HJT Panda and trouble


kwagner_51
08-18-2007, 03:36 PM
PC freezes when playing games. I updated my video driver yesterday and I am just about ready to do a clean wipe and start over. I keep getting kernel inpage errors and blue screens of death.

I ran AdAware, Spyblaster, and Spybot S&D. After reading about Ad Aware I deleted it and then ran Spyblaster. Everything came back clean on S&D. Then I ran Panda, and the results follow.

Here is HJT Report:

Logfile of HijackThis v1.99.1
Scan saved at 1:29:16 PM, on 8/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\PROGRA~1\YAHOO!\PARENT~1\ypc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\abelhadigital.com\HostsMan\hm.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Pyrenean\eDexter\eDexter.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.firehouse.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.2.1P.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [YPC] C:\PROGRA~1\YAHOO!\PARENT~1\ypc.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HostsMan] C:\Program Files\abelhadigital.com\HostsMan\hm.exe -s
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Startup: eDexter.lnk = C:\Program Files\Pyrenean\eDexter\eDexter.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'ypclsp.dll' missing
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - https://www.genesisearth.net/CFIDE/classes/CFJava.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://www.shockwave.com/content/trijinx/sis/TriJinx.1.0.0.86.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1109002217328
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/gs/install/guidedsolutions.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {ABB660B6-6694-407B-950A-EDBA5A159722} (DVC Download Control) - http://www.shockwave.com/content/davincicode/sis/DVC%20Download%20Control.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.15.22/ttinst.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://player.virtools.com/downloads/player/Install3.0/Installer.exe
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpbasicdetection3.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326

kwagner_51
08-18-2007, 03:38 PM
Cont'd

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\wmfhotfix.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE


Here is the Panda report:


Incident Status Location

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NIRCMD.EXE
Adware:adware/pesttrap Not disinfected C:\WINDOWS\SOFT.EXE
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Wagner\Local Settings\Temp\Cookies\wagner@go[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Wagner\My Documents\Anti Virus treatments\smitRem.exe[smitRem/Process.exe]
Virus:Generic Trojan Disinfected C:\Documents and Settings\Wagner\My Documents\Anti Virus treatments\ComboFix.exe
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Wagner\Cookies\wagner@go[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Wagner\Cookies\wagner@go[3].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Wagner\Cookies\wagner@go[2].txt
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\Wagner\Cookies\wagner@club.cdfreaks[1].txt
Virus:Generic Malware Disinfected C:\Documents and Settings\Wagner\DoctorWeb\Quarantine\backup-20050325-004214-919.dll
Virus:Generic Malware Disinfected C:\Documents and Settings\Wagner\DoctorWeb\Quarantine\backup-20050328-094337-258.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Wagner\DoctorWeb\Quarantine\Process.exe
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\NetworkService\Cookies\wagner@go[2].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\NetworkService\Cookies\wagner@target[2].txt

Budfred
08-18-2007, 09:41 PM
Most of what is noted as a problem in the Panda scan is tools, or files from tools, that you have run for security... This is the only one that may be a problem:

Adware:adware/pesttrap Not disinfected C:\WINDOWS\SOFT.EXE

and it may be a very nasty trojan... I suggest downloading a fresh copy of ComboFix and running it to see more clearly what might be happening:

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall...

It has changed greatly since you last used it, so be sure to get a new version...

kwagner_51
08-18-2007, 10:36 PM
Here is the log for combo fix:

ComboFix 07-08-14.4 - "Wagner" 2007-08-18 20:27:31.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.191 [GMT -5:00]
* Created a new restore point


((((((((((((((((((((((((( Files Created from 2007-07-19 to 2007-08-19 )))))))))))))))))))))))))))))))


