.exe

  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Close OTMoveIt
  • Copy and paste the contents of the results box as a reply to this topic

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Please post the OTMoveit Log along with a fresh HJT log in your reply
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Unable to create Host file

Unread postby ThisIsNotATest » November 8th, 2007, 3:08 pm

After processing HJT and Move, I attempted to process the Host and it gave me the following error message: :x

Cannot create file c:\winnt\system32\drivers\etc\hosts



MOVE:

File/Folder C:\WINNT\system32\vtutu.dll not found.
DllUnregisterServer procedure not found in C:\WINNT\system32\xrxhhaaj.dll
C:\WINNT\system32\xrxhhaaj.dll NOT unregistered.
C:\WINNT\system32\xrxhhaaj.dll moved successfully.
C:\VNCTEMP\WinVNC.exe moved successfully.

Created on 11-08-2007 12:56:50

HJT:
Logfile of HijackThis v1.99.1
Scan saved at 12:58, on 2007-11-08
Platform: Windows 2000 SP4 (WinNT

5.00.2195)
MSIE: Internet Explorer v6.00 SP1

(6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec

Shared\ccSetMgr.exe
C:\WINNT\System32\cisvc.exe
C:\Program Files\Symantec

AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec

AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec

AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec

Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ctfmon.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Common

Files\DataViz\DvzIncMsgr.exe
C:\Program Files\ArcSoft\Media Card

Companion\MCC Monitor.exe
C:\WINNT\System32\cidaemon.exe
C:\Program Files\HijackThis\showme.exe

R1 -

HKCU\Software\Microsoft\Windows\CurrentVe

rsion\Internet Settings,AutoConfigURL =

192.168.1.254
R1 -

HKCU\Software\Microsoft\Windows\CurrentVe

rsion\Internet Settings,ProxyServer =

:80
O2 - BHO: Adobe PDF Reader Link Helper -

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -

C:\Program Files\Adobe\Acrobat

7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BellSouth Toolbar -

{4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} -

C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O2 - BHO: Spybot-S&D IE Protection -

{53707962-6F74-2D53-2644-206D7942484F} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class -

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -

C:\Program

Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio

- {8E718888-423F-11D2-876E-00A0C9082467}

- C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: BellSouth Toolbar -

{4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} -

C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O4 - HKLM\..\Run: [blspcloader]

"C:\Program Files\BellSouth Internet

Tools\blsloader.exe"
O4 - HKLM\..\Run: [Synchronization

Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ScreenPrint32]

C:\Program Files\ScreenPrint32

v3\ScreenPrint32.exe -startup
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk

= C:\Program Files\Microsoft

Office\Office10\OSA.EXE
O4 - Global Startup: HotSync Manager.lnk

= C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: DataViz Inc

Messenger.lnk = C:\Program Files\Common

Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: Monitor.lnk =

C:\Program Files\ArcSoft\Media Card

Companion\MCC Monitor.exe
O9 - Extra button: (no name) -

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot -

Search & Destroy Configuration -

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF:

{05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8}

(Office Genuine Advantage Validation

Tool) -

http://go.microsoft.com/fwlink/?linkid=58

813
O16 - DPF:

{0B79F48A-E8D6-11DB-9283-E25056D89593}

(F-Secure Online Scanner 3.1) -

http://support.f-secure.com/ols/fscax.cab
O16 - DPF:

{1EF9F042-C2EB-4293-8213-474CAEEF531D}

(TmHcmsX Control) -

http://www.trendsecure.com/framework/cont

rol/en-US/activex/TmHcmsX.CAB
O16 - DPF:

{56393399-041A-4650-94C7-13DFCB1F4665}

(PSFormX Control) -

http://www.ca.com/us/securityadvisor/pest

scan/pestscan.cab
O16 - DPF:

{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} -

http://download.bitdefender.com/resources

/scan8/oscan8.cab
O16 - DPF:

{6CCE3920-3183-4B3D-808A-B12EB769DE12}

(CSS Web Installer Class) -

http://www.commandondemand.com/eval/cod/c

abs/cssweb.cab
O16 - DPF:

{7B297BFD-85E4-4092-B2AF-16A91B2EA103}

(WScanCtl Class) -

http://www.ca.com/us/securityadvisor/viru

sinfo/webscan.cab
O16 - DPF:

{B8BE5E93-A60C-4D26-A2DC-220313175592}

(MSN Games - Installer) -

http://cdn2.zone.msn.com/binFramework/v10

/ZIntro.cab56649.cab
O20 - Winlogon Notify: NavLogon -

C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: nwprovau -

C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: pcAnywhere Host Service

(awhost32) - Symantec Corporation -

C:\Program

Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager

(ccEvtMgr) - Symantec Corporation -

C:\Program Files\Common Files\Symantec

Shared\ccEvtMgr.exe
O23 - Service: Symantec Password

Validation (ccPwdSvc) - Symantec

Corporation - C:\Program Files\Common

Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager

(ccSetMgr) - Symantec Corporation -

C:\Program Files\Common Files\Symantec

Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus

Definition Watcher (DefWatch) - Symantec

Corporation - C:\Program Files\Symantec

AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager

Administrative Service (dmadmin) -

VERITAS Software Corp. -

C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table

Manager (IDriverT) - Macrovision

Corporation - C:\Program Files\Common

Files\InstallShield\Driver\11\Intel

32\IDriverT.exe
O23 - Service: InCD File System Service

(InCDsrv) - Unknown owner - C:\Program

Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc.

- C:\Program

Files\iPod\bin\iPodService.exe
O23 - Service: OracleOraHome90ClientCache

- Unknown owner -

C:\oracle\ora90\BIN\ONRSD.EXE (file

missing)
O23 - Service: SAVRoam (SavRoam) -

symantec - C:\Program Files\Symantec

AntiVirus\SavRoam.exe
O23 - Service: ServiceLayer - Nokia. -

C:\Program Files\PC Connectivity

Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers

Service (SNDSrvc) - Symantec Corporation

- C:\Program Files\Common Files\Symantec

Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus -

Symantec Corporation - C:\Program

Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Gencontrol WinVNC

temporary service (VNCTEMP) - Unknown

owner - C:\VNCTEMP\WinVNC.exe" -service

(file missing)
User avatar
ThisIsNotATest
Active Member
 
Posts: 13
Joined: November 1st, 2007, 6:04 pm

Unread postby Katana » November 8th, 2007, 5:52 pm

What do you use PC-Anywhere for ?

Deckard's System Scanner
Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post. in your reply



ROOTKIT REVEALER

Please download Rootkit Revealer
Click>>> HERE <<<

Extract it to your desktop.

Double click the rootkitrevealer folder, and double-click rootkitrevealer.exe

Click the Scan button

Don't do anything while it's running ( It makes the log a lot longer than neccessary )

When it's done, go up to File > Save. Choose to save it to your desktop.

Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them in your next reply.
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Logs processed for Deckard & RootKit

Unread postby ThisIsNotATest » November 8th, 2007, 6:37 pm

PC Anywhere is no longer being used. I can remove it, if needed. It was used awhile ago when I had to dial-in to a system at work. But that has been years ago. I guess it did not register when you asked me about remote access. :oops:




Here are the logs you requested:

DSS:

Deckard's System Scanner v20071014.68
Run by Administrator on 2007-11-08 15:55:09
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 80% (more than 75%).
Total Physical Memory: 255 MiB (256 MiB recommended).


-- HijackThis (run as Administrator.exe) ---------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2007-11-08 15:55:36
Platform: Windows 2000 Service Pack 4 (5.00.2195)
MSIE: Internet Explorer (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\system32\SMSS.EXE
C:\WINNT\system32\WINLOGON.EXE
C:\WINNT\system32\SERVICES.EXE
C:\WINNT\system32\LSASS.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\system32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\mstask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\wbem\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\CTFMON.EXE
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.microsoft.com/isapi/redir.dl ... r=iesearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :80
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\Program Files\blstoolbar\blstoolbar.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\Program Files\blstoolbar\blstoolbar.dll
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\BellSouth Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ScreenPrint32] C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKUS\.DEFAULT\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: HotSync Manager.lnk = ?
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: Monitor.lnk = ?
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: C:\WINNT\system32\NWPROVAU.DLL
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/co ... mHcmsX.CAB
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pe ... stscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} () - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {6CCE3920-3183-4B3D-808A-B12EB769DE12} (CSS Web Installer Class) - http://www.commandondemand.com/eval/cod/cabs/cssweb.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/vi ... ebscan.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_02) - http://java.sun.com/update/1.6.0/jinsta ... 586-jc.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v ... b56649.cab
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} (Office Update Installation Engine) - http://office.microsoft.com/officeupdat ... /opuc4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc ... wflash.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O23 - Service: pcAnywhere Host Service (awhost32) - Unknown owner - C:\PROGRAM
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\system32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\PROGRAM
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: OracleOraHome90ClientCache - Unknown owner - C:\oracle\ora90\BIN\ONRSD.EXE
O23 - Service: SavRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Gencontrol WinVNC temporary service (VNCTEMP) - Unknown owner - C:\VNCTEMP\WinVNC.exe


--
End of file - 7805 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~1\backups\) --------------------

backup-20071108-083248-553 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
backup-20071108-083248-471 R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
backup-20071108-083248-250 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
backup-20071108-083248-646 O3 - Toolbar: (no name) - {ae07101b-46d4-4a98-af68-0333ea26e113} - (no file)
backup-20071108-083248-585 O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
backup-20071108-083248-659 O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
backup-20071108-124957-359 O2 - BHO: (no name) - {07DEB156-4FF0-45AC-9AB3-CF5BA6F1A402} - (no file)
backup-20071108-124957-897 O2 - BHO: (no name) - {47DA2550-C94B-4DBB-8788-0DC47A255B5B} - (no file)
backup-20071108-124957-676 O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - (no file)
backup-20071108-124957-886 O2 - BHO: (no name) - {9EE55076-458B-43CB-A6A1-5200AC74BEAC} - C:\WINNT\system32\vtutu.dll (file missing)
backup-20071108-124957-646 O2 - BHO: (no name) - {E8DBFAED-46E1-46F1-A6A6-5AE0D37D0084} - (no file)
backup-20071108-124957-913 O2 - BHO: (no name) - {F3DD676C-4478-4953-9CD3-25958B163F61} - (no file)
backup-20071108-124957-112 O4 - HKLM\..\Run: [151a1541] rundll32.exe "C:\WINNT\system32\xrxhhaaj.dll",b
backup-20071108-124957-781 O20 - Winlogon Notify: hg - C:\WINNT\
backup-20071108-124957-712 O23 - Service: Gencontrol WinVNC temporary service (VNCTEMP) - Unknown owner - C:\VNCTEMP\WinVNC.exe" -service (file missing)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Gernuwa - c:\winnt\system32\drivers\gernuwa.sys <Not Verified; Symantec Corporation; pcAnywhere>
R1 AW_HOST - c:\winnt\system32\drivers\aw_host5.sys <Not Verified; Symantec Corporation; pcAnywhere>
R1 awlegacy - c:\winnt\system32\drivers\awlegacy.sys <Not Verified; Symantec Corporation; pcAnywhere>
R3 Afc (PPdus ASPI Shell) - c:\winnt\system32\drivers\afc.sys <Not Verified; Arcsoft, Inc.; Arcsoft(R) ASPI Shell>
R3 PLUsbbc2 (High-Speed USB Bridge Cable Driver) - c:\winnt\system32\drivers\usbbc2.sys <Not Verified; Prolific Technology Inc.; High Speed USB-USB Bridge Cable Driver>

S3 BrUsbScn (Brother MFC USB Scanner driver) - c:\winnt\system32\drivers\brusbscn.sys <Not Verified; Brother Industries Ltd.; Brother MFL Pro>
S3 catchme - c:\docume~1\admini~1\locals~1\temp\catchme.sys (file missing)
S3 CoachAud (Coach Audio) - c:\winnt\system32\drivers\coachaud.sys <Not Verified; FotoNation Inc.; Audio Port Driver for Digital Camera>
S3 CoachUsb (Coach Digital Camera on USB) - c:\winnt\system32\drivers\coachusb.sys <Not Verified; FotoNation Inc.; USB Class Driver for Digital Camera>
S3 CoachVc (Coach Video Capture) - c:\winnt\system32\drivers\coachvc.sys <Not Verified; FotoNation Inc.; Video Capture Minidriver for Digital Camera>
S3 MREMPR5 (MREMPR5 NDIS Protocol Driver) - c:\program files\common files\motive\mrempr5.sys <Not Verified; Motive, Inc.; Motive Rawether for Windows>
S3 MRENDIS5 (MRENDIS5 NDIS Protocol Driver) - c:\program files\common files\motive\mrendis5.sys <Not Verified; Motive, Inc.; Motive Rawether for Windows>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 awhost32 (pcAnywhere Host Service) - c:\program files\symantec\pcanywhere\awhost32.exe
S3 OracleOraHome90ClientCache - c:\oracle\ora90\bin\onrsd.exe (file missing)
S3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>
S3 VNCTEMP (Gencontrol WinVNC temporary service) - "c:\vnctemp\winvnc.exe" -service (file missing)
S4 NMIndexingService - "c:\program files\common files\ahead\lib\nmindexingservice.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: WAN Miniport (IP)
Device ID: ROOT\MS_NDISWANIP\0001
Manufacturer: Microsoft
Name: WAN Miniport (IP) #2
PNP Device ID: ROOT\MS_NDISWANIP\0001
Service: NdisWan


