Thread ID: 84924 | HijackThis | Press F1 | mkms (12127) | 2007-11-23 08:44:00
Post 614319 | 2007-11-23 08:44:00 | mkms (12127)

My system is very slow, and I have given the log file below for your expert instruction.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:51:00 PM, on 23/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\SSCVIHOST.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\system32\SSCVIHOST.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Spamihilator\spamihilator.exe
C:\DOCUME~1\mukundh\Desktop\Magic.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\mukundh\LOCALS~1\Temp\Rar$EX04.547\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.eastern-engineering.com
F2 - REG:system.ini: Shell=Explorer.exe SSCVIHOST.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [Spamihilator] "C:\Program Files\Spamihilator\spamihilator.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\SSCVIHOST.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: DATEwise3.lnk = C:\Program Files\BizWare Magic DATEwise\DATEwise3.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - www.adobe.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{B34CEC76-A870-43A9-8F9C-93F5104213FB}: NameServer = 218.248.240.23,218.248.240.135
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

-- End of file - 7028 bytes

Please let me know the solution for this.
Post 614320 | 2007-11-23 10:15:00 | bevy121 (117)

OK - To start with... Turn off System Restore - it's in there already, probably.

Can you open Task Manager? If you can, click on this entry and end task:
C:\WINDOWS\system32\SSCVIHOST.exe

Run HJT and fix these (Nasty):
F2 - REG:system.ini: Shell=Explorer.exe SSCVIHOST.exe
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\SSCVIHOST.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

Are you in India? If not, fix this too:
O17 - HKLM\System\CCS\Services\Tcpip\..\{B34CEC76-A870-43A9-8F9C-93F5104213FB}: NameServer = 218.248.240.23,218.248.240.135
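The triage bevy121 does by eye above (F2 shell hijack, the O4 Run entry and running process that point at the same binary, the O7 lockout policy, the O17 DNS servers to confirm) can be expressed as a small parser for HijackThis 2.x log lines. This is an added example, not code from the thread or from HijackThis; the sample log is constructed from the entries posted above, and the rule that flags any O4 autostart sitting directly in the Windows directory for review is the editor's own heuristic, not something the helpers state.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis 2.0.2 format, modelled on the log posted
# above: the SSCVIHOST entries plus a few benign ones for contrast.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\SSCVIHOST.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
F2 - REG:system.ini: Shell=Explorer.exe SSCVIHOST.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\SSCVIHOST.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip\..\{B34CEC76-A870-43A9-8F9C-93F5104213FB}: NameServer = 218.248.240.23,218.248.240.135
-- End of file - 1234 bytes
"""

# Logon-policy values the thread reports the worm setting (O7 section).
RESTRICTIVE_POLICIES = {"disableregedit", "disabletaskmgr", "nofolderoptions"}

SHELL_RE = re.compile(r"^F2 - .*Shell=(?P<shell>.*)$")
O4_RE = re.compile(r"^O4 - .*?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O7_RE = re.compile(r"^O7 - .*?, (?P<value>\w+)=(?P<data>\S+)")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)")
# First executable of a command line, quoted or not (unquoted paths may contain spaces).
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|com|bat|cmd|scr|pif))"?', re.IGNORECASE)
WINDIR_RE = re.compile(r"^[a-z]:\\windows(\\system32)?$")
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Finding:
    section: str   # HJT section code ("F2", "O4", ...) or "Process"
    severity: str  # "nasty" = remove, "review" = verify with the user, "cleanup" = orphan
    reason: str
    line: str


def _split(path):
    """(directory, basename) of a Windows path, both lower-cased."""
    folder, _, base = path.replace("/", "\\").lower().rpartition("\\")
    return folder, base


def _target(cmd):
    """Executable launched by an O4 command line, with its arguments stripped."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else (cmd.split() or [""])[0]


def triage(log_text):
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    findings = []
    hijacked = set()  # basenames appended to the Winlogon Shell value

    # Pass 1: the F2 shell hijack is the anchor; Run keys and processes are correlated to it.
    for line in lines:
        m = SHELL_RE.match(line)
        if not m:
            continue
        extras = [t for t in m.group("shell").split() if t.lower() != "explorer.exe"]
        if extras:
            hijacked.update(t.lower() for t in extras)
            reason = "Shell= must be exactly Explorer.exe; extra logon payload: " + ", ".join(extras)
            findings.append(Finding("F2", "nasty", reason, line))

    # Pass 2: walk the log in order; the process list precedes the lettered sections.
    in_procs = False
    for line in lines:
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if in_procs and DRIVE_RE.match(line):
            if _split(line)[1] in hijacked:
                findings.append(Finding("Process", "nasty", "shell payload is running now; end it before fixing entries", line))
            continue
        in_procs = False
        if m := O4_RE.match(line):
            folder, base = _split(_target(m.group("cmd")))
            if base in hijacked:
                findings.append(Finding("O4", "nasty", f"Run entry [{m.group('name')}] launches the F2 shell payload", line))
            elif WINDIR_RE.match(folder):
                findings.append(Finding("O4", "review", "autostart directly from the Windows directory; verify the file", line))
        elif line.startswith("O2 - ") and line.endswith("(no file)"):
            findings.append(Finding("O2", "cleanup", "BHO registration whose DLL is missing; orphan entry", line))
        elif (m := O7_RE.match(line)) and m.group("value").lower() in RESTRICTIVE_POLICIES:
            if m.group("data") != "0":
                findings.append(Finding("O7", "nasty", f"{m.group('value')} policy locks the user out of the system; worm self-protection", line))
        elif m := O17_RE.match(line):
            servers = ", ".join(s for s in m.group("servers").split(",") if s)
            findings.append(Finding("O17", "review", f"per-adapter DNS servers {servers}; confirm they belong to the ISP", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:8}{f.section:8} {f.reason}\n{'':16} {f.line}")
```

Run against the full log posted above it produces the same four "nasty" lines bevy121 lists, plus the O17 entry for confirmation and the orphaned O2 entry Speedy Gonzales later marks safe to remove.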
Post 614321 | 2007-11-23 10:45:00 | bevy121 (117)

I would have thought AVG would detect that SOHANAD worm - do a scan and see if it picks it up. I think Avira AntiVir (http://www.free-av.com/) does, so try that if AVG doesn't.

Also download and run RogueRemover, Trojan Remover and BOClean, which you'll find in Speedy Gonzales' sig here (forums.pcworld.co.nz).

How's regedit and Control Panel? Can you access those as well, or are they disabled?
Post 614322 | 2007-11-23 11:04:00 | mkms (12127)

I tried with AVG but it did not solve the prob. The regedit & Control Panel are working, but not the Task Manager. It says the Task Manager is disabled by the administrator. There was also a Trojan Remover alert, "Restrictive Windows Explorer Policies Found", which lists DisableTaskMgr and NoFolderOptions. Because of this the Folder Options entry in the Windows Explorer menu is not available. Even after running Trojan Remover, the above is not getting cleared. :help:

Also, while shutting down the PC, the WMS Idle does not close and every time I need to press End Now. Please....... :help:
Post 614323 | 2007-11-23 16:30:00 | Speedy Gonzales (78)

Run Trojan Remover again (and update it), then select all options under the Utilities menu.

Put HijackThis in its own folder first, then run HijackThis again. Close browser/s. Did you tick the entries Bevy posted? These?

Nasty
C:\WINDOWS\system32\SSCVIHOST.exe
C:\WINDOWS\system32\SSCVIHOST.exe
F2 - REG:system.ini: Shell=Explorer.exe SSCVIHOST.exe

Safe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Safe, but don't have to run on startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

If you don't use Nero Home, tick this
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

Nasty
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\SSCVIHOST.exe

Safe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

Nasty
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
Post 614324 | 2007-11-24 00:17:00 | Pancake (6359)

You will need to clean this right out as it does contain other files...
C:\WINDOWS\system32\SSCVIHOST.exe

Download SDFix and save it to your desktop: downloads.andymanchesta.com/RemovalTools/SDFix.zip

Please then reboot your computer in Safe Mode by doing the following:
Restart your computer.
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, right click the SDFix.zip folder and choose Extract All. Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services, then make some repairs to the registry and prompt you to press any key to Reboot.
Press any key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to the Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log.

======================

As many are left in the registry and will need removing, run this... This will help to identify any other files still on your system.

Please download ComboFix from HERE (download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe) or HERE (www.techsupportforum.com/sectools/sUBs/ComboFix.exe). Save ComboFix to the desktop.
1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Copy and paste the contents of that log in your next reply with a new HijackThis log. Do not use Code or html unless asked for.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to stall/hang.
Post 614325 | 2007-11-27 10:14:00 | mkms (12127)

The Report.txt file is attached below for your reference.

SDFix: Version 1.115
Run by mukundh on Tue 27/11/2007 at 04:02 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Safe Mode:
Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...

Normal Mode:
Checking Files:
Trojan Files Found:
C:\WINDOWS\SYSTEM32\TEST3.EXE - Deleted
C:\WINDOWS\SYSTEM32\NHATQU~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\SCVSHO~1.EXE - Deleted
C:\WINDOWS\SSCVIHOST.exe - Deleted
C:\WINDOWS\system32\autorun.ini - Deleted
C:\WINDOWS\system32\blastclnnn.exe - Deleted
C:\WINDOWS\system32\scvshosts.exe - Deleted
C:\WINDOWS\system32\setting.ini - Deleted
C:\WINDOWS\system32\SSCVIHOST.exe - Deleted
Removing Temp Files...

ADS Check:
C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:
catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-27 16:06:15
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services:
------------------

Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\Spamihilator\\dccproc.exe"="C:\\Program Files\\Spamihilator\\dccproc.exe:*:Enabled:dccproc"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:
Mon 5 Nov 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 23 Dec 2004 76,568 ..SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\Setup.exe"
Thu 13 Jan 2005 11,360 A.SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\_Setupx.dll"
Wed 11 Jul 2007 20 A..H. --- "C:\Documents and Settings\mukundh\My Documents\My Music\License Backup\drmv1lic.bak"
Wed 11 Jul 2007 4,348 A..H. --- "C:\Documents and Settings\mukundh\My Documents\My Music\License Backup\drmv1key.bak"
Thu 17 May 2007 312 A.SH. --- "C:\Documents and Settings\mukundh\My Documents\My Music\License Backup\drmv2key.bak"

Finished!

=========================================

The HijackThis log is also given below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:23:57 PM, on 27/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Spamihilator\spamihilator.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.eastern-engineering.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [Spamihilator] "C:\Program Files\Spamihilator\spamihilator.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B34CEC76-A870-43A9-8F9C-93F5104213FB}: NameServer = 218.248.240.23,218.248.240.135
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

-- End of file - 6310 bytes

Now, I will try the ComboFix and post it here later.

regards
mkms
Post 614326 | 2007-11-27 10:37:00 | Speedy Gonzales (78)

HijackThis log looks good, but tick these entries. Close browser/s.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

These are safe, but don't have to run on startup:
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
Post 614327 | 2007-11-27 11:08:00 | mkms (12127)

Here is the latest HijackThis log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:14:29 PM, on 27/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Spamihilator\spamihilator.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\explorer.exe
C:\DOCUME~1\mukundh\Desktop\Magic.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.eastern-engineering.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [Spamihilator] "C:\Program Files\Spamihilator\spamihilator.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B34CEC76-A870-43A9-8F9C-93F5104213FB}: NameServer = 218.248.240.23,218.248.240.135
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

-- End of file - 5867 bytes

======================================

Below is the ComboFix report file:

ComboFix 07-11-19.4 - mukundh 2007-11-27 16:27:41.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.76 [GMT 5.5:30]
Running from: C:\Documents and Settings\mukundh\Desktop\ComboFix.exe
* Created a new restore point

((((((((((((((((((((((((( Files Created from 2007-10-27 to 2007-11-27 )))))))))))))))))))))))))))))))

2007-11-27 16:02 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-27 15:57 <DIR> d--hs---- C:\FOUND.003
2007-11-27 15:46 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-27 14:25 <DIR> d--hs---- C:\FOUND.002
2007-11-22 09:28 <DIR> dr-h----- C:\$VAULT$.AVG
2007-11-20 11:19 <DIR> d-------- C:\Program Files\BizWare Magic DATEwise
2007-11-16 17:26 <DIR> d--hs---- C:\FOUND.001
2007-11-16 16:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-16 16:42 <DIR> d-------- C:\Program Files\Trojan Remover
2007-11-16 16:42 <DIR> d-------- C:\Documents and Settings\mukundh\Application Data\Simply Super Software
2007-11-16 16:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2007-11-15 09:08 <DIR> d--hs---- C:\FOUND.000
2007-11-05 11:55 38,400 --a------ C:\WINDOWS\HPLTLNK.EXE
2007-11-03 12:59 <DIR> d-------- C:\Documents and Settings\mukundh\Phone Browser
2007-11-03 12:59 <DIR> d-------- C:\Documents and Settings\mukundh\Application Data\Datalayer
2007-11-03 12:55 <DIR> d-------- C:\Documents and Settings\mukundh\Application Data\Nokia
2007-11-03 12:53 <DIR> d-------- C:\Documents and Settings\mukundh\Application Data\PC Suite
2007-11-03 12:52 <DIR> d-------- C:\Program Files\Nokia
2007-11-03 12:52 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2007-11-03 12:52 <DIR> d-------- C:\Program Files\Common Files\Nokia
0 2007-10-19 10:04 --------- d-----w C:\Program Files\AutoCAD 2006 2007-10-19 10:04 --------- d-----w C:\Documents and Settings\mukundh\Application Data\Autodesk 2007-10-19 10:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk 2007-10-19 10:03 --------- d-----w C:\Program Files\Common Files\Autodesk Shared 2007-10-19 10:03 --------- d-----w C:\Program Files\Autodesk 2007-10-19 09:26 --------- d-----w C:\Program Files\Microsoft ActiveSync 2007-10-19 09:05 --------- d-----w C:\Program Files\microsoft frontpage 2007-10-15 04:49 2,852,532 ----a-w C:\Program Files\core . aawdef 2007-10-15 04:17 1,702,219 ----a-w C:\Program Files\defs . ref . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run] "msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr . exe" [2007-01-19 12:54] "PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2 . exe" [2005-11-30 16:56] "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager . exe" [2004-08-06 15:33] "ccleaner"="C:\Program Files\CCleaner\CCleaner . exe" [2007-09-28 13:35] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run] "AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc . exe" [2007-10-25 07:34] "AVG7_EMC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc . exe" [2007-10-25 07:34] "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck . exe" [2006-01-12 15:40] "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb1 0 . exe" [2004-03-04 20:16] "Spamihilator"="C:\Program Files\Spamihilator\spamihilator . exe" [2007-08-17 20:54] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched . exe" [2007-10-20 09:49] "Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd . 
exe" [2002-04-11 04:19] "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3 . 2\Apps\apdproxy . exe" [2007-03-09 11:09] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8 . 0\Reader\Reader_sl . exe" [2007-10-10 19:51] "Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher . exe" [2005-10-26 16:17] "PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1 . exe" [2005-12-13 08:49] "TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan . exe" [2007-11-11 13:42] [HKEY_USERS\ . DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Run] "AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw . exe" [2007-10-25 07:34] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator . lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator . lnk backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator . lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office . lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office . lnk backup=C:\WINDOWS\pss\Microsoft Office . lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds] 2002-10-16 12:35 114688 -ra------ C:\WINDOWS\system32\hkcmd . exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray] 2002-10-16 12:48 155648 -ra------ C:\WINDOWS\system32\igfxtray . exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] C:\Program Files\Messenger\msmsgs . exe /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr] C:\Program Files\MSN Messenger\MsnMsgr . 
Exe /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan] SOUNDMAN . EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent] 2001-05-01 02:27 10752 --a------ C:\Program Files\Winamp\Winampa . exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager . exe -quiet [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{55e69da5-8091-11dc-abec-000ae6dec701}] \Shell\AutoRun\command - G:\SSCVIHOST . exe \Shell\Open\command - G:\SSCVIHOST . exe [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{9dcb1c32-8b66-11dc-abfd-000ae6dec701}] \Shell\AutoRun\command - G:\SSCVIHOST . exe \Shell\Open\command - G:\SSCVIHOST . exe *Newly Created Service* - CATCHME . Contents of the 'Scheduled Tasks' folder "2007-11-23 09:33:08 C:\WINDOWS\Tasks\Norton Security Scan . job" - C:\Program Files\Norton Security Scan\Nss . exe "2007-11-27 09:53:22 C:\WINDOWS\Tasks\At1 . job" - C:\WINDOWS\system32\blastclnnn . exe . ************************************************** ************************ catchme 0 . 3 . 1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www . gmer . net Rootkit scan 2007-11-27 16:29:14 Windows 5 . 1 . 2600 Service Pack 2 FAT NTAPI scanning hidden processes . . . scanning hidden autostart entries . . . scanning hidden files . . . scan completed successfully hidden files: 0 ************************************************** ************************ . Completion time: 2007-11-27 16:29:43 . --- E O F --- ============================== Dear Mr . Speedy pls let me know how to remove the said files from startup . reg/mkms |
mkms (12127) | ||
| 614328 | 2007-11-27 19:42:00 | What's G?? A hard drive, a removable USB hard drive, or something like a USB flash drive / iPod?? Follow my previous post. Tick the entries I posted, then tick Fix checked. |
Speedy Gonzales (78) | ||