2007-08-17 19:03 <DIR> d--hs---- C:\FOUND.001
2007-08-17 18:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\NVIDIA
2007-08-17 18:21 208,896 --a------ C:\WINDOWS\SYSTEM32\NVUNINST.EXE
2007-08-17 18:21 208,896 --a------ C:\WINDOWS\SYSTEM32\nvudisp.exe
2007-08-17 18:21 <DIR> d-------- C:\WINDOWS\nview
2007-08-17 18:20 <DIR> d-------- C:\NVIDIA
2007-08-17 17:33 <DIR> d--hs---- C:\FOUND.000
2007-08-15 20:23 <DIR> d-------- C:\Program Files\iPod
2007-08-15 20:21 <DIR> d-------- C:\Program Files\QuickTime
2007-08-15 20:20 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-08-15 20:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-29 11:21 --------- d-------- C:\Program Files\Mystery Case Files - Huntsville
2007-06-29 11:21 --------- d-------- C:\Program Files\BFG
2007-06-28 07:16 1315 --a------ C:\WINDOWS\system32\drivers\fwdrv.err
2007-06-26 10:13 851968 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
2007-06-26 09:35 665600 --a------ C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-26 01:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 01:08 1104896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-19 08:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 08:31 282112 --------- C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-17 00:11 51200 --a------ C:\WINDOWS\nircmd.exe
2007-06-15 03:12 96256 --a------ C:\WINDOWS\system32\dllcache\inseng.dll
2007-06-15 03:12 616960 --a------ C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-15 03:12 55808 --a------ C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-15 03:12 532480 --a------ C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-15 03:12 474112 --------- C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-06-15 03:12 449024 --a------ C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-15 03:12 39424 --a------ C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-06-15 03:12 357888 --a------ C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-06-15 03:12 3064320 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
2007-06-15 03:12 251904 --a------ C:\WINDOWS\system32\dllcache\iepeers.dll
2007-06-15 03:12 205824 --a------ C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-06-15 03:12 16384 --a------ C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-15 03:12 151040 --------- C:\WINDOWS\system32\dllcache\cdfview.dll
2007-06-15 03:12 1498112 --------- C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-06-15 03:12 146432 --a------ C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-15 03:12 1054208 --------- C:\WINDOWS\system32\dllcache\danim.dll
2007-06-15 03:12 1022976 --------- C:\WINDOWS\system32\dllcache\browseui.dll
2007-06-14 05:32 18432 --a------ C:\WINDOWS\system32\dllcache\iedw.exe
2007-06-13 05:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-13 05:23 1033216 --------- C:\WINDOWS\system32\dllcache\explorer.exe
2007-06-11 23:51 10834944 --a------ C:\WINDOWS\system32\dllcache\wmp.dll
2006-06-10 08:12 774144 --a------ C:\Program Files\RngInterstitial.dll
2005-03-14 15:54 264555 --a------ C:\Program Files\rootkitrevealer.zip
2005-02-23 06:40 214533 --a------ C:\Program Files\hijackthis.zip
2005-02-19 03:47 266 ---hs---- C:\Program Files\desktop.ini
2005-02-19 03:47 11079 ---h----- C:\Program Files\folder.htt


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YPC"="C:\PROGRA~1\YAHOO!\PARENT~1\ypc.exe" [2005-02-11 18:14]
"YOP"="C:\PROGRA~1\YAHOO!\YOP\yop.exe" [2005-04-22 19:49]
"SystemTray"="SysTray.Exe" [2001-08-23 12:00 C:\WINDOWS\SYSTEM32\systray.exe]
"Cmaudio"="cmicnfg.cpl" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-08-17 00:13]
"HostsMan"="C:\Program Files\abelhadigital.com\HostsMan\hm.exe" [2005-01-08 17:18]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-03-06 13:28]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-31 18:44]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2006-04-07 15:02]

C:\Documents and Settings\Wagner\Start Menu\Programs\Startup\
eDexter.lnk - C:\Program Files\Pyrenean\eDexter\eDexter.exe [2001-07-29 19:26:12]
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2005-02-21 18:55:20]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=0 (0x0)
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoThemesTab"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\wmfhotfix.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AT&T Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AT&T Self Support Tool.lnk
backup=C:\WINDOWS\pss\AT&T Self Support Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C2K]
C:\WINDOWS\Cyb2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EssentialPIM]
"G:\Documents\HOST\EssentialPIM.exe" /autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FLMK08KB]
C:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FLMOFFICE4DMOUSE]
C:\Program Files\Browser Mouse\mouse32a.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InterWARN]
C:\Program Files\InterWARN\interwarn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM_Monitor]
C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickLookup]
C:\Program Files\Quick Lookup\QuickLookup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

kwagner_51
08-18-2007, 10:37 PM
Cont'd

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

R0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys
R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys
R2 SPF4;Sunbelt Personal Firewall 4;"C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe"
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys
S3 DUBE100;D-Link DUB-E100 USB 2.0 Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\DUBE100.sys
S3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\fetnd5.sys