-- Files created between 2007-10-08 and 2007-11-08 -----------------------------

2007-11-08 08:54:16 71232 --a------ C:\WINNT\system32\hvcdpjmq.exe <Not Verified; ; DDC>
2007-11-08 08:54:11 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_320.dat
2007-11-08 08:50:18 71232 --a------ C:\WINNT\system32\nddyjexl.exe <Not Verified; ; DDC>
2007-11-08 08:47:49 1648 --a------ C:\WINNT\system32\tmp.reg
2007-11-08 08:25:44 71232 --a------ C:\WINNT\system32\iwjesjch.exe <Not Verified; ; DDC>
2007-11-07 07:12:30 71232 --a------ C:\WINNT\system32\gootmifa.exe <Not Verified; ; DDC>
2007-11-07 07:08:23 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_314.dat
2007-11-06 17:32:27 555546 ---h----- C:\WINNT\ShellIconCache
2007-11-05 21:43:06 85568 --a------ C:\WINNT\system32\ixwppnup.dll
2007-11-04 09:53:59 86080 --a------ C:\WINNT\system32\ekmlbncv.dll
2007-11-04 08:18:34 0 d-------- C:\Program Files\Trend Micro
2007-11-03 09:53:10 87616 --a------ C:\WINNT\system32\nngqvydh.dll
2007-10-31 01:03:39 0 d-------- C:\VundoFix Backups
2007-10-30 15:52:22 0 d-------- C:\Documents and Settings\Administrator\.housecall6.6
2007-10-25 18:17:38 0 d-------- C:\Documents and Settings\Administrator\Application Data\NeroVision
2007-10-25 18:16:33 26784 -----n--- C:\WINNT\system32\drivers\incdpass.sys <Not Verified; Ahead Software; InCD>
2007-10-25 18:16:33 85360 -----n--- C:\WINNT\system32\drivers\incdfs.sys
2007-10-25 18:16:31 0 d-------- C:\WINNT\InCD
2007-10-25 18:15:23 89184 -----n--- C:\WINNT\system32\drivers\imagedrv.sys <Not Verified; Ahead Software AG and its licensors; NERO IMAGEDRIVE>
2007-10-25 18:14:56 38912 --a------ C:\WINNT\system32\picn20.dll <Not Verified; Pegasus Imaging Corp.; PEGASUS>
2007-10-25 18:14:53 544768 --a------ C:\WINNT\system32\imagx5.dll <Not Verified; Pegasus Software, LLC; ImagXpress>
2007-10-25 18:14:53 569344 --a------ C:\WINNT\system32\imagr5.dll <Not Verified; Pegasus Software,LLC; ImagXpress>
2007-10-25 18:14:50 155648 --a------ C:\WINNT\system32\NeroCheck.exe <Not Verified; Ahead Software Gmbh; Ahead Software Gmbh NeroCheck>
2007-10-25 18:14:46 0 d-------- C:\Program Files\Ahead
2007-10-25 17:42:19 0 d-------- C:\Documents and Settings\Administrator\Application Data\OfficeUpdate12
2007-10-25 17:41:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-10-25 10:26:48 53248 --a------ C:\WINNT\bdoscandel.exe


-- Find3M Report ---------------------------------------------------------------

2007-10-31 18:20:40 164 --a------ C:\install.dat
2007-09-17 17:40:56 524288 --a------ C:\WINNT\opuc.dll <Not Verified; Microsoft Corporation; 2007 Microsoft Office system>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"blspcloader"="C:\Program Files\BellSouth Internet Tools\blsloader.exe" [06-11-12 15:04 ]
"Synchronization Manager"="mobsync.exe" [03-06-19 14:05 C:\WINNT\system32\mobsync.exe]
"ScreenPrint32"="C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe" [03-05-15 21:36 ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [01-02-20 13:09 C:\WINNT\system32\CTFMON.EXE]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"PcSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
HotSync Manager.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 14:16:08]
DataViz Inc Messenger.lnk - C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe [2006-07-17 18:24:41]
Monitor.lnk - C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe [2007-01-13 22:25:47]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B4870B70-F390-11d2-9FB9-F4ED725EA20D}"= C:\WINNT\System32\NalExpEx.dll [00-11-14 10:45 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwprovau]
nwprovau.dll 06-08-31 23:49 140048 C:\WINNT\system32\NWPROVAU.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, msnsspc.dll, digest.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"




-- Hosts -----------------------------------------------------------------------

127.0.0.1 007guard.com
127.0.0.1 http://www.007guard.com
127.0.0.1 010402.com
127.0.0.1 032439.com
127.0.0.1 http://www.032439.com
127.0.0.1 1001-search.info
127.0.0.1 http://www.1001-search.info
127.0.0.1 100888290cs.com
127.0.0.1 http://www.100888290cs.com
127.0.0.1 100sexlinks.com

7430 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2007-11-08 15:56:17 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows 2000 Professional (build 2195) SP 4.0
Architecture: X86; Language: English

CPU 0: Intel Pentium III processor
Percentage of Memory in Use: 81%
Physical Memory (total/avail): 254.42 MiB / 46.57 MiB
Pagefile Memory (total/avail): 616.66 MiB / 386.83 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1956.61 MiB

A: is Removable (No Media)
C: is Fixed (FAT32) - 18.63 GiB total, 3.42 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST320011A - 18.64 GiB - 1 partition
\PARTITION0 (bootable) - Unknown - 18.64 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=GREENROOM1
ComSpec=C:\WINNT\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\GREENROOM1
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Os2LibPath=C:\WINNT\system32\os2\dll;
Path=C:\WINNT\system32;C:\WINNT;C:\WINNT\system32\wbem;C:\Program Files\PC Connectivity Solution\;C:\oracle\ora90\bin;C:\Program Files\Oracle\jre\1.1.8\bin;C:\PROGRA~1\E!PC;C:\Program Files\Symantec\pcAnywhere\;C:\Program Files\Vantive32;C:\PROGRA~1\MICROS~2\Office
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 10, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=080a
ProgramFiles=C:\Program Files
PROMPT=$P$G
SystemDrive=C:
SystemRoot=C:\WINNT
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=GREENROOM1
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINNT


-- User Profiles ---------------------------------------------------------------

admin (new local, admin)
PinkPanther (admin)
Administrator (admin)
mem-wks-admin
VSACHANT (new local, admin, net ready)
gecranme (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINNT\$NtServicePackUninstall$\spuninst\spuninst.exe
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Reader for Palm OS, 3.05 --> C:\WINNT\IsUninst.exe -f"C:\Program Files\Adobe\Adobe Reader for Palm OS\AcroDesk.isu" -c"C:\Program Files\Adobe\Adobe Reader for Palm OS\unpdf.dll"
Adobe Shockwave Player --> C:\WINNT\system32\MACROMED\SHOCKW~3\UNWISE.EXE C:\WINNT\system32\MACROMED\SHOCKW~3\INSTALL.LOG
Adobe® Photoshop® Album Starter Edition 3.0 --> MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
Ahead InCD --> C:\WINNT\NuNInst.exe /UNINSTALL
Ahead Nero Burning ROM --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Ahead NeroVision Express --> C:\WINNT\UNNeroVision.exe /UNINSTALL
Apple Software Update --> MsiExec.exe /I{492724FC-3B26-46B4-824F-3CE2722D9AA0}
ArcSoft Media Card Companion --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3580211E-3BB7-42C0-ADC3-9A8C1EFFF2CB}\SETUP.EXE" -l0x9
ArcSoft MediaConverter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E5BD1F9C-8BBA-410E-837D-94D523269F8F}\SETUP.EXE" -l0x9
ArcSoft PhotoImpression 5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{93F599DF-519B-4706-A3F1-9530DF2590B4}\SETUP.EXE" -l0x9
BellSouth Pop-Up Catcher --> C:\Program Files\BellSouth Internet Tools\popup-setup.exe -u
BellSouth Toolbar 1.0 --> C:\Program Files\blstoolbar\uninstall.exe -uninstall -prompt
Documents To Go --> MsiExec.exe /X{BDFE199D-E889-4BB6-BECB-C4BDF5700849}
EXPStudio's CD Ripper Burner Converter FREE 4.0 --> C:\WINNT\EXPStudio's CD Ripper Burner Converter FREE 4.0 Uninstaller.exe
HijackThis 1.99.1 --> C:\Program Files\HijackThis\HijackThis.exe /uninstall
Intel(R) PRO Network Connections Drivers --> Prounstl.exe
iTunes --> MsiExec.exe /I{ABCE1C63-56ED-41FF-BEAF-57321F70DC49}
Java(TM) 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
jetAudio Basic --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DF8195AF-8E6F-4487-A0EE-196F7E3F4B8A}\setup.exe" -l0x9 -removeonly
JPEG ReSizer (remove only) --> RunDll32 advpack.dll,LaunchINFSection C:\WINNT\INF\JPEGRzEN.INF, DefaultUninstall.nt
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 2.0 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Microsoft .NET Framework (English) --> MsiExec.exe /X{B43357AA-3A6D-4D94-B56E-43C44D09E548}
Microsoft .NET Framework (English) v1.0.3705 --> C:\WINNT\Microsoft.NET\Framework\Install.exe /u /p Microsoft .NET Framework Full v1.0.3705 (1033)
Microsoft .NET Framework 1.0 Hotfix (KB928367) --> "C:\WINNT\Microsoft.NET\Framework\v1.0.3705\Updates\hotfix.exe" "C:\WINNT\Microsoft.NET\Framework\v1.0.3705\Updates\M928367\M928367Uninstall.msp"
Microsoft .NET Framework 1.1 --> msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 --> MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 Hotfix (KB928366) --> "C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 2.0 --> C:\WINNT\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Access 2002 Runtime --> MsiExec.exe /I{901C0409-6000-11D3-8CFE-0050048383C9}
Microsoft Office 2000 SR-1 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft Project 2000 --> MsiExec.exe /I{2DFE1608-BDCA-11D1-B7AE-00C04FB92F3D}
Microsoft Publisher 2002 --> MsiExec.exe /I{90190409-6000-11D3-8CFE-0050048383C9}
Microsoft Publisher 98 --> C:\Program Files\Microsoft Office\Office\Setup\Setup.exe /m
Microsoft Visio 2000 --> MSIExec.exe /I {DBFA7530-0CBF-11D3-8CC0-00C04F72C04D}
Microsoft Windows Journal Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7}
Microsoft Word Supplemental Templates and Wizards --> MsiExec.exe /I{E59219D4-23B8-11D3-A179-00C04F6C9FA4}
Microsoft XML Parser and SDK --> MsiExec.exe /I{3E908702-AF35-4611-9518-955DA24B7E07}
MP3Resizer 1.8.3 --> "C:\Program Files\MP3Resizer\unins000.exe"
MSN Messenger 7.0 --> MsiExec.exe /I{ABEB838C-A1A7-4C5D-B7E1-8B4314600820}
MSN Winks --> MsiExec.exe /I{30F6FC65-1828-4929-84A2-4570B6720FB2}
MSXML 4.0 SP2 (KB927978) --> MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 6.0 Parser --> MsiExec.exe /I{A43BF6A5-D5F0-4AAA-BF41-65995063EC44}
Nokia Connectivity Cable Driver --> MsiExec.exe /X{0FF1922C-B6C4-40BB-AF30-BEF75A482444}
Nokia PC Suite --> MsiExec.exe /I{D89AC4DF-7A00-4D0B-BA99-D582C7974A09}
palmOne --> MsiExec.exe /X{FF8157AA-F640-45BD-B7C2-BAA1016B267A}
palmOne VersaMail(tm) --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\8\INTEL3~1\IDriver.exe /M{8907EBDF-704A-4255-AAC7-52E055B60F14}
PC Connectivity Solution --> MsiExec.exe /I{AB2347E4-153B-4194-AA3B-97C0A662B369}
PCLinq2 High-Speed USB Bridge Cable --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{95381165-5D16-4CD4-9162-57799A3F3AB5}\Setup.exe" -l0x9
PMP DV --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BE3A3126-D6B4-4FCE-8FD6-E33C49B4282D}\Setup.exe"
Quick Screen Capture.exe --> "C:\Program Files\!Quick Screen Capture\unins000.exe"
ScreenPrint32 v3.5 --> C:\WINNT\st6unst.exe -n "C:\Program Files\ScreenPrint32 v3\ST6UNST.LOG"
ScreenPrint32 v3.5 (C:\Program Files\ScreenPrint32 v3\) --> C:\WINNT\st6unst.exe -n "C:\Program Files\ScreenPrint32 v3\ST6UNST.000"
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Microsoft .NET Framework 2.0 (KB928365) --> C:\WINNT\system32\msiexec.exe /promptrestart /uninstall {8056AC9E-49C5-4375-9ADE-B2F862C9DF51} /package {7131646D-CD3C-40F4-97B9-CD9E4E6262EF}
Security Update for Windows 2000 (KB904706) --> "C:\WINNT\$NtUninstallKB904706$\spuninst\spuninst.exe"
Security Update for Windows 2000 (KB923689) --> "C:\WINNT\$NtUninstallKB923689$\spuninst\spuninst.exe"
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Symantec AntiVirus --> MsiExec.exe /I{848AC794-8B81-440A-81AE-6474337DB527}
Symantec pcAnywhere --> MsiExec.exe /I{B05E8183-866A-11D3-97DF-0000F8D8F2E9}
Symantec Technical Support Web Controls --> MsiExec.exe /X{DDC63227-BA06-4855-B002-BDB49E9F677E}
Windows Genuine Advantage v1.3.0254.0 --> MsiExec.exe /I{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}
Windows Media Player 9 Hotfix [See KB885492 for more information] --> C:\WINNT\$NtUninstallKB885492$\spuninst\spuninst.exe
Windows Media Player system update (9 Series) --> C:\PROGRA~1\WINDOW~2\setup_wm.exe /Uninstall
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall


-- Application Event Log -------------------------------------------------------

Event Record #/Type1159 / Error
Event Submitted/Written: 11/08/2007 11:55:19 AM
Event ID/Source: 4126 / Ci
Event Description:
Cleaning up corrupt content index metadata on c:\system volume information\catalog.wci. Index will
be automatically restored by refiltering all documents.

