Bubba Bob Posted January 31, 2006 (edited)

UPDATED!! A few minutes after I posted this the sorry SOBs disconnected me! I called them back and they want me to take my computers to a shop (out of the damn question $$$). My "network usage" is 0% ALL THE TIME! I have a ONE hour timer on my modem. HELP

Hey Guys,

Last weekend my cable modem was disabled by my cable company (Cebridge) because they claim I have some sort of malware "spamming the network". After running scans with Avast and Norton, both my computers came up clean. I have NO visible signs of malware! Anyway, I came home today to find a message on my answering machine with them threatening to disconnect me if I don't clean my computers!

Computer ONE (Note: I have Avast installed and running usually, but due to a conflict from Zone Alarm I shut it down today.) Also, should I be worried by "Win Logon"? Also, again, I remember after I ran the scans I ran HJT from a temp location; if anything needs fixin' I'll move HJT to the correct place.

Logfile of HijackThis v1.99.1
Scan saved at 4:29:51 PM, on 1/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
k:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
K:\Program Files\Logitech\iTouch\iTouch.exe
K:\All Programs\Mozilla\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\DOCUME~1\Admin\LOCALS~1\Temp\Rar$EX00.828\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - K:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [zBrowser Launcher] k:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [avast!] k:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] k:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [skype] "K:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Trillian.lnk = K:\Program Files\Trillian Pro\trillian.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {55F2FE00-C6E1-11D4-84BC-009027889212} - http://www.seagate.com/support/disc/asp/dw...in/npdscwiz.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136216580406
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136216572296
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - k:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - k:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - k:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Computer TWO

Logfile of HijackThis v1.99.1
Scan saved at 4:33:01 PM, on 1/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
e:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
e:\Program Files\Alwil Software\Avast4\ashServ.exe
e:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\DOCUME~1\Lori\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [avast!] e:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,20/mcgdmgr.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - e:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - e:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - e:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
Besttechie Posted January 31, 2006

Hey Bubba Bob,

Both PCs look clean, so that's good. However, to make sure you have nothing hiding or anything, we're going to do a few things.

First off, on Computer One - close all windows except HJT and have it fix the following:

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

Then on Computer Two - close all windows except HJT and have it fix the following:

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

Please go HERE to run Panda's ActiveScan
Once you are on the Panda site click the Scan your PC button
A new window will open... click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the ActiveScan report

Also for your next post:
Please download Rootkit Revealer (link is at the very bottom of the page)
Unzip it to your desktop.
Open the rootkitrevealer folder and double-click rootkitrevealer.exe
Click the Scan button (bottom right)
It may take a while to scan (don't do anything while it's running)
When it's done, go up to File > Save. Choose to save it to your desktop.
Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here

Good luck!

B
Bubba Bob (Author) Posted January 31, 2006 (edited)

Thanks B. I don't have time for the Panda scan (in half an hour they will disconnect me again); however, I ran it last week after the first time I was disconnected and it came up clean. Anyway, computer #2 came up clean with Rootkit Revealer. Computer 1 has several hundred entries, but gives me an error every time I try to save it. Any suggestions?
Besttechie Posted January 31, 2006

What's the error? Try saving it in a different location...

B
Bubba Bob (Author) Posted January 31, 2006

"Rootkit detection utility has encountered a problem and needs to close. We are sorry for the inconvenience."

I've tried several places.
Besttechie Posted January 31, 2006

Ok, let's try something else...

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download AproposFix from here: http://swandog46.geekstogo.com/aproposfix.exe
Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.

Also, download and run F-Secure BlackLight: http://www.f-secure.com/blacklight/try.shtml
Run the program, accept statement > next > click > scan > next. If any items are detected have BlackLight rename them except for "wbemtest.exe". Do not rename "wbemtest.exe"; it's a Windows file. If there are any other files you THINK may be valid don't rename them. Help is available HERE
The tool will ask if you want to reboot (restart); choose yes.

Please post:
the contents of report.txt (it should open; if it does not open or you close it, find a copy in the c:\fixwareout folder)
a new HijackThis log
the log from BlackLight; the log will be named fsbl-<date/time>.log, e.g. fsbl-20051213134642.log.

Good luck!

B
jwbirdsong Posted February 1, 2006 (edited)

You've got a bunch of people pulling for you in this race Bubba_Bob... good luck
Bubba Bob (Author) Posted February 1, 2006

Thanks B. While I'm doing all that, I've got a question. I called the cable comp again, and this time they told me to run AVG. (Poor guy never heard of Avast.) So, I've run AVG and one computer came up with "Java/Openstream". Ya know anything about that?
Besttechie Posted February 1, 2006

Does it give like a filename and a location of the file? If so, can you post that information? Thanks.

B
Bubba Bob (Author) Posted February 1, 2006

The file is in the Java folder in my "Application Data".
Besttechie Posted February 1, 2006

Sounds like the Java ByteVerify virus; it's not at all that harmful and easy to remove. Also, for more info on it... http://www3.ca.com/securityadvisor/virusin...s.aspx?id=36725 <-- looks like they also have some kind of removal procedure/tool - I'd use their removal procedure/tool to make sure AVG is not pulling a false positive.

B
Bubba Bob (Author) Posted February 1, 2006 (edited)

Ok, I'll do that. Thanks B.

EDIT: Oops, forgot to post the other results. Here are the Blbeta results:

01/31/06 18:29:37 [info]: BlackLight Engine 1.0.30 initialized
01/31/06 18:29:37 [info]: OS: 5.1 build 2600 (Service Pack 2)
01/31/06 18:29:37 [Note]: 7019 4
01/31/06 18:29:37 [Note]: 7005 0
01/31/06 18:29:40 [Note]: 7006 0
01/31/06 18:29:40 [Note]: 7011 1884
01/31/06 18:29:41 [Note]: FSRAW library version 1.7.1014
01/31/06 18:29:56 [info]: Hidden file: C:\WINDOWS\system32\drivers\i386p.sys
01/31/06 18:29:56 [Note]: 7002 0
01/31/06 18:29:56 [Note]: 7003 1
01/31/06 18:29:56 [Note]: 10002 1
01/31/06 18:29:59 [info]: Hidden file: C:\WINDOWS\system32\msctl32.dll
01/31/06 18:29:59 [Note]: 10002 1
01/31/06 18:30:30 [Note]: 7007 0

_______________________________________________________________________

Here's the AproposFix results.

Log of AproposFix v1.1

************

Running from directory:
C:\Documents and Settings\Admin\Desktop\aproposfix

************

Registry entries found:

************

No service found!

Removing hidden folder:
No folder found!

Deleting files:

Backing up files:
Done!

Removing registry entries:

REGEDIT4

Done!

Finished!

_________________________________________________________

New HJT Log.

Logfile of HijackThis v1.99.1
Scan saved at 6:21:15 PM, on 1/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
K:\Program Files\Logitech\iTouch\iTouch.exe
k:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
K:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
K:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
K:\Program Files\Skype\Phone\Skype.exe
k:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\HPZipm12.exe
K:\Program Files\PRTG Traffic Grapher\PRTG Traffic Grapher.exe
K:\Program Files\PRTG Traffic Grapher\PRTG Traffic Grapher.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
K:\All Programs\Mozilla\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - K:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [zBrowser Launcher] k:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [avast!] k:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] k:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [skype] "K:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Trillian.lnk = K:\Program Files\Trillian Pro\trillian.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {55F2FE00-C6E1-11D4-84BC-009027889212} - http://www.seagate.com/support/disc/asp/dw...in/npdscwiz.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136216580406
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136216572296
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - k:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - k:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - k:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IZ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Admin\LOCALS~1\Temp\IZ.exe
O23 - Service: KTVFGXH - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Admin\LOCALS~1\Temp\KTVFGXH.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MOBU - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Admin\LOCALS~1\Temp\MOBU.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PRTG Service - Paessler Router Traffic Grapher (PRTGService) - Paessler GmbH - K:\Program Files\PRTG Traffic Grapher\PRTG Traffic Grapher.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SO - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Admin\LOCALS~1\Temp\SO.exe
O23 - Service: TCABC - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Admin\LOCALS~1\Temp\TCABC.exe
O23 - Service: V - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Admin\LOCALS~1\Temp\V.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Besttechie Posted February 1, 2006

Ok, well I found your problem, I will have some directions on what to do posted in a few minutes. Sit tight!

B
Bubba Bob (Author) Posted February 1, 2006

> Ok, well I found your problem, I will have some directions on what to do posted in a few minutes. Sit tight! B

Damn! Cable Comp Was Right? Thanks for your work B
Besttechie Posted February 1, 2006

Yeah, you have a rootkit (trojan horse); info can be found here: http://www.symantec.com/avcenter/venc/data...or.rustock.html

Please download ewido anti-malware; it is a trial version of the program.
Install ewido security suite
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
Launch ewido; there should be an icon on your desktop, double-click it.
The program will now go to the main screen
You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update
Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Boot into safe mode to do this: keep tapping F8 on your keyboard while your PC is starting up; you will get a menu, select safe mode.
Open Ewido again
Click on scanner
Click on Complete System Scan and the scan will begin.
While the scan is in progress you will be prompted to clean files, click OK
When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop.
Now close ewido anti-malware.

Reboot and post the report Ewido made and a new HijackThis log here in a reply.

Good luck!

B
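What gave the infection away in the log posted above is a pattern, not a signature: services with short random all-capital display names, started from the user's Temp folder, all claiming "Sysinternals" as their vendor, alongside the hidden driver and DLL that BlackLight reported. That pattern can be checked mechanically. The script below is an added example written for this page; it is not a tool from the thread, from HijackThis, or from F-Secure. The sample lines are copied from the logs posted in this thread, and the heuristics (Temp-directory image path, all-caps display name, binary named after the service, vendor string that does not match the install location) are my own assumptions about what a suspicious O23 entry looks like.

```python
import re
from dataclasses import dataclass, field
from typing import List

# HijackThis O23 line: "O23 - Service: <display name> - <company> - <image path>".
# The company field can itself contain " - " (e.g. "Sysinternals - www.sysinternals.com"),
# so the image path is anchored on the drive letter that follows the last separator.
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<company>.+) - (?P<path>[A-Za-z]:\\.+)$"
)
# F-Secure BlackLight reports objects hidden from the Win32 API as "[info]: Hidden file: <path>".
HIDDEN_RE = re.compile(r"\[info\]: Hidden file: (?P<path>.+)$")

# Assumed heuristics (my own; not rules from HijackThis or BlackLight).
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\")            # no installer puts a service here
NORMAL_ROOTS = ("\\windows\\", "\\program files\\", "\\progra~1\\")
SYSTEM_DIRS = ("\\windows\\system32\\",)


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def service_reasons(name: str, company: str, path: str) -> List[str]:
    """Return the reasons one O23 entry looks suspicious (empty list = nothing odd)."""
    reasons: List[str] = []
    lower = path.lower()
    if any(marker in lower for marker in TEMP_MARKERS):
        reasons.append("service image runs from a user Temp directory")
    if re.fullmatch(r"[A-Z]{1,8}", name):            # IZ, KTVFGXH, MOBU, SO, TCABC, V ...
        reasons.append("display name looks machine-generated")
    basename = lower.rsplit("\\", 1)[-1]
    if reasons and basename == name.lower() + ".exe":
        reasons.append("binary name is just the service name plus .exe")
    if "sysinternals" in company.lower() and not any(r in lower for r in NORMAL_ROOTS):
        reasons.append("claims Sysinternals as vendor but does not live under Windows or Program Files")
    return reasons


def hidden_reasons(path: str) -> List[str]:
    """Every hidden object is a finding; note when it is a driver or sits in system32."""
    lower = path.lower()
    reasons = ["object is hidden from the file system API (rootkit behaviour)"]
    if any(d in lower for d in SYSTEM_DIRS):
        reasons.append("hidden object sits in a system directory")
    if lower.endswith(".sys"):
        reasons.append("hidden object is a kernel driver")
    return reasons


def triage(lines: List[str]) -> List[Finding]:
    """Run both checks over mixed HijackThis / BlackLight log lines, in input order."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        m = O23_RE.match(line)
        if m:
            reasons = service_reasons(m["name"], m["company"], m["path"])
            if reasons:
                findings.append(Finding(line, reasons))
            continue
        m = HIDDEN_RE.search(line)
        if m:
            findings.append(Finding(line, hidden_reasons(m["path"])))
    return findings


# Sample input: lines copied from the logs posted in this thread,
# two benign services and the entries that gave the infection away.
SAMPLE_LINES = [
    r"O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe",
    r"O23 - Service: IZ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Admin\LOCALS~1\Temp\IZ.exe",
    r"O23 - Service: KTVFGXH - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Admin\LOCALS~1\Temp\KTVFGXH.exe",
    r"O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe",
    r"01/31/06 18:29:56 [info]: Hidden file: C:\WINDOWS\system32\drivers\i386p.sys",
    r"01/31/06 18:29:59 [info]: Hidden file: C:\WINDOWS\system32\msctl32.dll",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(finding.line)
        for reason in finding.reasons:
            print("    -", reason)
```

Run against the sample, the two Adobe and Zone Labs services produce nothing, each Temp-folder "Sysinternals" service is reported with four reasons, and both BlackLight hidden objects are reported, the driver with the extra kernel-driver note. The Temp-directory check alone would have caught every bad service in this thread; the other heuristics are there so a single odd path does not carry the whole verdict.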
Bubba Bob (Author) Posted February 1, 2006

Hmm, don't see anything but cookies

______________________

ewido anti-malware - Scan report
---------------------------------------------------------

 + Created on: 7:02:08 PM, 1/31/2006
 + Report-Checksum: DCD6AEA8

 + Scan result:

:mozilla.17:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\g7nm8or0.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\g7nm8or0.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\g7nm8or0.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\g7nm8or0.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\g7nm8or0.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\g7nm8or0.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\g7nm8or0.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\g7nm8or0.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\g7nm8or0.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\g7nm8or0.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\g7nm8or0.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.61:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\g7nm8or0.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\g7nm8or0.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.66:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\g7nm8or0.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\g7nm8or0.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\g7nm8or0.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.75:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\g7nm8or0.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\g7nm8or0.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\g7nm8or0.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.95:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\g7nm8or0.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.96:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\g7nm8or0.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.97:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\g7nm8or0.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.98:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\g7nm8or0.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.99:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\g7nm8or0.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.101:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\g7nm8or0.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.104:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\g7nm8or0.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.105:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\g7nm8or0.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.106:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\g7nm8or0.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.107:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\g7nm8or0.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.108:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\g7nm8or0.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.109:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\g7nm8or0.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\g7nm8or0.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.121:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\g7nm8or0.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.122:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\g7nm8or0.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.140:C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\g7nm8or0.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup

::Report End

________________________________

Logfile of HijackThis v1.99.1
Scan saved at 7:06:16 PM, on 1/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
k:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
K:\Program Files\Logitech\iTouch\iTouch.exe
K:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
K:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
K:\Program Files\Skype\Phone\Skype.exe
k:\Program Files\Alwil Software\Avast4\ashServ.exe
K:\Program Files\Trillian Pro\trillian.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\HPZipm12.exe
K:\Program Files\PRTG Traffic Grapher\PRTG Traffic Grapher.exe
K:\Program Files\PRTG Traffic Grapher\PRTG Traffic Grapher.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - K:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [zBrowser Launcher] k:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [avast!] k:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] k:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [skype] "K:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Trillian.lnk = K:\Program Files\Trillian Pro\trillian.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {55F2FE00-C6E1-11D4-84BC-009027889212} - http://www.seagate.com/support/disc/asp/dw...in/npdscwiz.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136216580406
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136216572296
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - k:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - k:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - k:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o.
- C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exeO23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: IZ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Admin\LOCALS~1\Temp\IZ.exeO23 - Service: KTVFGXH - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Admin\LOCALS~1\Temp\KTVFGXH.exeO23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXEO23 - Service: MOBU - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Admin\LOCALS~1\Temp\MOBU.exeO23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exeO23 - Service: PRTG Service - Paessler Router Traffic Grapher (PRTGService) - Paessler GmbH - K:\Program Files\PRTG Traffic Grapher\PRTG Traffic Grapher.exeO23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exeO23 - Service: SO - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Admin\LOCALS~1\Temp\SO.exeO23 - Service: TCABC - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Admin\LOCALS~1\Temp\TCABC.exeO23 - Service: V - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Admin\LOCALS~1\Temp\V.exeO23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe Link to post Share on other sites
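The six O23 entries in the log above named IZ, KTVFGXH, MOBU, SO, TCABC and V all report "Sysinternals - www.sysinternals.com" as their publisher yet run out of the Admin account's Temp folder, and the company name HijackThis prints is read from each executable's own version resource, so it is a self-declared string rather than anything verified. The script below is an added example for this thread; it is not HijackThis code and not something the poster ran. It parses O23 lines of the shape shown in the log, flags the services a responder would ask about first, and runs over SAMPLE_LOG, which is copied from the posted log. The heuristics, function names and reason strings are the example's own.

```python
"""Triage of HijackThis O23 (service) lines.

Added example for this thread: it is neither HijackThis code nor something
the original poster ran. It parses lines of the shape

    O23 - Service: <display name> (<short name>) - <company> - <path>

and lists the entries a responder should ask about first. SAMPLE_LOG is
copied from the HijackThis log posted above; the heuristics, function names
and reason strings are this example's own.
"""
import re
from typing import Dict, List, Optional, Tuple

# The path is the last " - " separated field and starts with a drive letter
# (sometimes preceded by a stray quote, as in the avast! Web Scanner line).
_LINE_RE = re.compile(r'^O23 - Service: (?P<head>.+) - (?P<path>"?[A-Za-z]:\\.+)$')
# Display names can themselves contain " - " (PRTG does), so when a "(short)"
# service name is present it is the reliable anchor between name and company.
_HEAD_RE = re.compile(r'^(?P<display>.+) \((?P<short>[^()]+)\) - (?P<company>.+)$')
# Executable stem, used to spot services whose display name is just the file name.
_EXE_RE = re.compile(r'\\([^\\"]+?)\.exe')

# Copied from the log posted above (not constructed).
SAMPLE_LOG = r"""
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! Web Scanner - Unknown owner - k:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: IZ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Admin\LOCALS~1\Temp\IZ.exe
O23 - Service: KTVFGXH - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Admin\LOCALS~1\Temp\KTVFGXH.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MOBU - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Admin\LOCALS~1\Temp\MOBU.exe
O23 - Service: PRTG Service - Paessler Router Traffic Grapher (PRTGService) - Paessler GmbH - K:\Program Files\PRTG Traffic Grapher\PRTG Traffic Grapher.exe
O23 - Service: SO - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Admin\LOCALS~1\Temp\SO.exe
O23 - Service: TCABC - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Admin\LOCALS~1\Temp\TCABC.exe
O23 - Service: V - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Admin\LOCALS~1\Temp\V.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

Service = Dict[str, Optional[str]]


def parse_o23(line: str) -> Optional[Service]:
    """Split one O23 line into display, short, company and path (None if not O23)."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    head, path = m.group("head"), m.group("path")
    h = _HEAD_RE.match(head)
    if h:
        display, short, company = h.group("display"), h.group("short"), h.group("company")
    else:
        # No "(short)" field. The company string may itself contain " - "
        # ("Sysinternals - www.sysinternals.com"), so split only once.
        display, _, company = head.partition(" - ")
        short = None
    return {"display": display, "short": short, "company": company, "path": path}


def flag_service(svc: Service) -> List[str]:
    """Return the reasons this entry deserves a closer look (empty if none)."""
    reasons: List[str] = []
    display = svc["display"] or ""
    company = svc["company"] or ""
    path = (svc["path"] or "").lower()
    exe = _EXE_RE.search(path)
    stem = exe.group(1) if exe else ""

    if "\\temp\\" in path:
        reasons.append("service binary runs from a Temp directory")
    if "\\docume~1\\" in path or "\\documents and settings\\" in path or "\\users\\" in path:
        reasons.append("service binary lives in a user profile, not Program Files or the Windows directory")
    if "(file missing)" in path:
        reasons.append("service is registered but its binary is missing")
    if stem and display.lower() == stem and display.isalpha() and display.isupper():
        reasons.append("display name is just the executable's (random-looking) file name")
    if reasons and company and company != "Unknown owner":
        # HijackThis takes the company from the file's version info; anyone can set it.
        reasons.append(f"claimed company {company!r} is read from the file's own version resource, not verified")
    return reasons


def triage(log: str) -> List[Tuple[str, str, List[str]]]:
    """Run every O23 line of a pasted log through flag_service and keep the hits."""
    hits: List[Tuple[str, str, List[str]]] = []
    for line in log.splitlines():
        svc = parse_o23(line)
        if svc is None:
            continue
        reasons = flag_service(svc)
        if reasons:
            hits.append((svc["display"] or "", svc["path"] or "", reasons))
    return hits


if __name__ == "__main__":
    for display, path, reasons in triage(SAMPLE_LOG):
        print(f"{display}\n  {path}")
        for reason in reasons:
            print(f"  - {reason}")
```

Run as-is, it reports the six Temp-resident services and the avast! Web Scanner entry whose binary is gone, and nothing else; the PRTG line, whose display name also contains " - ", parses cleanly because the short name in parentheses anchors the split between name and company.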
Besttechie Posted February 1, 2006 (edited)

Ok, we're going to have to take a different approach.

Boot to safe mode and do the following:

Create a Startup List
Open HiJackThis
Click on the "Open the Misc Tools Section"
Check off the 2 boxes next to the Box that says "Generate StartupList log"
Click on the button "Generate StartupList log"
Copy and paste the StartupList from the notepad into your next post

B
Bubba Bob (Author) Posted February 1, 2006

Thanks B

StartupList report, 1/31/2006, 7:23:48 PM
StartupList version: 1.52.2
Started from : C:\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
k:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
K:\Program Files\Logitech\iTouch\iTouch.exe
K:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
K:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
K:\Program Files\Skype\Phone\Skype.exe
k:\Program Files\Alwil Software\Avast4\ashServ.exe
K:\Program Files\Trillian Pro\trillian.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\HPZipm12.exe
K:\Program Files\PRTG Traffic Grapher\PRTG Traffic Grapher.exe
K:\Program Files\PRTG Traffic Grapher\PRTG Traffic Grapher.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
K:\ALLPRO~1\MOZILLA\FIREFOX.EXE
C:\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Admin\Start Menu\Programs\Startup]
Trillian.lnk = K:\Program Files\Trillian Pro\trillian.exe

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

zBrowser Launcher = k:\Program Files\Logitech\iTouch\iTouch.exe
avast! = k:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
Zone Labs Client = k:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Skype = "K:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - K:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINDOWS\Java\classes\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\System32\LegitCheckControl.DLL
CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204

[{33564D57-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/D/0...D0C/wmv9dmo.cab

[{55F2FE00-C6E1-11D4-84BC-009027889212}]
CODEBASE = http://www.seagate.com/support/disc/asp/dw...in/npdscwiz.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\wuweb.dll
CODEBASE = http://update.microsoft.com/microsoftupdat...b?1136216580406

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\muweb.dll
CODEBASE = http://update.microsoft.com/microsoftupdat...b?1136216572296

[Java Plug-in]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

[Java Plug-in]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab

[Java Plug-in 1.5.0_06]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Belkin USB Ethernet Adapter: system32\DRIVERS\NET8511.SYS (manual start)
Adobe LM Service: "C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe" (manual start)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter: System32\DRIVERS\AN983.sys (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
avast! iAVS4 Control Service: "k:\Program Files\Alwil Software\Avast4\aswUpdSv.exe" (autostart)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
Ati HotKey Poller: %SystemRoot%\system32\Ati2evxx.exe (autostart)
ATI Smart: C:\WINDOWS\system32\ati2sgag.exe (autostart)
ati2mtag: System32\DRIVERS\ati2mtag.sys (manual start)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
avast! Antivirus: "k:\Program Files\Alwil Software\Avast4\ashServ.exe" (autostart)
avast! Web Scanner: "k:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (manual start)
AVG7 Alert Manager Server: C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (autostart)
AVG7 Kernel: \SystemRoot\System32\Drivers\avg7core.sys (system)
AVG7 Wrap Driver: \SystemRoot\System32\Drivers\avg7rsw.sys (system)
AVG7 Resident Driver XP: \SystemRoot\System32\Drivers\avg7rsxp.sys (system)
AVG7 Update Service: C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (autostart)
AVG E-mail Scanner: C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe (autostart)
AVG Network Redirector: \SystemRoot\System32\Drivers\avgtdi.sys (autostart)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
C-Media PCI Audio Driver (WDM): system32\drivers\cmaudio.sys (manual start)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
AVProtect advances service: \??\C:\WINDOWS\system32\docentd.sys (system)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
ewido security suite control: C:\Program Files\ewido anti-malware\ewidoctrl.exe (autostart)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
IEEE-1284.4 Driver HPZid412: system32\DRIVERS\HPZid412.sys (manual start)
Print Class Driver for IEEE-1284.4 HPZipr12: system32\DRIVERS\HPZipr12.sys (manual start)
USB to IEEE-1284.4 Translation Driver HPZius12: system32\DRIVERS\HPZius12.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
InstallDriver Table Manager: "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" (manual start)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
Intel Processor Driver: System32\DRIVERS\intelppm.sys (system)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
IZ: C:\DOCUME~1\Admin\LOCALS~1\Temp\IZ.exe (manual start)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Keyboard HID Driver: System32\DRIVERS\kbdhid.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
KTVFGXH: C:\DOCUME~1\Admin\LOCALS~1\Temp\KTVFGXH.exe (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Logitech USB Filter Driver: System32\Drivers\LCcFltr.Sys (manual start)
LexBce Server: C:\WINDOWS\system32\LEXBCES.EXE (autostart)
Logitech HID/USB Mouse Filter Driver: system32\DRIVERS\LHidFlt2.Sys (manual start)
Logitech USB Receiver device driver: System32\Drivers\LHidUsb.Sys (manual start)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Logitech Mouse Class Filter Driver: system32\DRIVERS\LMouFlt2.Sys (manual start)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
MOBU: C:\DOCUME~1\Admin\LOCALS~1\Temp\MOBU.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NetGroup Packet Filter Driver: system32\drivers\npf.sys (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
Pml Driver HPZ12: C:\WINDOWS\system32\HPZipm12.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
PRTG Service - Paessler Router Traffic Grapher: K:\Program Files\PRTG Traffic Grapher\PRTG Traffic Grapher.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\Drivers\PxHelp20.sys (system)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Rio universal USB driver: System32\Drivers\RIOUNIV.sys (manual start)
Microsoft Legacy Modem Driver: System32\Drivers\RootMdm.sys (manual start)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Symantec Network Drivers Service: "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe" (manual start)
SO: C:\DOCUME~1\Admin\LOCALS~1\Temp\SO.exe (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{9AE1FE12-948C-4C54-9EA6-285580052AAE} (manual start)
SymEvent: \??\C:\Program Files\Symantec\SYMEVENT.SYS (manual start)
SYMREDRV: \SystemRoot\System32\Drivers\SYMREDRV.SYS (manual start)
SYMTDI: \SystemRoot\System32\Drivers\SYMTDI.SYS (system)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCABC: C:\DOCUME~1\Admin\LOCALS~1\Temp\TCABC.exe (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Print Port Scanner Driver: system32\DRIVERS\umaxpcls.sys (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\System32\wdfmgr.exe (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual
start)Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)Motorola USB Modem Driver: system32\DRIVERS\usbser.sys (manual start)Motorola USB Modem Driver for MPT: system32\DRIVERS\usbsermpt.sys (manual start)USB Mass Storage Driver: system32\DRIVERS\USBSTOR.SYS (manual start)Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)V: C:\DOCUME~1\Admin\LOCALS~1\Temp\V.exe (manual start)VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)vsdatant: System32\vsdatant.sys (system)TrueVector Internet Monitor: C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service (autostart)Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)Logitech Virtual Bus Enumerator Driver: system32\drivers\WmBEnum.sys (manual start)Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)Logitech WingMan HID Filter Driver: system32\drivers\WmFilter.sys (manual start)WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)Logitech Virtual Hid Device Driver: system32\drivers\WmVirHid.sys (manual start)Logitech WingMan Translation Layer Driver: system32\drivers\WmXlCore.sys (manual start)Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs 
(autostart)Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)--------------------------------------------------Enumerating Windows NT logon/logoff scripts:*No scripts set to run*Windows NT checkdisk command:BootExecute = autocheck autochk *Windows NT 'Wininit.ini':PendingFileRenameOperations: *Registry value not found*--------------------------------------------------Enumerating ShellServiceObjectDelayLoad items:PostBootReminder: C:\WINDOWS\system32\SHELL32.dllCDBurn: C:\WINDOWS\system32\SHELL32.dllWebCheck: C:\WINDOWS\System32\webcheck.dllSysTray: C:\WINDOWS\System32\stobject.dll--------------------------------------------------Autorun entries from Registry:HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run*Registry key not found*--------------------------------------------------Autorun entries from Registry:HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run*Registry key not found*--------------------------------------------------End of report, 35,097 bytesReport generated in 0.141 secondsCommand line options: /verbose - to add additional info on each section /complete - to include empty sections and unsuspicious data /full - to include several rarely-important sections /force9x - to include Win9x-only startups even if running on WinNT /forcent - to include WinNT-only startups even if running on Win9x /forceall - to include all Win9x and WinNT startups, regardless of platform /history - to list version history only Link to post Share on other sites
Besttechie Posted February 1, 2006 (edited)

Ok, let's try this:

Start --> Run --> type: sc stop i386p
Press Enter
then type: sc delete i386p
Press Enter
Reboot

Let me know when you've done that.

B

Edited February 1, 2006 by Besttechie
Bubba Bob Posted February 1, 2006 (Author)

I did that, rebooted, and AVG found i386p and called it a trojan. I then moved it into quarantine.
Besttechie Posted February 1, 2006

Ok, now we're going to try and use a program called Killbox to delete the files.

Please download the Killbox by Option^Explicit.
Note: In the event you already have Killbox, this is a new version that I need you to download. Save it to your desktop.

- Please double-click Killbox.exe to run it.
- Select: Delete on Reboot, then click on the All Files button.
- Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\system32\drivers\i386p.sys
C:\WINDOWS\system32\msctl32.dll
- Return to Killbox, go to the File menu, and choose Paste from Clipboard.
- Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Post back after you've done that.

B
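Killbox's Delete on Reboot works by queueing the paths in the PendingFileRenameOperations registry value, which is why the post warns about that prompt and why the StartupList report above has a section for it. The script below, an added example that is not part of the thread or of Killbox, parses that value so a helper can see exactly what the next boot will delete or replace; the registry path and the pair-wise "source, destination" layout are documented Windows behaviour, the sample entries are constructed.

```python
# Inspect PendingFileRenameOperations, the REG_MULTI_SZ value under
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager that "delete on
# reboot" tools write. Entries come in pairs: source path, then destination.
# An empty destination means the source is deleted at boot; a destination
# beginning with '!' overwrites an existing file. Paths carry the NT "\??\"
# prefix. Added example, not Killbox's own code.

SESSION_MANAGER_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
VALUE_NAME = "PendingFileRenameOperations"


def _strip_nt_prefix(path: str) -> str:
    """Turn '\\??\\C:\\foo' into 'C:\\foo'; leave other paths alone."""
    return path[4:] if path.startswith("\\??\\") else path


def parse_pending_operations(entries: list[str]) -> list[tuple[str, str, str]]:
    """Return (action, source, destination) tuples from the raw string list.

    action is 'delete', 'rename' or 'replace'. A trailing source without a
    partner is reported as a delete (this script's assumption about a
    malformed value, so the entry is at least surfaced).
    """
    ops: list[tuple[str, str, str]] = []
    for i in range(0, len(entries), 2):
        src = _strip_nt_prefix(entries[i])
        dst = entries[i + 1] if i + 1 < len(entries) else ""
        if dst == "":
            ops.append(("delete", src, ""))
        elif dst.startswith("!"):
            ops.append(("replace", src, _strip_nt_prefix(dst[1:])))
        else:
            ops.append(("rename", src, _strip_nt_prefix(dst)))
    return ops


def read_from_registry() -> list[str]:
    """Read the live value on Windows; [] when nothing is queued for reboot."""
    import winreg  # only available on Windows
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SESSION_MANAGER_KEY) as key:
            value, kind = winreg.QueryValueEx(key, VALUE_NAME)
    except FileNotFoundError:
        return []
    return list(value) if kind == winreg.REG_MULTI_SZ else []


# Constructed sample: the two paths from the post queued for deletion, plus
# one replace entry of the kind an installer leaves behind.
SAMPLE_ENTRIES = [
    "\\??\\C:\\WINDOWS\\system32\\drivers\\i386p.sys", "",
    "\\??\\C:\\WINDOWS\\system32\\msctl32.dll", "",
    "\\??\\C:\\WINDOWS\\Temp\\new.dll", "!\\??\\C:\\WINDOWS\\system32\\old.dll",
]

if __name__ == "__main__":
    for action, src, dst in parse_pending_operations(SAMPLE_ENTRIES):
        print(f"{action:8} {src}" + (f" -> {dst}" if dst else ""))
```

On a live machine, replace SAMPLE_ENTRIES with read_from_registry(); an entry pointing at a Temp directory or at a file the user never asked to remove is worth a second look before rebooting.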
Bubba Bob Posted February 1, 2006 (Author)

Done.
Besttechie Posted February 1, 2006

Ok, boot to safe mode and run BlackLight again, just like last time.

Run the program, accept statement > next > click > scan > next. If any items are detected, have BlackLight rename them except for "wbemtest.exe". Do not rename "wbemtest.exe"; it's a Windows file. If there are any other files you THINK may be valid, don't rename them. Help is available HERE.

The tool will ask if you want to reboot (restart); choose yes.

Please post:
- the contents of report.txt (it should open; if it does not open or you close it, find a copy in the c:\fixwareout folder)
- a new HijackThis log
- the log from BlackLight; the log will be named fsbl-<date/time>.log, e.g. fsbl-20051213134642.log

Also, open the search program -- Start --> Search --> search for i386p.sys. After that search, search for msctl32.dll. Let me know if the search finds those files or not.

Good luck!

B
Bubba Bob Posted February 1, 2006 (Author)

"Backlight Cant Be used In Safemode"

Hehehe. BRB
Besttechie Posted February 1, 2006

Oh, my bad. Got so used to typing safe mode, my mistake. Run it in normal mode.