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

Contents of the 'Scheduled Tasks' folder
2007-07-08 04:00:02 C:\WINDOWS\Tasks\Tune-up Application Start.job
2007-08-18 08:00:02 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job - C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
2007-08-18 13:42:02 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1109338904.job - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
2007-08-16 01:12:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-18 20:31:18
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

C:\WINDOWS\SYSTEM32\CMD.EXE [2940] 0x81622020


scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************************************

Completion time: 2007-08-18 20:33:07
C:\ComboFix-quarantined-files.txt ... 2007-08-18 20:33
C:\ComboFix3.txt ... 2007-06-18 22:20
C:\ComboFix2.txt ... 2007-06-26 22:04

--- E O F ---

Budfred
08-19-2007, 03:44 AM
It is still not clear if you have an active infection... Please run F-Secure to see if it comes up with anything and let it fix what it finds...

* Click here (http://support.f-secure.com/enu/home/ols.shtml) to use the F-Secure Online Scanner
* Then click the Start Scanning button below.
* You should get a notification (bar on top) to install the ActiveX. Click on it and select to install the ActiveX.
* Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
* In case you are having problems with installing the ActiveX/starting the scan, please read here (http://support.f-secure.com/enu/home/ols-faq.shtml).
* Click the Full System Scan button.
* It will start to download scanner components and databases. This can take a while.
* The main scan will start.
* Once the scan has finished scanning, click the Automatic cleaning (recommended) button.
* It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
* The cleaning can take a while, so please be patient.
* Then click the Show report button and copy and paste what's present under results in your next reply.

kwagner_51
08-20-2007, 07:46 PM
I had to take my PC back to 08/11/2007 due to problems with ActiveX and my settings in Spyblaster.

Here is the new ComboFix scan:

ComboFix 07-08-17.2 - "Wagner" 2007-08-20 17:36:51.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.224 [GMT -5:00]
* Created a new restore point


((((((((((((((((((((((((( Files Created from 2007-07-20 to 2007-08-20 )))))))))))))))))))))))))))))))


2007-08-19 07:36 <DIR> d--hs---- C:\FOUND.005
2007-08-19 07:36 <DIR> d--hs---- C:\FOUND.004
2007-08-19 07:36 <DIR> d--hs---- C:\FOUND.003
2007-08-19 07:36 <DIR> d--hs---- C:\FOUND.002
2007-08-19 07:36 <DIR> d-------- C:\WINDOWS\NVIEW
2007-08-19 07:36 <DIR> d-------- C:\Program Files\QuickTime
2007-08-19 07:36 <DIR> d-------- C:\Program Files\iPod
2007-08-19 07:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\nView_Profiles
2007-08-19 07:35 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-17 19:03 <DIR> d--hs---- C:\FOUND.001
2007-08-17 18:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\NVIDIA
2007-08-17 18:21 <DIR> d-------- C:\WINDOWS\nview(2)
2007-08-17 18:20 <DIR> d-------- C:\NVIDIA
2007-08-17 17:33 <DIR> d--hs---- C:\FOUND.000
2007-08-15 20:23 <DIR> d-------- C:\Program Files\iPod(2)
2007-08-15 20:21 <DIR> d-------- C:\Program Files\QuickTime(2)
2007-08-15 20:20 <DIR> d-------- C:\Program Files\Common Files\Apple