Event Record #/Type1158 / Error
Event Submitted/Written: 11/08/2007 11:55:19 AM
Event ID/Source: 4124 / Ci
Event Description:
Content index on c:\system volume information\catalog.wci is corrupt. Please shutdown and restart
the Indexing Service (cisvc).

Event Record #/Type1157 / Warning
Event Submitted/Written: 11/08/2007 11:55:19 AM
Event ID/Source: 4132 / Ci
Event Description:
2 inconsistencies were detected in PropertyStore during recovery of catalog c:\system volume information\catalog.wci.

Event Record #/Type1154 / Warning
Event Submitted/Written: 11/08/2007 11:49:27 AM
Event ID/Source: 4100 / EventSystem
Event Description:
The COM+ Event System failed to create an instance of the subscriber {6295DF2D-35EE-11D1-8707-00C04FD93327}. CoCreateInstanceEx returned HRESULT 8000401A.

Event Record #/Type1141 / Warning
Event Submitted/Written: 11/08/2007 08:52:54 AM
Event ID/Source: 4100 / EventSystem
Event Description:
The COM+ Event System failed to create an instance of the subscriber {6295DF2D-35EE-11D1-8707-00C04FD93327}. CoCreateInstanceEx returned HRESULT 8000401A.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type528 / Error
Event Submitted/Written: 11/08/2007 00:45:27 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The InCD File System Service service failed to start due to the following error:
%%193

Event Record #/Type522 / Error
Event Submitted/Written: 11/08/2007 11:48:36 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The InCD File System Service service failed to start due to the following error:
%%193

Event Record #/Type517 / Error
Event Submitted/Written: 11/08/2007 08:52:27 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The InCD File System Service service failed to start due to the following error:
%%193

Event Record #/Type511 / Error
Event Submitted/Written: 11/08/2007 08:43:48 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The InCD File System Service service failed to start due to the following error:
%%193

Event Record #/Type505 / Error
Event Submitted/Written: 11/08/2007 08:35:42 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The InCD File System Service service failed to start due to the following error:
%%193



-- End of Deckard's System Scanner: finished at 2007-11-08 15:56:17 ------------

ROOTKIT:

HKU\.DEFAULT\Control Panel\international_combofixbackup 2007-11-08 10:49 0 bytes Security mismatch.
HKU\S-1-5-21-1231760897-2102998622-1458068901-500\Control Panel\international_combofixbackup 2007-11-08 10:49 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 2002-09-10 15:34 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 2002-09-10 15:34 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\XATM:a4dc039b-f12b-407d-9646-d2a8eb511755* 2002-09-17 18:30 0 bytes Key name contains embedded nulls (*)
User avatar
ThisIsNotATest
Active Member
 
Posts: 13
Joined: November 1st, 2007, 6:04 pm

Unread postby Katana » November 8th, 2007, 8:03 pm

PC Anywhere isn't a problem, I just wanted to make sure you knew it was there and what it was :)

OTMoveIt
  • Please double-click OTMoveIt.exe
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINNT\system32\hvcdpjmq.exe
    C:\WINNT\system32\nddyjexl.exe
    C:\WINNT\system32\iwjesjch.exe
    C:\WINNT\system32\gootmifa.exe
    C:\WINNT\system32\ixwppnup.dll
    C:\WINNT\system32\ekmlbncv.dll
    C:\WINNT\system32\nngqvydh.dll

  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Close OTMoveIt
  • Copy and paste the contents of the results box as a reply to this topic

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Stop/Delete A Service
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad. Save it as "All Files" and name it FixServices.bat Please save it on your desktop.

@echo off
sc stop VNCTEMP
sc delete VNCTEMP
exit


Double click FixServices.bat. A window will open and close. This is normal.

Please try to run ComboFix again

Post a fresh HJT log along with the ComboFix Log (if you get one ) in your reply
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Unread postby ThisIsNotATest » November 9th, 2007, 1:00 am

Just a few things to note.

1. Processed moveit
2. Processed stop/delete service
3. Processed combofix
4. Processed hjt

I tried to run combofix again and of course it hung and I did catch a flash of an error stating it could not be accessed because it was in use by another process. So, I had to do the hard reset again. Once the system came back online, I went to task manager and the rtvscan was high priority on the mem usage. So, I stopped the services for Symantec Antivirus and then ran ComboFix, successfully. I hope it did not affect anything by stopping Symantec Antivirus, it is set to automatically start, so it is back online.

When combofix rebooted the system an error came up as follows as much as I can remember, maximum registry file is too small, windows may not run propery, increase registry size.

When I went to the directory to execute HJT this time, I noticed there was a new executable the same size as the showme.exe file named Adminstrator.exe. :?: I don't remember it being there before, but I am not quite sure.



Here is the information you requested:


COMBOFIX:

