Not sure what's wrong, please take a look!!
Join Date: May 2005
Posts: 3,204
Reputation:
Solved Threads: 188
Kristy, my apologies, I missed an important line with my cut and paste.... I have corrected the instruction, and taken the opp to add more files:
-you must be in an Administrator-privileged account to run this procedure...
Start Avenger; select “Input script manually” and then click the magnifying glass icon. Paste into the box these lines as one block:-
Files to delete:
C:\WINDOWS\system32\ogycsrw.exe
C:\WINDOWS\system32\hzhkhdet.exe
C:\WINDOWS\IFinst27.exe
C:\3b10545d3d62bb28bf60f37c
C:\WINDOWS\system32\pmbvkxh_nav.dat
C:\WINDOWS\system32\linkprd.exe
C:\WINDOWS\system32\ycbeg.ini2
C:\WINDOWS\system32\ycbeg.bak2
C:\WINDOWS\system32\ycbeg.bak1
C:\WINDOWS\system32\mlkkj.bak2
C:\WINDOWS\system32\mlkkj.ini2
C:\WINDOWS\system32\mlkkj.bak1
C:\WINDOWS\system32\f3pssavr.scr
C:\DOCUME~1\Kristy\APPLIC~1\bbbconfig.dat
C:\\DOCUME~1\\Kristy\\MYDOCU~1\\SCURIT~1\\TTRIB~1.EXE
C:\WINDOWS\WSYS049.SYS
C:\WINDOWS\system\tnebli.tmp
C:\WINDOWS\system32\ihhkj.tmp
C:\WINDOWS\system32\mlkkj.tmp
C:\WINDOWS\system32\ttvwa.tmp
C:\WINDOWS\system32\ycbeg.tmp
...and click Done, and finally the green light.
Follow prompts to reboot your machine.
[The files, etc., that you asked Avenger to delete are zipped to C:\avenger\backup.zip.]
Avenger creates a log file that should open with the results of its actions. This file is located at C:\avenger.txt
===I want you to do a manual search for this file [I don't have a path for it...]; if you find it, delete it:
w03a1090.dll
Next do a Scan Only with hijackthis and check these two entries for fixing, and press Fix Checked:
O4 - Startup: .protected
O4 - Global Startup: .protected
See how you go..
Deep, deep in the woods, but walking about.
Join Date: May 2005
Posts: 3,204
Reputation:
Solved Threads: 188
Kristy, re Avenger... did you enter the whole block including the "Files to delete:" label? I can enter it into Avenger on my machine and it is quite happy about it.
Try this online scanner (we'll have to give up on Panda for the while): http://www.kaspersky.com/virusscanner and post the results.
Perhaps you can try Avenger on this file- paste in this block:
Files to delete:
C:\windows\.protected
Did you manage to run f-secure's blacklight?
Last edited by gerbil; Apr 29th, 2007 at 10:45 pm.
Deep, deep in the woods, but walking about.
Join Date: May 2005
Posts: 3,204
Reputation:
Solved Threads: 188
One other thing, I asked earlier for you to remove Norton/Symantec from your sys - I then assumed that this file detected by ComboFix was a relic from that AV - it is likely a problem file, it IS in the wrong area, and you don't want it. Please paste these two lines into the Avenger text box:
Files to delete:
C:\symlcsv1.exe
If Avenger still is not working for you, then we can try this manual way: download Unlocker 1.8.5 from http://ccollomb.free.fr/unlocker/ and install it.
You will then have to navigate to every single one of those files, right-click them and select Delete. All 23 of them.
Run ComboFix again and post its log.
Last edited by gerbil; Apr 29th, 2007 at 11:27 pm.
Deep, deep in the woods, but walking about.
Join Date: Nov 2006
Posts: 29
Reputation:
Solved Threads: 0
Status: 0xc0000034
File C:\WINDOWS\system32\ycbeg.ini2 deleted successfully.
File C:\WINDOWS\system32\ycbeg.bak2 deleted successfully.
File C:\WINDOWS\system32\ycbeg.bak1 deleted successfully.
File C:\WINDOWS\system32\mlkkj.bak2 deleted successfully.
File C:\WINDOWS\system32\mlkkj.ini2 deleted successfully.
File C:\WINDOWS\system32\mlkkj.bak1 deleted successfully.
File C:\WINDOWS\system32\f3pssavr.scr deleted successfully.
File C:\DOCUME~1\Kristy\APPLIC~1\bbbconfig.dat deleted successfully.
Could not open file C:\\DOCUME~1\\Kristy\\MYDOCU~1\\SCURIT~1\\TTRIB~1.EXE for deletion
Deletion of file C:\\DOCUME~1\\Kristy\\MYDOCU~1\\SCURIT~1\\TTRIB~1.EXE failed!
Could not process line:
C:\\DOCUME~1\\Kristy\\MYDOCU~1\\SCURIT~1\\TTRIB~1.EXE
Status: 0xc000003a
File C:\WINDOWS\WSYS049.SYS deleted successfully.
File C:\WINDOWS\system\tnebli.tmp deleted successfully.
File C:\WINDOWS\system32\ihhkj.tmp deleted successfully.
File C:\WINDOWS\system32\mlkkj.tmp deleted successfully.
File C:\WINDOWS\system32\ttvwa.tmp deleted successfully.
File C:\WINDOWS\system32\ycbeg.tmp deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
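An added example, not part of this thread and not Avenger's own tooling: a small Python checker that reads an Avenger-style result log like the one posted above, pairs each failed deletion with the "Status:" code that follows it, and names the two NTSTATUS values that appear in the log (0xc0000034 is STATUS_OBJECT_NAME_NOT_FOUND, 0xc000003a is STATUS_OBJECT_PATH_NOT_FOUND). It also scans a "Files to delete:" block for doubled backslashes, because the one entry that failed above is exactly the one written with doubled backslashes in the pasted script; that reading is an assumption on my part, supported by the "path not found" status. The sample log and sample script are constructed excerpts of the text on this page, and the function names are mine.

```python
import re
from typing import Dict, List, Optional

# Standard NTSTATUS names for the two codes that appear in the log above.
NTSTATUS_NAMES = {
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC000003A: "STATUS_OBJECT_PATH_NOT_FOUND",
}

DELETED_RE = re.compile(r"^File (?P<path>.+?) deleted successfully\.$")
FAILED_RE = re.compile(r"^Deletion of file (?P<path>.+?) failed!$")
STATUS_RE = re.compile(r"^Status: 0x(?P<code>[0-9a-fA-F]{8})$")


def parse_avenger_log(text: str) -> Dict[str, list]:
    """Summarise an Avenger result log.

    Returns {"deleted": [paths], "failed": [{"path", "status", "status_name"}]}.
    In the posted log the 'Status:' line follows the failure it belongs to,
    so a status code is attached to the most recent unresolved failure.
    """
    deleted: List[str] = []
    failed: List[Dict[str, Optional[object]]] = []
    pending: Optional[Dict[str, Optional[object]]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := DELETED_RE.match(line)):
            deleted.append(m.group("path"))
        elif (m := FAILED_RE.match(line)):
            pending = {"path": m.group("path"), "status": None, "status_name": None}
            failed.append(pending)
        elif (m := STATUS_RE.match(line)):
            code = int(m.group("code"), 16)
            if pending is not None:
                pending["status"] = code
                pending["status_name"] = NTSTATUS_NAMES.get(code, "UNKNOWN")
                pending = None
    return {"deleted": deleted, "failed": failed}


def check_delete_script(script: str) -> List[str]:
    """Return lines under a 'Files to delete:' header that contain doubled
    backslashes, the malformation seen in the entry that failed above."""
    problems: List[str] = []
    in_block = False
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() == "files to delete:":
            in_block = True
            continue
        if line.endswith(":"):        # any other section header ends the block
            in_block = False
            continue
        if in_block and "\\\\" in line:
            problems.append(line)
    return problems


def normalize_path(path: str) -> str:
    """Collapse runs of backslashes to a single separator."""
    return re.sub(r"\\{2,}", r"\\", path)


# Constructed excerpt of the log posted above (not the full log).
SAMPLE_LOG = r"""File C:\WINDOWS\system32\ycbeg.ini2 deleted successfully.
File C:\WINDOWS\system32\f3pssavr.scr deleted successfully.
File C:\DOCUME~1\Kristy\APPLIC~1\bbbconfig.dat deleted successfully.
Could not open file C:\\DOCUME~1\\Kristy\\MYDOCU~1\\SCURIT~1\\TTRIB~1.EXE for deletion
Deletion of file C:\\DOCUME~1\\Kristy\\MYDOCU~1\\SCURIT~1\\TTRIB~1.EXE failed!
Could not process line:
C:\\DOCUME~1\\Kristy\\MYDOCU~1\\SCURIT~1\\TTRIB~1.EXE
Status: 0xc000003a
File C:\WINDOWS\WSYS049.SYS deleted successfully.
Completed script processing.
"""

# Constructed excerpt of the pasted script, including the doubled-backslash line.
SAMPLE_SCRIPT = r"""Files to delete:
C:\WINDOWS\system32\ogycsrw.exe
C:\\DOCUME~1\\Kristy\\MYDOCU~1\\SCURIT~1\\TTRIB~1.EXE
C:\WINDOWS\WSYS049.SYS
"""

if __name__ == "__main__":
    summary = parse_avenger_log(SAMPLE_LOG)
    print(f"deleted: {len(summary['deleted'])}, failed: {len(summary['failed'])}")
    for f in summary["failed"]:
        print(f"  FAILED {f['path']} -> {f['status_name']}")
    for bad in check_delete_script(SAMPLE_SCRIPT):
        print(f"suspect script line: {bad}\n  suggested: {normalize_path(bad)}")
```

Run it against the real C:\avenger.txt by reading that file into parse_avenger_log; the point of the script check is to catch a malformed path before the reboot rather than after, which matches the corrected single-backslash line gerbil issued later in the thread.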
Join Date: Nov 2006
Posts: 29
Reputation:
Solved Threads: 0
"Kristy" - 07-04-30 12:54:42 Service Pack 2
ComboFix 07-04-25.4V - Running from: "C:\Program Files\AOL 9.0a\download\"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\DOCUME~1
C:\qoobox\purity\C\DOCUME~1\Kristy
C:\qoobox\purity\C\DOCUME~1\Kristy\APPLIC~1
C:\qoobox\purity\C\DOCUME~1\Kristy\MYDOCU~1
C:\qoobox\purity\C\DOCUME~1\Kristy\APPLIC~1\PPPATC~1
C:\qoobox\purity\C\DOCUME~1\Kristy\MYDOCU~1\CROSOF~1
C:\qoobox\purity\C\DOCUME~1\Kristy\MYDOCU~1\RACLE~1
C:\qoobox\purity\C\DOCUME~1\Kristy\MYDOCU~1\SCURIT~1
C:\qoobox\purity\C\Program Files\APPATC~1
C:\qoobox\purity\C\Program Files\CURITY~1
C:\qoobox\purity\C\Program Files\DOBE~1
C:\qoobox\purity\C\Program Files\SCURIT~1
C:\qoobox\purity\C\Program Files\WNSXS~1
C:\qoobox\purity\C\Program Files\YMBOLS~1
C:\qoobox\purity\C\Program Files\Common Files\DOBE~1
C:\qoobox\purity\C\Program Files\Common Files\RACLE~1
C:\qoobox\purity\C\Program Files\Common Files\SKS~1
C:\qoobox\purity\C\WINDOWS\CROSOF~1.NET
C:\qoobox\purity\C\WINDOWS\DOBE~1
C:\qoobox\purity\C\WINDOWS\MANTEC~1
C:\qoobox\purity\C\WINDOWS\MCROSO~1
C:\qoobox\purity\C\WINDOWS\system32\DOBE~1
C:\qoobox\purity\C\WINDOWS\system32\YMANTE~1
((((((((((((((((((((((((((((((( Files Created from 2007-03-28 to 2007-04-30 ))))))))))))))))))))))))))))))))))
2007-04-30 09:22 d-------- C:\avenger
2007-04-30 09:20 60,416 --a------ C:\WINDOWS\system32\drivers\oryeobyk.sys
2007-04-30 09:19 60,416 --a------ C:\WINDOWS\system32\drivers\ovygriae.sys
2007-04-30 09:19 60,416 --a------ C:\WINDOWS\system32\drivers\fakofips.sys
2007-04-30 09:16 126,976 --a------ C:\zip.exe
2007-04-26 15:59 3,606 --a------ C:\WINDOWS\system32\tmp.reg
2007-04-26 15:57 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-04-26 15:57 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-04-26 15:57 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-04-26 09:19 d-------- C:\VundoFix Backups
2007-04-25 19:10 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-25 18:58 d-------- C:\Program Files\cc
2007-04-25 18:53 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-04-25 14:42 d-------- C:\WINDOWS\system32\NtmsData
2007-04-25 10:01 d-------- C:\Program Files\New Folder
2007-04-24 18:46 d-------- C:\DOCUME~1\Kristy\APPLIC~1\Solitaire.Com
2007-04-13 12:24 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\InstallShield
2007-04-13 12:06 d-------- C:\WINDOWS\system32\FlashAX
2007-04-09 22:46 d-------- C:\Program Files\MSXML 4.0
2007-04-09 22:46 d-------- C:\3b10545d3d62bb28bf60f37c
2007-04-09 19:50 d-------- C:\WINDOWS\network diagnostic
2007-04-09 19:10 d-------- C:\WINDOWS\CAVTemp
2007-04-09 15:45 95,760 --a------ C:\WINDOWS\system32\isafeif.dll
2007-04-09 15:45 75,280 --a------ C:\WINDOWS\system32\vetredir.dll
2007-04-09 15:45 75,280 --a------ C:\WINDOWS\system32\isafprod.dll
2007-04-09 15:45 629,216 --a------ C:\WINDOWS\system32\drivers\vetefile.sys
2007-04-09 15:45 32,528 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2007-04-09 15:45 26,640 --a------ C:\WINDOWS\system32\drivers\vet-filt.sys
2007-04-09 15:45 21,648 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
2007-04-09 15:45 21,392 --a------ C:\WINDOWS\system32\drivers\vet-rec.sys
2007-04-09 15:45 108,544 --a------ C:\WINDOWS\system32\drivers\veteboot.sys
2007-04-09 15:44 d-------- C:\Program Files\CA
2007-04-09 15:44 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\CA
2007-04-09 13:57 d-------- C:\Program Files\Smart PC Solutions
2007-04-09 13:57 d-------- C:\DOCUME~1\Kristy\APPLIC~1\Smart PC Solutions
2007-04-09 13:19 d-------- C:\Program Files\RegistrySmart
2007-04-09 13:19 d-------- C:\DOCUME~1\Kristy\APPLIC~1\RegistrySmart
2007-04-06 15:05 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Messenger Plus!
2007-04-06 15:03 d-------- C:\Program Files\Messenger Plus! Live
2007-04-06 14:37 d-------- C:\DOCUME~1\Kristy\APPLIC~1\MSNInstaller
2007-04-05 21:57 d-------- C:\DOCUME~1\Kristy\APPLIC~1\Screenshot Sender
2007-04-04 18:48 77,160 --a------ C:\WINDOWS\DSETUP.dll
2007-04-04 18:48 503,144 --a------ C:\WINDOWS\DXSETUP.exe
2007-04-04 18:48 1,673,576 --a------ C:\WINDOWS\dsetup32.dll
2007-04-03 14:27 1,246,096 ---hs---- C:\WINDOWS\system32\ttvwa.ini2
2007-03-30 14:28 1,257,356 ---hs---- C:\WINDOWS\system32\ttvwa.bak2
2007-03-29 13:26 1,261,135 ---hs---- C:\WINDOWS\system32\ttvwa.bak1
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-04-29 20:17 -------- d-------- C:\Program Files\morpheus
2007-04-26 09:26 -------- d-------- C:\Program Files\norton antivirus
2007-04-15 18:23 -------- d-------- C:\Program Files\gpotato
2007-04-15 14:22 874 --a------ C:\DOCUME~1\Kristy\APPLIC~1\adobedlm.log
2007-04-15 14:22 6 --a------ C:\DOCUME~1\Kristy\APPLIC~1\dm.ini
2007-04-14 16:46 -------- d--h----- C:\Program Files\installshield installation information
2007-04-13 12:16 3583 --a--c--- C:\WINDOWS\mozver.dat
2007-04-09 19:10 -------- d-------- C:\Program Files\windows nt
2007-04-06 15:03 -------- d-------- C:\Program Files\msn messenger
2007-03-31 19:59 -------- d-------- C:\DOCUME~1\Kristy\APPLIC~1\zylom
2007-03-31 18:36 -------- d-------- C:\DOCUME~1\Kristy\APPLIC~1\mysterystudio
2007-03-21 16:08 142568 --a------ C:\WINDOWS\system32linkprd.exe
2007-03-20 12:13 -------- d-------- C:\DOCUME~1\Kristy\APPLIC~1\magic academy
2007-03-19 00:43 155411 --a------ C:\WINDOWS\system32\drivers\dump_wmimmc.sys
2007-03-17 14:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-15 13:12 -------- d-------- C:\Program Files\cyberlink
2007-03-15 13:09 -------- d-------- C:\Program Files\epson
2007-03-15 13:06 -------- d-------- C:\Program Files\logitech
2007-03-15 12:55 -------- d--h----- C:\Program Files\zero g registry
2007-03-14 21:27 -------- d-------- C:\DOCUME~1\Kristy\APPLIC~1\messengerskinner
2007-03-10 19:24 -------- d-------- C:\Program Files\mythwar_en
2007-03-09 23:51 -------- d-------- C:\DOCUME~1\Kristy\APPLIC~1\imvu
2007-03-09 20:10 -------- d-------- C:\DOCUME~1\Kristy\APPLIC~1\utorrent
2007-03-08 16:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 16:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 16:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 14:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-06 01:23 -------- d-------- C:\Program Files\imvu
2007-03-04 15:01 -------- d-------- C:\Program Files\webroot
2007-02-26 11:53 164 --a------ C:\install.dat
2007-02-08 00:39 6144 --ahs---- C:\Program Files\thumbs.db
2007-02-05 21:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
{9030D464-4C02-4ABF-8ECC-5164760863C6} C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AOLDialer"="\"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe\""
"LVCOMSX"="C:\\WINDOWS\\system32\\LVCOMSX.EXE"
"BluetoothAuthenticationAgent"="\"rundll32.exe\" bthprops.cpl,,BluetoothAuthenticationAgent"
"HostManager"="\"C:\\Program Files\\Common Files\\AOL\\1149184109\\ee\\AOLSoftware.exe\""
"NvCplDaemon"="\"RUNDLL32.EXE\" C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"Lexmark X84-X85 Button Monitor"="C:\\PROGRA~1\\LEXMAR~1\\ACMonitor_X84-X85.exe"
"Lexmark X84-X85 Button Manager"="C:\\PROGRA~1\\LEXMAR~1\\AcBtnMgr_X84-X85.exe"
"PrinTray"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\printray.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"cctray"="\"C:\\Program Files\\CA\\CA Internet Security Suite\\cctray\\cctray.exe\""
"QOELOADER"="\"C:\\Program Files\\CA\\CA Internet Security Suite\\CA Anti-Spam\\QSP-5.0.419.0\\QOELoader.exe\""
"CAVRID"="\"C:\\Program Files\\CA\\CA Internet Security Suite\\CA Anti-Virus\\CAVRID.exe\""
"cafwc"="C:\\Program Files\\CA\\CA Internet Security Suite\\CA Personal Firewall\\cafw.exe -cl"
"wskveucd"="C:\\fbbqkmik.bat"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"=""
"Nqnzqv"="C:\\DOCUME~1\\Kristy\\APPLIC~1\\PPPATC~1\\NPDB~1.EXE"
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
Source REG_SZ C:\Documents and Settings\Kristy\My Documents\ticker.html
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\3]
Source REG_SZ C:\Documents and Settings\Kristy\My Documents\babynew.html
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\4]
Source REG_SZ C:\Documents and Settings\Kristy\My Documents\baby_desktop.html
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\AOL 9.0 Tray Icon.lnk"
"backup"="C:\\WINDOWS\\pss\\AOL 9.0 Tray Icon.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\AOL9~1.0A\\aoltray.exe -check"
"item"="AOL 9.0 Tray Icon"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\BTTray.lnk"
"backup"="C:\\WINDOWS\\pss\\BTTray.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Belkin\\BLUETO~1\\BTTray.exe "
"item"="BTTray"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TTRIB~1"
"hkey"="HKCU"
"command"="C:\\DOCUME~1\\Kristy\\MYDOCU~1\\SCURIT~1\\TTRIB~1.EXE"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\%FP%Friendly fts.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="fts"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\VoyagerTest\\fts.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALServ]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ALServ"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Altec Lansing\\AMS\\ALServ.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLDial"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDogPath]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="VM_STI"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\VM_STI.EXE Cammaestro 4.2GU build 1105"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="rundll32"
"hkey"="HKLM"
"command"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CARPService]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="carpserv"
"hkey"="HKLM"
"command"="carpserv.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLAGENTEXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dslagent"
"hkey"="HKLM"
"command"="C:\\Program Files\\BT Voyager 105 ADSL Modem\\dslagent.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLSTATEXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dslstat"
"hkey"="HKLM"
"command"="C:\\Program Files\\BT Voyager 105 ADSL Modem\\dslstat.exe icon"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gqxowron]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TTRIB~1"
"hkey"="HKCU"
"command"="C:\\DOCUME~1\\Kristy\\MYDOCU~1\\SCURIT~1\\TTRIB~1.EXE"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLHostManager"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\1149184109\\ee\\AOLHostManager.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X84-X85 Button Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AcBtnMgr_X84-X85"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\LEXMAR~1\\AcBtnMgr_X84-X85.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X84-X85 Button Monitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ACMonitor_X84-X85"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\LEXMAR~1\\ACMonitor_X84-X85.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"item"="????"
"hkey"="HKCU"
"command"="????"
"inimapping"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="McAgent"
"hkey"="HKLM"
"command"="c:\\PROGRA~1\\mcafee.com\\agent\\McAgent.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="McUpdate"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus3]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MsgPlus"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\MessengerPlus! 3\\MsgPlus.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mimboot"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~1\\mimboot.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mousepad]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mousepad12"
"hkey"="HKLM"
"command"="C:\\windows\\mousepad12.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RunDLL32"
"hkey"="HKLM"
"command"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpiStat]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="OpiStat"
"hkey"="HKLM"
"command"="C:\\Program Files\\OpiStat\\OpiStat\\OpiStat.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="printray"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\printray.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PDVDServ"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"item"="????"
"hkey"="HKCU"
"command"="????"
"inimapping"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Skype"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SOUNDMAN"
"hkey"="HKLM"
"command"="SOUNDMAN.EXE"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SweetIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SweetIM"
"hkey"="HKLM"
"command"="C:\\Program Files\\Macrogaming\\SweetIM\\SweetIM.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\type32]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="type32"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcvsshld"
"hkey"="HKLM"
"command"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcmnhdlr"
"hkey"="HKLM"
"command"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\w03a1090.dll]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE w03a1090.dll,I2 00085ca3003a1090"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
bthsvcs REG_MULTI_SZ BthServ\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_ATWPKT2
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\A68FA4CC91845D2C.job
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\CAAntiSpywareScan_Daily as Kristy at 15 45.job
C:\WINDOWS\tasks\McAfee.com Update Check (COMPUTER-Ed).job
C:\WINDOWS\tasks\McAfee.com Update Check (COMPUTER-Kristy).job
C:\WINDOWS\tasks\RegistrySmart Scheduled Scan.job
********************************************************************
catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-30 13:11:46
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 07-04-30 13:13:04
C:\ComboFix-quarantined-files.txt ... 07-04-30 13:13
C:\ComboFix2.txt ... 07-04-25 18:53
Join Date: May 2005
Posts: 3,204
Reputation:
Solved Threads: 188
Kristy, do you have, or can you borrow, a Windows installation CD? cos I think to get Explorer working better you need to run System File Checker. That is, Start, Run, type sfc /scannow and press Enter. That would/should fix any errors that some components may have.
Checking those logs you provided now...
Meanwhile, could you pls run Avenger again with this script to be pasted in?
Files to delete:
C:\windows\.protected
C:\symlcsv1.exe
C:\WINDOWS\IFinst27.exe
C:\3b10545d3d62bb28bf60f37c
C:\WINDOWS\system32\pmbvkxh_nav.dat
C:\WINDOWS\system32\linkprd.exe
C:\WINDOWS\system32\pmbvkxh_nav.dat
C:\DOCUME~1\Kristy\MYDOCU~1\SCURIT~1\TTRIB~1.EXE
Last edited by gerbil; Apr 30th, 2007 at 10:47 am.
Deep, deep in the woods, but walking about.
Join Date: Jul 2005
Posts: 4
Reputation:
Solved Threads: 0
Hi everyone, my PC is running slower than usual. It keeps reading the hard disk and takes more than 10 sec to load a webpage.
Pls kindly advise and let me know if you need more info. Thanks a million.
Pls see the spykill's system analyzer log (not sure if this is the same as HijackThis) below:
Report generated on 5/1/2007 4:41:02 AM
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/?.intl=sg
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qsg10.hpwis.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust...arch.yahoo.com
HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust...arch.yahoo.com
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qsg10.hpwis.com/
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qsg10.hpwis.com/
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust...arch.yahoo.com
HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
BrowserHelperObject: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [ file size: 399,424 bytes ]
BrowserHelperObject: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [ file size: 50,376 bytes ]
BrowserHelperObject: name not found - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - [ file size: File not found! ]
BrowserHelperObject: name not found - {A5366673-E8CA-11D3-9CD9-0090271D075B} - [ file size: File not found! ]
IE Toolbar: name not found - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - [ file size: File not found! ]
IE Toolbar: name not found - {8E718888-423F-11D2-876E-00A0C9082467} - [ file size: File not found! ]
IE Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [ file size: 399,424 bytes ]
HKLM\...\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ file size: 48,752 bytes ]
HKLM\...\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe [ file size: 85,696 bytes ]
HKLM\...\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe [ file size: 693,528 bytes ]
HKCU\...\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background [ file size: 145,056,491 bytes ]
HKCU\...\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet [ file size: 3,334,144 bytes ]
HKCU\...\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe [ file size: 13,312 bytes ]
HKCU\...\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background [ file size: 145,056,491 bytes ]
Local user startup: Shortcut to BitComet.lnk = C:\Program Files\BitComet\BitComet.exe [ file size: 2,600,960 bytes ]
Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - [ file size: File not found! ]
Extra 'Tools' menu item: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - [ file size: File not found! ]
Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmestw.dll [ file size: 316,552 bytes ]
Extra 'Tools' menu item: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmestw.dll [ file size: 316,552 bytes ]
Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe [ file size: 1,482,752 bytes]
Extra 'Tools' menu item: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe [ file size: 1,482,752 bytes ]
DownloadedProgramFiles: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (name not found) - http://www.lizardtech.com/download/f...trol_en_US.cab
DownloadedProgramFiles: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
DownloadedProgramFiles: {D27CDB6E-AE6D-11CF-96B8-444553540000} (name not found) - http://download.macromedia.com/pub/s...sh/swflash.cab
Protocol handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll"
Protocol handler: vnd.ms.radio - {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINDOWS\System32\msdxm.ocx
Winlogon Notify: igfxcui - igfxsrvc.dll (file missing)
Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
ShellServiceObjectDelayLoad: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - C:\PROGRA~1\COMMON~1\Stardock\MCPCore.dll
ShellServiceObjectDelayLoad: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - %SystemRoot%\system32\SHELL32.dll
ShellServiceObjectDelayLoad: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - %SystemRoot%\system32\SHELL32.dll
ShellServiceObjectDelayLoad: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - %SystemRoot%\System32\webcheck.dll
ShellServiceObjectDelayLoad: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\System32\stobject.dll
SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - %SystemRoot%\System32\browseui.dll
SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - %SystemRoot%\System32\browseui.dll
Service: Symantec Event Manager (ccEvtMgr) - Description: Symantec Event Manager Service - Company: Symantec Corporation - Filename: C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
Service: Symantec Settings Manager (ccSetMgr) - Description: Symantec Settings Manager Service - Company: Symantec Corporation - Filename: C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
Service: Symantec AntiVirus Definition Watcher (DefWatch) - Description: Virus Definition Daemon - Company: Symantec Corporation - Filename: C:\Program Files\Symantec AntiVirus\DefWatch.exe
Service: Remote Procedure Call (RPC) (RpcSs) - Description: Unknown - Company: Unknown - Filename: Unknown
Service: StarWind iSCSI Service (StarWindService) - Description: StarWind iSCSI Target (Alcohol Edition) - Company: Rocket Division Software - Filename: C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
Service: Windows Image Acquisition (WIA) (stisvc) - Description: Unknown - Company: Unknown - Filename: Unknown
Service: Symantec AntiVirus (Symantec AntiVirus) - Description: Symantec AntiVirus - Company: Symantec Corporation - Filename: C:\Program Files\Symantec AntiVirus\Rtvscan.exe
Service: TrueVector Internet Monitor (vsmon) - Description: TrueVector Service - Company: Zone Labs Inc. - Filename: C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Please advise and let me know if you need more info. Thanks a million.
Kristy, it is not important, but you can skip my last post #38 to you re Avenger; a more complete version follows this.
Please make a restore point before you do the next step. I need you to run this batch file: it will list several registry keys to a text file in your C:\ root folder, C:\krquery.txt, and then remove them from the registry. To run the batch file, simply copy all the text between the stars below into Notepad [turn OFF word wrap!!], name it bugremv.bat and save it [as All files] to your desktop. Then just double-click the icon to run it. Post me the txt file please.
******************************************************************
REM file to test if all entries exist and then delete them
REM Part 1: write each target that exists to C:\krquery.txt (the first query
REM creates the file with ">", the rest append with ">>").
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run" /v wskveucd >c:\krquery.txt
reg query "HKEY_USERS\.default\software\microsoft\windows\currentversion\run" /v Nqnzqv >> c:\krquery.txt
reg query "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg" >> c:\krquery.txt
reg query "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gqxowron" >> c:\krquery.txt
reg query "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load" >> c:\krquery.txt
reg query "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run" >> c:\krquery.txt
reg query "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\w03a1090.dll" >> c:\krquery.txt
REM Part 2: remove them. /f skips the confirmation prompt; /va deletes all the
REM values directly under the startupreg key but leaves its subkeys, which the
REM following lines remove one by one.
reg delete "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run" /v wskveucd /f
reg delete "HKEY_USERS\.default\software\microsoft\windows\currentversion\run" /v Nqnzqv /f
reg delete "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg" /va /f
reg delete "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gqxowron" /f
reg delete "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load" /f
reg delete "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run" /f
reg delete "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\w03a1090.dll" /f
******************************************************************
Now, do you have a task scheduled, such as a regular backup? I can see Apple, CA, McAfee and RegistrySmart, but there is another one....? Please check Scheduled Tasks via Control Panel and check this one:
[C:\WINDOWS\tasks\] A68FA4CC91845D2C.job - use Details view; tell me if it is yours. If it is not, or it looks doubtful, remove it [right-click, Delete].
What is this? Do you know it? No? Then delete it:
C:\zip.exe
Delete the C:\qoobox folder.
Last edited by gerbil; May 1st, 2007 at 11:07 am.
Deep, deep in the woods, but walking about.
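An added example (not code from this thread, from SpyKill or from HijackThis) that does by script what the two posts above do by eye: it parses the analyzer report Kristy posted, flags the entries whose file is "not found" or "(file missing)", and drafts a bugremv.bat-style cleanup that `reg export`s each key before it `reg delete`s it, so the step stays reversible even if the restore point is forgotten. The registry paths are the standard homes of BHO, IE toolbar, IE extension, Winlogon Notify and Run items; the sample log lines are a constructed excerpt of the report above; the backup folder C:\regbackup, the backup file names and the duplicate-size heuristic are my assumptions, not anything the thread states.

```python
import re
from typing import Dict, List, NamedTuple, Optional


class Finding(NamedTuple):
    severity: str   # "cleanup": dangling registration; "review": needs a human decision
    reason: str
    reg_key: str    # registry key to back up and query/delete ("" when none applies)
    reg_value: str  # value name under reg_key; "" means the whole key
    line: str


# Standard registry homes of the item types the analyzer reports.
COM_HOMES = {
    "BrowserHelperObject": (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{clsid}", ""),
    "IE Toolbar": (r"HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar", "{clsid}"),
    "Extra button": (r"HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{clsid}", ""),
    "Extra 'Tools' menu item": (r"HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{clsid}", ""),
}
NOTIFY_HOME = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{name}"
RUN_HOME = {"HKLM": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "HKCU": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"}

COM_ENTRY = re.compile(r"^(?P<kind>BrowserHelperObject|IE Toolbar|Extra button|Extra 'Tools' menu item): "
                       r"(?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*?)\s*\[ file size: (?P<size>[^\]]+?)\s*\]$")
RUN_ENTRY = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*?)\s*\[ file size: (?P<size>[^\]]+?)\s*\]$")
NOTIFY_ENTRY = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
SERVICE_ENTRY = re.compile(r"^Service: (?P<name>.*?) - Description: .*? - Company: .*? - Filename: (?P<file>.*)$")


def parse_size(text: str) -> Optional[int]:
    # '399,424 bytes' -> 399424; 'File not found!' -> None
    m = re.match(r"([\d,]+) bytes", text.strip())
    return int(m.group(1).replace(",", "")) if m else None


def image_path(cmd: str) -> str:
    # first token of a Run command line, honouring quotes around paths with spaces
    cmd = cmd.strip()
    return cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split()[0]


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    sizes_seen: Dict[int, str] = {}  # reported size -> first image path seen with it
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := COM_ENTRY.match(line)):
            if parse_size(m["size"]) is None:  # registration survives but the file is gone
                key, val = COM_HOMES[m["kind"]]
                findings.append(Finding("cleanup", f"{m['kind']} {m['clsid']} points at a file that is not on disk",
                                        key.format(clsid=m["clsid"]), val.format(clsid=m["clsid"]), line))
        elif (m := RUN_ENTRY.match(line)):
            size, exe, key = parse_size(m["size"]), image_path(m["cmd"]), RUN_HOME[m["hive"]]
            if size is None:
                findings.append(Finding("review", f"Run entry [{m['name']}] starts a file that is not on disk",
                                        key, m["name"], line))
            elif size in sizes_seen and sizes_seen[size].lower() != exe.lower():
                findings.append(Finding("review", f"Run entry [{m['name']}] reports the same size ({size:,} bytes) as "
                                        f"{sizes_seen[size]}; identical sizes for different files usually mean the "
                                        "analyzer misread them, so check both on disk", key, m["name"], line))
            else:
                sizes_seen.setdefault(size, exe)
        elif (m := NOTIFY_ENTRY.match(line)):
            if "(file missing)" in m["path"]:  # Winlogon Notify is a classic persistence point
                findings.append(Finding("cleanup", f"Winlogon Notify package '{m['name']}' references a missing DLL",
                                        NOTIFY_HOME.format(name=m["name"]), "", line))
        elif (m := SERVICE_ENTRY.match(line)):
            if m["file"] == "Unknown":
                findings.append(Finding("review", f"service '{m['name']}' has no resolved image path; "
                                        "confirm it is svchost-hosted with 'sc qc'", "", "", line))
    return findings


def cleanup_batch(findings: List[Finding], backup_dir: str = r"C:\regbackup") -> str:
    # batch text in the style of bugremv.bat: query every target into a log, but
    # 'reg export' each key before deleting it so the change can be undone from the .reg
    out = ["@echo off", f'mkdir "{backup_dir}" 2>nul', f'set LOG={backup_dir}\\query.txt',
           'echo registry cleanup > "%LOG%"']
    for n, f in enumerate(x for x in findings if x.reg_key):
        target = f'"{f.reg_key}"' + (f' /v "{f.reg_value}"' if f.reg_value else "")
        out.append(f'reg query {target} >> "%LOG%"')
        if f.severity == "cleanup":
            out.append(f'reg export "{f.reg_key}" "{backup_dir}\\backup{n}.reg"')
            out.append(f"reg delete {target} /f")
    return "\n".join(out) + "\n"


# Constructed excerpt of the analyzer report posted above (sample input, not the full log).
SAMPLE_LOG = r"""
BrowserHelperObject: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [ file size: 399,424 bytes ]
BrowserHelperObject: name not found - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - [ file size: File not found! ]
IE Toolbar: name not found - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - [ file size: File not found! ]
HKLM\...\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ file size: 48,752 bytes ]
HKCU\...\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background [ file size: 145,056,491 bytes ]
HKCU\...\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background [ file size: 145,056,491 bytes ]
Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - [ file size: File not found! ]
Winlogon Notify: igfxcui - igfxsrvc.dll (file missing)
Service: Remote Procedure Call (RPC) (RpcSs) - Description: Unknown - Company: Unknown - Filename: Unknown
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.severity}] {f.reason}")
    print(cleanup_batch(found))
```

The "cleanup" findings are the ones that are safe to script: a CLSID or Notify package whose file is already gone does nothing at boot, so removing the stale registration loses nothing. Everything marked "review" (a Run entry with an odd size, a service the tool could not resolve) is only queried into the log, which keeps the decision with the person reading it, as gerbil does with the scheduled task above.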
and with HijackThis it said these 2 files are in use so they cannot be deleted.