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-29 11:21 --------- d-------- C:\Program Files\Mystery Case Files - Huntsville
2007-06-29 11:21 --------- d-------- C:\Program Files\BFG
2007-06-28 07:16 1315 --a------ C:\WINDOWS\system32\drivers\fwdrv.err
2007-06-26 10:13 851968 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
2007-06-26 09:35 665600 --a------ C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-26 01:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 01:08 1104896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-19 08:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 08:31 282112 --------- C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-17 00:11 51200 --a------ C:\WINDOWS\nircmd.exe
2007-06-15 03:12 96256 --a------ C:\WINDOWS\system32\dllcache\inseng.dll
2007-06-15 03:12 616960 --a------ C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-15 03:12 55808 --a------ C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-15 03:12 532480 --a------ C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-15 03:12 474112 --------- C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-06-15 03:12 449024 --a------ C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-15 03:12 39424 --a------ C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-06-15 03:12 357888 --a------ C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-06-15 03:12 3064320 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
2007-06-15 03:12 251904 --a------ C:\WINDOWS\system32\dllcache\iepeers.dll
2007-06-15 03:12 205824 --a------ C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-06-15 03:12 16384 --a------ C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-15 03:12 151040 --------- C:\WINDOWS\system32\dllcache\cdfview.dll
2007-06-15 03:12 1498112 --------- C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-06-15 03:12 146432 --a------ C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-15 03:12 1054208 --------- C:\WINDOWS\system32\dllcache\danim.dll
2007-06-15 03:12 1022976 --------- C:\WINDOWS\system32\dllcache\browseui.dll
2007-06-14 05:32 18432 --a------ C:\WINDOWS\system32\dllcache\iedw.exe
2007-06-13 05:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-13 05:23 1033216 --------- C:\WINDOWS\system32\dllcache\explorer.exe
2007-06-11 23:51 10834944 --a------ C:\WINDOWS\system32\dllcache\wmp.dll
2006-06-10 08:12 774144 --a------ C:\Program Files\RngInterstitial.dll
2005-03-14 15:54 264555 --a------ C:\Program Files\rootkitrevealer.zip
2005-02-23 06:40 214533 --a------ C:\Program Files\hijackthis.zip
2005-02-19 03:47 266 ---hs---- C:\Program Files\desktop.ini
2005-02-19 03:47 11079 ---h----- C:\Program Files\folder.htt


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YPC"="C:\PROGRA~1\YAHOO!\PARENT~1\ypc.exe" [2005-02-11 18:14]
"YOP"="C:\PROGRA~1\YAHOO!\YOP\yop.exe" [2005-04-22 19:49]
"SystemTray"="SysTray.Exe" [2001-08-23 12:00 C:\WINDOWS\SYSTEM32\systray.exe]
"Cmaudio"="cmicnfg.cpl" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-08-19 07:43]
"HostsMan"="C:\Program Files\abelhadigital.com\HostsMan\hm.exe" [2005-01-08 17:18]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-03-06 13:28]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-04-22 23:24]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2006-04-07 15:02]

C:\Documents and Settings\Wagner\Start Menu\Programs\Startup\
eDexter.lnk - C:\Program Files\Pyrenean\eDexter\eDexter.exe [2001-07-29 19:26:12]
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2005-02-21 18:55:20]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=0 (0x0)
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoThemesTab"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\wmfhotfix.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AT&T Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AT&T Self Support Tool.lnk
backup=C:\WINDOWS\pss\AT&T Self Support Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

kwagner_51
08-20-2007, 07:46 PM
cont'd

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C2K]
C:\WINDOWS\Cyb2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EssentialPIM]
"G:\Documents\HOST\EssentialPIM.exe" /autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FLMK08KB]
C:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FLMOFFICE4DMOUSE]
C:\Program Files\Browser Mouse\mouse32a.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InterWARN]
C:\Program Files\InterWARN\interwarn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM_Monitor]
C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickLookup]
C:\Program Files\Quick Lookup\QuickLookup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

R0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys
R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys
R2 SPF4;Sunbelt Personal Firewall 4;"C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe"
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys
S3 DUBE100;D-Link DUB-E100 USB 2.0 Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\DUBE100.sys
S3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\fetnd5.sys