ComboFix 07-11-08.1 - Administrator 2007-11-08 22:26:14.4 - FAT32x86
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\4ECR2DK7\www.broadcaster.com
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Administrator\My Documents\RACLE~1
C:\WINNT\cookies.ini
C:\WINNT\Downloaded Program Files\Quarantine
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\music\mainmenumusic.ogg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\areabomb.ogg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\beetlezap.ogg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\bonusrow.ogg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\bonustimer.ogg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\bucketfilled.ogg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\clearpyramid.ogg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\cleartriangle1a.ogg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\cleartriangle1b.ogg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\cleartriangle1c.ogg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\cleartriangle2a.ogg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\cleartriangle2b.ogg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\cleartriangle2c.ogg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\colorchain.ogg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\dialogbox.ogg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\drumbeat.ogg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\fillrow.ogg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\gateopen.ogg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\helptip.ogg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\powerup.ogg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\rotateboardleft.ogg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\timerup.ogg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\warning.ogg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\audio\sfx\warning2.ogg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\artifacts-bb.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\bar.jpg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\chamber0.jpg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\chamber1.jpg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\circledoor.jpg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\full_screen_dialog.jpg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\global-hs-bb_large.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\global-hs-bb_small.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\help-bb_large.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\help-bb_small.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\hexfield.jpg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\hidden-artifact_icon.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\large_dialog.jpg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\local-hs-bb.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\mainmenu.jpg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\small_dialog.jpg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\textfield.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\backgrounds\trifield.jpg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\beetles\beetlehover1.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\beetles\beetlehover2.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\beetles\beetlehover3.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\beetles\beetlehover4.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\beetles\beetleshock1.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\beetles\beetleshock2.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\beetles\beetleshock3.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\beetles\beetleshock4.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\beetles\beetletatoo.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\beetles\dirt.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\beetles\scarabpost.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\beetles\scarabpostovr.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\beetles\tritop.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\arrowdown_down.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\arrowdown_over.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\arrowdown_up.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\arrowleft_down.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\arrowleft_over.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\arrowleft_up.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\arrowright_down.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\arrowright_over.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\arrowright_up.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\arrowup_down.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\arrowup_over.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\arrowup_up.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\bluearrowleft_down.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\bluearrowleft_over.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\bluearrowleft_up.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\bluearrowright_down.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\bluearrowright_over.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\bluearrowright_up.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\checkdown.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\checkup.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\long_button_down.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\long_button_over.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\long_button_up.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\orange-button_down.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\orange-button_over.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\orange-button_up.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\rotleft_down.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\rotleft_over.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\rotleft_up.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\rotright_down.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\rotright_over.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\rotright_up.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\simplebutton_down.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\simplebutton_over.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\simplebutton_up.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\sliderknob.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\sliderknobover.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\buttons\sliderrail.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\characters\anwar\look\pl0001.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\characters\bast\look\bl0001.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\characters\kristine\look\kl0001.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\crackedstopper.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\cursor.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\doorlights.txt
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\fonts\jackarmstrong.mvec
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\fonts\lithos.mvec
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\greybomb.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\helptips\arrowkeys.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\helptips\helptip.jpg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\levels\levels.dat
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\models\disk.mesh
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\models\equilateraltriangle.mesh
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\models\flattri.mesh
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\models\pyramid.mesh
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\models\quad.mesh
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\models\rotatingpyramid.mesh
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\models\scarabpanel.mesh
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\p1icon.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\scenes\page1-0.xml
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\scenes\page1-1.xml
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\scenes\panel1-0-1.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\scenes\panel1-1-1.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\scorecloud.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\setup.xml
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\sfx\areashockwave.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\sfx\bolt_1.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\sfx\bolt_2.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\sfx\bolt_3.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\sfx\bolt_4.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\sfx\bolt_starter.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\sfx\bolt_tail.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\sfx\flash.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\sfx\rubble.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\sfx\smoke.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\sfx\smoke2.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\sfx\smoke3.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\splash\aol_logo.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\splash\playfirst_logo.jpg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\statues\statue0\snake_dirty.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\statues\statue1\arm01_dirty.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\statues\statue1\mask01_1.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\statues\statue1\statue01_dirty.jpg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\stopper.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\timer.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\timerglow.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\timericon.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\tm.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\trails\mouseblue1.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\trails\mouseblue2.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\trails\mouseblue3.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\trails\mousegreen1.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\trails\mousegreen2.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\trails\mousegreen3.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\trails\mousered1.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\trails\mousered2.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\trails\mousered3.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\trails\mouseyellow1.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\trails\mouseyellow2.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\trails\mouseyellow3.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\areabomb.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\areabombrollover.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\blue.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\bluerollover.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\boardfill.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\brick.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\brick1.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\brick2.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\brick3.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\bricktip.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\clearanim\cleared1.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\clearanim\cleared2.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\clearanim\cleared3.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\clearanim\cleared4.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\clearanim\cleared5.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\clearanim\cleared6.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\eye1.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\eye2.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\eye3.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\eye4.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\green.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\greenrollover.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\plain_tri-blue.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\plain_tri-bluerollover.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\plain_tri-green.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\plain_tri-greenrollover.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\plain_tri-red.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\plain_tri-redrollover.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\plain_tri-yellow.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\plain_tri-yellowrollover.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\red.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\redrollover.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\wild.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\wildrollover.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\yellow.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\triangles\yellowrollover.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\upsell\image0.jpg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\upsell\image1.jpg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\upsell\image2.jpg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\upsell\image3.jpg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\urns\bluebucket.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\urns\buckettriangle.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\urns\chainlink.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\urns\chaintip.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\urns\genericbucket.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\urns\greenbucket.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\urns\redbucket.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\urns\smallblue.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\urns\smallgreen.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\urns\smallred.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\urns\smallyellow.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\urns\urnglow.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\urns\urnplatform.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\urns\yellowbucket.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\assets\warning.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\screens\error.lua
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\screens\game.lua
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\screens\gameover.lua
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\screens\hiscore.lua
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\screens\hiscoreinfo.lua
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\screens\hiscoresubmit.lua
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\screens\instructions.lua
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\screens\leveldesign.lua
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\screens\levelover.lua
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\screens\mainarcade.lua
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\screens\mainconfirm.lua
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\screens\maincontinue.lua
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\screens\maingames.lua
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\screens\mainpuzzle.lua
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\screens\maphelptip.lua
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\screens\options.lua
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\screens\pause.lua
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\screens\quitconfirm.lua
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\screens\start.lua
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\screens\storyplayer.lua
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\screens\style.lua
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\screens\upsell.lua
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\strings.xml
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.67\TriJinx.exe
C:\WINNT\system32\driver
C:\WINNT\system32\MabryObj.dll
C:\WINNT\system32\scurit~1
C:\WINNT\system32\scurit~1\s?curity\
C:\WINNT\system32\ututv.bak2
C:\WINNT\system32\ututv.ini
C:\WINNT\system32\ututv.ini2
C:\WINNT\system32\ututv.tmp
C:\WINNT\system32\vtutu.dll
C:\WINNT\system32\wnsapisv.exe
C:\WINNT\wr.txt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\nm


-------\nm






((((((((((((((((((((((((( Files Created from 2007-10-09 to 2007-11-09 )))))))))))))))))))))))))))))))
.

2007-11-08 15:54 <DIR> d-------- C:\Deckard
2007-11-08 10:49 51,200 --a------ C:\WINNT\NirCmd.exe
2007-11-08 08:47 1,648 --a------ C:\WINNT\system32\tmp.reg
2007-11-04 08:18 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-03 11:50 271,224 --a------ C:\WINNT\system32\mucltui.dll
2007-10-31 01:03 <DIR> d-------- C:\VundoFix Backups
2007-10-30 15:53 102,664 --a------ C:\WINNT\system32\drivers\tmcomm.sys
2007-10-30 15:52 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2007-10-25 18:17 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\NeroVision
2007-10-25 18:17 1,155,072 --------- C:\WINNT\UNNeroVision.exe
2007-10-25 18:16 <DIR> d-------- C:\WINNT\InCD
2007-10-25 18:16 1,155,072 --------- C:\WINNT\NuNinst.exe
2007-10-25 18:16 85,360 --------- C:\WINNT\system32\drivers\incdfs.sys
2007-10-25 18:16 26,784 --------- C:\WINNT\system32\drivers\incdpass.sys
2007-10-25 18:16 4,976 --------- C:\WINNT\system32\drivers\incdrec.sys
2007-10-25 18:15 89,184 --------- C:\WINNT\system32\drivers\imagedrv.sys
2007-10-25 18:14 <DIR> d-------- C:\Program Files\Ahead
2007-10-25 18:14 569,344 --a------ C:\WINNT\system32\imagr5.dll
2007-10-25 18:14 544,768 --a------ C:\WINNT\system32\imagx5.dll
2007-10-25 18:14 283,920 --a------ C:\WINNT\system32\ImagXpr5.dll
2007-10-25 18:14 155,648 --a------ C:\WINNT\system32\NeroCheck.exe
2007-10-25 18:14 38,912 --a------ C:\WINNT\system32\picn20.dll
2007-10-25 17:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\OfficeUpdate12
2007-10-25 17:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-10-25 10:26 53,248 --a------ C:\WINNT\bdoscandel.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-01 00:20 164 ----a-w C:\install.dat
2007-09-17 23:40 524,288 ----a-w C:\WINNT\opuc.dll
2005-02-04 19:39 1,349,007 ----a-w C:\Documents and Settings\My Documents\MasterMailer.exe
2002-09-10 22:09 271 ---h--w C:\Program Files\desktop.ini
2002-09-10 22:09 21,952 ---h--w C:\Program Files\folder.htt
2001-05-08 18:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
2007-02-06 03:38:00 1,682 --sha-w C:\WINNT\system32\KGyGaAvL.sys
2007-02-06 03:38:00 56 --sh--r C:\WINNT\system32\3557938702.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"blspcloader"="C:\Program Files\BellSouth Internet Tools\blsloader.exe" [06-11-12 15:04 ]
"Synchronization Manager"="mobsync.exe" [03-06-19 14:05 C:\WINNT\system32\mobsync.exe]
"ScreenPrint32"="C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe" [03-05-15 21:36 ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [01-02-20 13:09 C:\WINNT\system32\CTFMON.EXE]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"PcSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
HotSync Manager.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 14:16:08]
DataViz Inc Messenger.lnk - C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe [2006-07-17 18:24:41]
Monitor.lnk - C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe [2007-01-13 22:25:47]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B4870B70-F390-11d2-9FB9-F4ED725EA20D}"= C:\WINNT\System32\NalExpEx.dll [00-11-14 10:45 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwprovau]
nwprovau.dll 06-08-31 23:49 140048 C:\WINNT\system32\NWPROVAU.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, msnsspc.dll, digest.dll, zwebauth.dll

R3 PLUsbbc2;High-Speed USB Bridge Cable Driver;C:\WINNT\system32\Drivers\usbbc2.sys
S3 BrUsbMdm;Brother MFC USB FaxModem driver;C:\WINNT\system32\Drivers\BrUsbMdm.sys
S3 BrUsbScn;Brother MFC USB Scanner driver;C:\WINNT\system32\Drivers\BrUsbScn.sys
S3 OracleOraHome90ClientCache;OracleOraHome90ClientCache;C:\oracle\ora90\BIN\ONRSD.EXE
S3 VNCTEMP;Gencontrol WinVNC temporary service;"C:\VNCTEMP\WinVNC.exe" -service

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-08 22:33:51
Windows 5.0.2195 Service Pack 4 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-08 22:34:40 - machine was rebooted
.
--- E O F ---



HJT:

Logfile of HijackThis v1.99.1
Scan saved at 10:37:49 PM, on 11/8/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\System32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ctfmon.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\HijackThis\showme.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.1.254
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\BellSouth Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ScreenPrint32] C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/co ... mHcmsX.CAB
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pe ... stscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {6CCE3920-3183-4B3D-808A-B12EB769DE12} (CSS Web Installer Class) - http://www.commandondemand.com/eval/cod/cabs/cssweb.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/vi ... ebscan.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v ... b56649.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OracleOraHome90ClientCache - Unknown owner - C:\oracle\ora90\BIN\ONRSD.EXE (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Gencontrol WinVNC temporary service (VNCTEMP) - Unknown owner - C:\VNCTEMP\WinVNC.exe" -service (file missing)
User avatar
ThisIsNotATest
Active Member
 
Posts: 13
Joined: November 1st, 2007, 6:04 pm

Unread postby Katana » November 9th, 2007, 5:05 am

Adminstrator.exe was probably created by DSS, no need to worry about it.

Can you boot normally yet ?
Do you know what MasterMailer.exe is ? If not please do the following

Submit a File For Analysis
We need to have the files below Scanned by Uploading them/it to Virus Total

Please visit Virustotal
Copy/paste the the following file path into the window
C:\Documents and Settings\My Documents\MasterMailer.exe
Click Submit/Send File
Please post back, to let me know the results.

If Virustotal is too busy please try Jotti


Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code: Select all
    http://forum.malwareremoval.com/viewtopic.php?p=234941#234941
    
    
    Suspect::[4]
    C:\Documents and Settings\My Documents\MasterMailer.exe
    
    FileLook::
    C:\Documents and Settings\My Documents\MasterMailer.exe
    
    Driver::
    VNCTEMP
    

  • Save this as CFScript.txt and place it on your desktop.


    Image


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
  • A window will open asking you to ensure you are connected to the internet, this is so a file can be submitted for analysis.
  • Click OK and follow the instructions to submit the file.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Unread postby ThisIsNotATest » November 9th, 2007, 2:41 pm

It appears that I can reboot without any problem, as long as, Symantec Antivirus is not hogging the memory.

I am not sure what mastermailer.exe is -- the only thing that comes to mind is i remember looking at a bulk mail sender and that could possibly be it. But, if it is in question, I do not have a problem with getting rid of it. Because if I can't remember, then it must not be something used on a regular basis by myself or I am losing my mind. :lol:



File sent to BleepingComputer - Malware Submission
Your file was successfully submitted. Please
let the user helping you know that you have submitted the file.