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

Contents of the 'Scheduled Tasks' folder
2007-07-08 04:00:02 C:\WINDOWS\Tasks\Tune-up Application Start.job
2007-08-20 08:00:02 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job - C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
2007-08-20 13:42:02 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1109338904.job - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
2007-08-16 01:12:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-20 17:40:32
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

C:\WINDOWS\system32\cmd.exe [3456] 0x8149E148


scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-20 17:42:19
C:\ComboFix-quarantined-files.txt ... 2007-08-20 17:42
C:\ComboFix2.txt ... 2007-08-18 20:33
C:\ComboFix3.txt ... 2007-06-26 22:04

--- E O F ---

Budfred
08-20-2007, 08:52 PM
Did you run F-Secure??

kwagner_51
08-20-2007, 09:04 PM
Here are the results of the F-Secure scan:

Scanning Report
Monday, August 20, 2007 18:01:54 - 19:01:31
Computer name: MOMSCOMPUTER
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\


--------------------------------------------------------------------------------

Result: 1 malware found
W32/Agent.AMZU (virus)
C:\PROGRAM FILES\SHOCKWAVE.COM\BOUNCE SYMPHONY\WEBDRIVERSILENTINSTALL.EXE (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 42644
System: 4683
Not scanned: 2
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 1
Submitted: 1
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure Libra: 2.4.2, 2007-08-16
F-Secure AVP: 7.0.171, 2007-08-17
F-Secure Orion: 1.2.37, 2007-08-20
F-Secure Blacklight: 1.0.64
F-Secure Draco: 1.0.35, 0260-23-12
F-Secure Pegasus: 1.19.0, 2007-07-12
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
Use Advanced heuristics

--------------------------------------------------------------------------------


kwagner_51
08-20-2007, 10:12 PM
This report is from Jotti's Malware Scan

File: WebDriverSilentInstall.exe
Status: INFECTED/MALWARE
MD5: 6c57783eeb99afa81990fdd9738f7c5e
Packers detected: -
Bit9 reports: File not found

Scanner results
Scan taken on 21 Aug 2007 01:07:50 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found W32/Agent.AMZU
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found Spy.WildTangent, Spy.WildTangent.b, Adware.WildTangent

kwagner_51
08-20-2007, 10:38 PM
Another scan from Jotti

File: WebUpdater.exe
Status: INFECTED/MALWARE
MD5: c25c05f7e1dd3d3130f42bc3dfc2f773
Packers detected: -
Bit9 reports: File not found

Scanner results
Scan taken on 21 Aug 2007 01:34:25 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found Mal/Heuri-D
VirusBuster Found nothing
VBA32 Found nothing

Budfred
08-20-2007, 11:27 PM
It isn't real clear that you have a problem with malware... We can throw some more scans at it or you can go ahead with a wipe and reinstall...

Are you having any problems other than the freezing?? It could just be a heat problem if it occurs when you are playing games...

Let me know how you want to proceed...

kwagner_51
08-21-2007, 09:08 AM
What about these?

Result: 1 malware found
W32/Agent.AMZU (virus)
C:\PROGRAM FILES\SHOCKWAVE.COM\BOUNCE SYMPHONY\WEBDRIVERSILENTINSTALL.EXE (Submitted)


Sophos Antivirus Found Mal/Heuri-D


Norman Virus Control Found W32/Agent.AMZU
VBA32 Found Spy.WildTangent, Spy.WildTangent.b, Adware.WildTangent

How do I remove them? Also, all of them are in games, and that is what I am having problems with, for the most part.

Thanks!!

Budfred
08-21-2007, 09:25 AM
F-Secure should have already fixed the first one and the second one seems to have been identified based on heuristics, which isn't always reliable... Actually, the first one doesn't look that convincing either and may be a false positive...

WildTangent is a bit tricky... I wouldn't have it on my computer -- it is considered to be foistware and some have speculated that it allows other infections on your computer... It has spy capabilities, but claims not to use them... You could simply remove it in Add or Remove Programs and then we can clean any leftovers in your HJT log to see if that clears up the problem... Otherwise, there isn't anything real definite there to attack...