VIRUSTOTAL:

File MasterMailer.exe_ received on 11.09.2007 19:02:00 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 2/32 (6.25%)
Loading server information...
Your file is queued in position: 8.
Estimated start time is between 65 and 94 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
AhnLab-V3 2007.11.10.0 2007.11.09 -
AntiVir 7.6.0.34 2007.11.09 -
Authentium 4.93.8 2007.11.09 -
Avast 4.7.1074.0 2007.11.09 -
AVG 7.5.0.503 2007.11.09 -
BitDefender 7.2 2007.11.09 -
CAT-QuickHeal 9.00 2007.11.09 -
ClamAV 0.91.2 2007.11.09 -
DrWeb 4.44.0.09170 2007.11.09 -
eSafe 7.0.15.0 2007.11.08 -
eTrust-Vet 31.2.5282 2007.11.09 -
Ewido 4.0 2007.11.09 -
FileAdvisor 1 2007.11.09 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.4.2.54 2007.11.09 -
F-Secure 6.70.13030.0 2007.11.09 -
Ikarus T3.1.1.12 2007.11.09 -
Kaspersky 7.0.0.125 2007.11.09 -
McAfee 5160 2007.11.09 -
Microsoft 1.3007 2007.11.09 -
NOD32v2 2650 2007.11.09 -
Norman 5.80.02 2007.11.08 -
Panda 9.0.0.4 2007.11.09 Suspicious file
Prevx1 V2 2007.11.09 -
Rising 20.17.41.00 2007.11.09 -
Sophos 4.23.0 2007.11.09 -
Sunbelt 2.2.907.0 2007.11.09 -
Symantec 10 2007.11.09 -
TheHacker 6.2.9.122 2007.11.09 Aplicacion/Monitor.XPCSpy.200
VBA32 3.12.2.4 2007.11.08 -
VirusBuster 4.3.26:9 2007.11.09 -
Webwasher-Gateway 6.0.1 2007.11.09 -
Additional information
File size: 1349007 bytes
MD5: 657e4d37dea37522aaeccb62b81c25c2
SHA1: ce3a9c795a07cba65d5121e5fdef7636919f3ee3
packers: ASProtect


COMBO:

ComboFix 07-11-08.1 - Administrator 11/09/2007 12:20:37.5 - FAT32x86
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2007-10-09 to 2007-11-09 )))))))))))))))))))))))))))))))
.

2007-11-08 15:54 <DIR> d-------- C:\Deckard
2007-11-08 10:49 51,200 --a------ C:\WINNT\NirCmd.exe
2007-11-08 08:47 1,648 --a------ C:\WINNT\system32\tmp.reg
2007-11-04 08:18 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-03 11:50 271,224 --a------ C:\WINNT\system32\mucltui.dll
2007-10-31 01:03 <DIR> d-------- C:\VundoFix Backups
2007-10-30 15:53 102,664 --a------ C:\WINNT\system32\drivers\tmcomm.sys
2007-10-30 15:52 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2007-10-25 18:17 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\NeroVision
2007-10-25 18:17 1,155,072 --------- C:\WINNT\UNNeroVision.exe
2007-10-25 18:16 <DIR> d-------- C:\WINNT\InCD
2007-10-25 18:16 1,155,072 --------- C:\WINNT\NuNinst.exe
2007-10-25 18:16 85,360 --------- C:\WINNT\system32\drivers\incdfs.sys
2007-10-25 18:16 26,784 --------- C:\WINNT\system32\drivers\incdpass.sys
2007-10-25 18:16 4,976 --------- C:\WINNT\system32\drivers\incdrec.sys
2007-10-25 18:15 89,184 --------- C:\WINNT\system32\drivers\imagedrv.sys
2007-10-25 18:14 <DIR> d-------- C:\Program Files\Ahead
2007-10-25 18:14 569,344 --a------ C:\WINNT\system32\imagr5.dll
2007-10-25 18:14 544,768 --a------ C:\WINNT\system32\imagx5.dll
2007-10-25 18:14 283,920 --a------ C:\WINNT\system32\ImagXpr5.dll
2007-10-25 18:14 155,648 --a------ C:\WINNT\system32\NeroCheck.exe
2007-10-25 18:14 38,912 --a------ C:\WINNT\system32\picn20.dll
2007-10-25 17:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\OfficeUpdate12
2007-10-25 17:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-10-25 10:26 53,248 --a------ C:\WINNT\bdoscandel.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-01 00:20 164 ----a-w C:\install.dat
2007-09-17 23:40 524,288 ----a-w C:\WINNT\opuc.dll
2005-02-04 19:39 1,349,007 ----a-w C:\Documents and Settings\My Documents\MasterMailer.exe
2002-09-10 22:09 271 ---h--w C:\Program Files\desktop.ini
2002-09-10 22:09 21,952 ---h--w C:\Program Files\folder.htt
2001-05-08 18:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
2007-02-06 03:38:00 1,682 --sha-w C:\WINNT\system32\KGyGaAvL.sys
2007-02-06 03:38:00 56 --sh--r C:\WINNT\system32\3557938702.sys
.

((((((((((((((((((((((((((((( snapshot@Thu 2007-11-08_22.34.11.89 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-09 18:24:02 16,384 ----a-w C:\WINNT\system32\Perflib_Perfdata_37c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"blspcloader"="C:\Program Files\BellSouth Internet Tools\blsloader.exe" [06-11-12 15:04 ]
"Synchronization Manager"="mobsync.exe" [03-06-19 14:05 C:\WINNT\system32\mobsync.exe]
"ScreenPrint32"="C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe" [03-05-15 21:36 ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [01-02-20 13:09 C:\WINNT\system32\CTFMON.EXE]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"PcSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
HotSync Manager.lnk - C:\Program Files\palmOne\Hotsync.exe [2004-06-09 14:16:08]
DataViz Inc Messenger.lnk - C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe [2006-07-17 18:24:41]
Monitor.lnk - C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe [2007-01-13 22:25:47]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B4870B70-F390-11d2-9FB9-F4ED725EA20D}"= C:\WINNT\System32\NalExpEx.dll [00-11-14 10:45 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwprovau]
nwprovau.dll 06-08-31 23:49 140048 C:\WINNT\system32\NWPROVAU.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, msnsspc.dll, digest.dll, zwebauth.dll

R3 PLUsbbc2;High-Speed USB Bridge Cable Driver;C:\WINNT\system32\Drivers\usbbc2.sys
S3 BrUsbMdm;Brother MFC USB FaxModem driver;C:\WINNT\system32\Drivers\BrUsbMdm.sys
S3 BrUsbScn;Brother MFC USB Scanner driver;C:\WINNT\system32\Drivers\BrUsbScn.sys
S3 OracleOraHome90ClientCache;OracleOraHome90ClientCache;C:\oracle\ora90\BIN\ONRSD.EXE

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-09 12:24:28
Windows 5.0.2195 Service Pack 4 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-09 12:25:31 - machine was rebooted
C:\ComboFix2.txt ... 07-11-08 22:34
.
--- E O F ---
User avatar
ThisIsNotATest
Active Member
 
Posts: 13
Joined: November 1st, 2007, 6:04 pm
Advertisement
Register to Remove

Next

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 199 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware