 |  |  |  |  |  |  |  |
zapchast.reg
Thread Solved
 |
I have a zapchest trojen on my system. Looked through my hi jack this log and can't see anything that obvious as to whats causing it. Any help much appreciated.
dave
•
•
•
•
Logfile of HijackThis v1.99.1
Scan saved at 09:35:55, on 15/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\RAM Def\ramdef.exe
C:\Program Files\Razer\Habu\razerhid.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\lExplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Razer\Habu\razertra.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Razer\Habu\razerofa.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Opera\Opera.exe
C:\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [RAMDef] C:\Program Files\RAM Def\ramdef.exe -tray
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Habu] C:\Program Files\Razer\Habu\razerhid.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [lnternet Update] lExplore.exe
O4 - HKLM\..\RunServices: [lnternet Update] lExplore.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1186512785546
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
Download
SDFix
and save it to your desktop.
Please then reboot your computer in Safe Mode by doing the
following :
SDFix
and save it to your desktop.
Please then reboot your computer in Safe Mode by doing the
following :
- Restart your computer
- After hearing your computer beep once during startup, but before the
Windows icon appears, tap the F8 key continually; - Instead of Windows loading as normal, a menu with options should appear;
- Select the first option, to run Windows in Safe Mode, then press "Enter".
- Choose your usual account.
- In Safe Mode, right click the SDFix.zip folder and choose Extract
All, - Open the extracted folder and double click RunThis.bat to
start the script. - Type Y to begin the script.
- It will remove the Trojan Services then make some repairs to the
registry and prompt you to press any key to Reboot. - Press any Key and it will restart the PC.
- Your system will take longer that normal to restart as the fixtool
will be running and removing files. - When the desktop loads the Fixtool will complete the removal and
display Finished, then press any key to end the script and load
your desktop icons. - Finally open the SDFix folder on your desktop and copy and paste the
contents of the results file Report.txt back onto the forum with
a new HijackThis log
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera AVAST anti-virus Comodo Firewall Spywareblaster
Opera AVAST anti-virus Comodo Firewall Spywareblaster
good day cruchie,
this is the result/log after i run the sdfix:
SDFix: Version 1.168
Run by JOEMITH on Thu 04/10/2008 at 10:05 AM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\JOEMITH\Desktop\SDFix
Checking Services :
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\WINDOWS\system32\setting.ini - Deleted
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1351.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-10 10:11:46
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000067
"TracesSuccessful"=dword:00000002
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe
:enabled
xpsp2res.dll,-22019"
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe:Enabled:avgemc.exe"
"E:\\JOEMETH\\Fireworks MX\\Fireworks.exe"="E:\\JOEMETH\\Fireworks MX\\Fireworks.exe:Enabled:Fireworks MX"
"D:\\LimeWire\\LimeWire.exe"="D:\\LimeWire\\LimeWire.exe:Enabled:LimeWire"
"C:\\PVSW\\Bin\\w3dbsmgr.exe"="C:\\PVSW\\Bin\\w3dbsmgr.exe:Enabled
atabase Service Manager"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:Enabled:Yahoo! FT Server"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:Enabledxpsp3res.dll,-20000"
"E:\\JOEMETH\\Yahoo Messenger\\Messenger\\YahooMessenger.exe"="E:\\JOEMETH\\Yahoo Messenger\\Messenger\\YahooMessenger.exe:Enabled:Yahoo! Messenger"
"E:\\JOEMETH\\Yahoo Messenger\\Messenger\\YServer.exe"="E:\\JOEMETH\\Yahoo Messenger\\Messenger\\YServer.exe:Enabled:Yahoo! FT Server"
"D:\\back up\\BitLord\\BitLord.exe"="D:\\back up\\BitLord\\BitLord.exe:Enabled:BitLord"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:Enabled:LimeWire"
"E:\\JOEMETH\\Bitlord\\BitLord.exe"="E:\\JOEMETH\\Bitlord\\BitLord.exe:Enabled:BitLord"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:Enabled:æTorrent"
"D:\\back up\\Bitdownload\\BitDownload.exe"="D:\\back up\\Bitdownload\\BitDownload.exe:Enabled:Warez3"
"C:\\Program Files\\BitTorrent_DNA\\dna.exe"="C:\\Program Files\\BitTorrent_DNA\\dna.exe:Enabled:BitTorrent DNA"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:Enabled:BitTorrent"
"E:\\JOEMETH\\Mozilla Firefox\\firefox.exe"="E:\\JOEMETH\\Mozilla Firefox\\firefox.exe:Enabled:firefox.exe"
"C:\\WINDOWS\\system32\\vpwuqumv.exe"="C:\\WINDOWS\\system32\\vpw"
"C:\\WINDOWS\\system32\\wnvzfn.exe"="C:\\WINDOWS\\system32\\wnvzfn.exe:Enabled:wnvzfn"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:EnabledNA"
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"="C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe:Enabled:McAfee Framework Service"
"C:\\WINDOWS\\system32\\msconfig.exe"="C:\\WINDOWS\\system32\\msconfig.exeisabled:msconfig"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:enabledxpsp2res.dll,-22019"
"C:\\PVSW\\Bin\\w3dbsmgr.exe"="C:\\PVSW\\Bin\\w3dbsmgr.exe:Enabledatabase Service Manager"
"E:\\JOEMETH\\Fireworks MX\\Fireworks.exe"="E:\\JOEMETH\\Fireworks MX\\Fireworks.exe:Enabled:Fireworks MX"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:Enabled:Yahoo! FT Server"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:Enabledxpsp3res.dll,-20000"
"D:\\LimeWire\\LimeWire.exe"="D:\\LimeWire\\LimeWire.exe:Enabled:LimeWire"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:Enabled:avgemc.exe"
Remaining Files :
File Backups: - C:\DOCUME~1\JOEMITH\Desktop\SDFix\backups\backups.zip
Files with Hidden Attributes :
Tue 21 Aug 2007 2,516 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Wed 13 Jun 2007 1,287,695 ..SHR --- "C:\WINDOWS\system32\msconfig.exe"
Wed 13 Jun 2007 839,680 ..SHR --- "C:\WINDOWS\system32\wnvzfn.exe"
Fri 4 Aug 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 22 Jul 2002 418,816 ...HR --- "C:\WINDOWS\system32\Tools\All.exe"
Fri 19 Jul 2002 390,144 ...HR --- "C:\WINDOWS\system32\Tools\Change.exe"
Fri 19 Jul 2002 574,464 ...HR --- "C:\WINDOWS\system32\Tools\CheckPath.exe"
Tue 20 Aug 2002 430,592 ...HR --- "C:\WINDOWS\system32\Tools\Counter.exe"
Tue 23 Jul 2002 390,656 ...HR --- "C:\WINDOWS\system32\Tools\DelFolders.exe"
Fri 22 Nov 2002 399,872 ...HR --- "C:\WINDOWS\system32\Tools\DirectSetup.exe"
Fri 19 Jul 2002 388,096 ...HR --- "C:\WINDOWS\system32\Tools\RegClean.exe"
Fri 19 Jul 2002 388,608 ...HR --- "C:\WINDOWS\system32\Tools\Regexe.exe"
Fri 19 Jul 2002 388,096 ...HR --- "C:\WINDOWS\system32\Tools\RunRegexe.exe"
Thu 1 Feb 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Finished!
thanks for the helpful info.
this is the result/log after i run the sdfix:
SDFix: Version 1.168
Run by JOEMITH on Thu 04/10/2008 at 10:05 AM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\JOEMITH\Desktop\SDFix
Checking Services :
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\WINDOWS\system32\setting.ini - Deleted
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1351.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-10 10:11:46
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000067
"TracesSuccessful"=dword:00000002
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe
:enabledxpsp2res.dll,-22019""C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe
:Enabled:avginet.exe""C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe
:Enabled:avgemc.exe""E:\\JOEMETH\\Fireworks MX\\Fireworks.exe"="E:\\JOEMETH\\Fireworks MX\\Fireworks.exe
:Enabled:Fireworks MX""D:\\LimeWire\\LimeWire.exe"="D:\\LimeWire\\LimeWire.exe
:Enabled:LimeWire""C:\\PVSW\\Bin\\w3dbsmgr.exe"="C:\\PVSW\\Bin\\w3dbsmgr.exe
:Enabledatabase Service Manager""C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe
:Enabled:Yahoo! Messenger""C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe
:Enabled:Yahoo! FT Server""%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe
:Enabledxpsp3res.dll,-20000""E:\\JOEMETH\\Yahoo Messenger\\Messenger\\YahooMessenger.exe"="E:\\JOEMETH\\Yahoo Messenger\\Messenger\\YahooMessenger.exe
:Enabled:Yahoo! Messenger""E:\\JOEMETH\\Yahoo Messenger\\Messenger\\YServer.exe"="E:\\JOEMETH\\Yahoo Messenger\\Messenger\\YServer.exe
:Enabled:Yahoo! FT Server""D:\\back up\\BitLord\\BitLord.exe"="D:\\back up\\BitLord\\BitLord.exe
:Enabled:BitLord""C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe
:Enabled:LimeWire""E:\\JOEMETH\\Bitlord\\BitLord.exe"="E:\\JOEMETH\\Bitlord\\BitLord.exe
:Enabled:BitLord""C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe
:Enabled:æTorrent""D:\\back up\\Bitdownload\\BitDownload.exe"="D:\\back up\\Bitdownload\\BitDownload.exe
:Enabled:Warez3""C:\\Program Files\\BitTorrent_DNA\\dna.exe"="C:\\Program Files\\BitTorrent_DNA\\dna.exe
:Enabled:BitTorrent DNA""C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe
:Enabled:BitTorrent""E:\\JOEMETH\\Mozilla Firefox\\firefox.exe"="E:\\JOEMETH\\Mozilla Firefox\\firefox.exe
:Enabled:firefox.exe""C:\\WINDOWS\\system32\\vpwuqumv.exe"="C:\\WINDOWS\\system32\\vpw"
"C:\\WINDOWS\\system32\\wnvzfn.exe"="C:\\WINDOWS\\system32\\wnvzfn.exe
:Enabled:wnvzfn""C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe
:EnabledNA""C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"="C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe
:Enabled:McAfee Framework Service""C:\\WINDOWS\\system32\\msconfig.exe"="C:\\WINDOWS\\system32\\msconfig.exe
isabled:msconfig"[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe
:enabledxpsp2res.dll,-22019""C:\\PVSW\\Bin\\w3dbsmgr.exe"="C:\\PVSW\\Bin\\w3dbsmgr.exe
:Enabledatabase Service Manager""E:\\JOEMETH\\Fireworks MX\\Fireworks.exe"="E:\\JOEMETH\\Fireworks MX\\Fireworks.exe
:Enabled:Fireworks MX""C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe
:Enabled:Yahoo! Messenger""C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe
:Enabled:Yahoo! FT Server""%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe
:Enabledxpsp3res.dll,-20000""D:\\LimeWire\\LimeWire.exe"="D:\\LimeWire\\LimeWire.exe
:Enabled:LimeWire""C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe
:Enabled:avginet.exe""C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe
:Enabled:avgamsvr.exe""C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe
:Enabled:avgcc.exe""C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe
:Enabled:avgemc.exe"Remaining Files :
File Backups: - C:\DOCUME~1\JOEMITH\Desktop\SDFix\backups\backups.zip
Files with Hidden Attributes :
Tue 21 Aug 2007 2,516 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Wed 13 Jun 2007 1,287,695 ..SHR --- "C:\WINDOWS\system32\msconfig.exe"
Wed 13 Jun 2007 839,680 ..SHR --- "C:\WINDOWS\system32\wnvzfn.exe"
Fri 4 Aug 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 22 Jul 2002 418,816 ...HR --- "C:\WINDOWS\system32\Tools\All.exe"
Fri 19 Jul 2002 390,144 ...HR --- "C:\WINDOWS\system32\Tools\Change.exe"
Fri 19 Jul 2002 574,464 ...HR --- "C:\WINDOWS\system32\Tools\CheckPath.exe"
Tue 20 Aug 2002 430,592 ...HR --- "C:\WINDOWS\system32\Tools\Counter.exe"
Tue 23 Jul 2002 390,656 ...HR --- "C:\WINDOWS\system32\Tools\DelFolders.exe"
Fri 22 Nov 2002 399,872 ...HR --- "C:\WINDOWS\system32\Tools\DirectSetup.exe"
Fri 19 Jul 2002 388,096 ...HR --- "C:\WINDOWS\system32\Tools\RegClean.exe"
Fri 19 Jul 2002 388,608 ...HR --- "C:\WINDOWS\system32\Tools\Regexe.exe"
Fri 19 Jul 2002 388,096 ...HR --- "C:\WINDOWS\system32\Tools\RunRegexe.exe"
Thu 1 Feb 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Finished!
thanks for the helpful info.
Are you the original poster? If not, welcome to Daniweb, but please start a new thread.
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera AVAST anti-virus Comodo Firewall Spywareblaster
Opera AVAST anti-virus Comodo Firewall Spywareblaster
|
Similar Threads
- Hidden program installs .dlls with randomly generated names in random "notify" reg. (Viruses, Spyware and other Nasties)
- whats this " power reg scheduler" (Viruses, Spyware and other Nasties)
- It Constantly Keeps Re-booting Itself. Plz Help (Viruses, Spyware and other Nasties)
- Error message Apple Reg.ink (Windows NT / 2000 / XP)
- Spyware causing lsass.exe/services.exe to terminate crashing pc (Viruses, Spyware and other Nasties)
- NAV popup trojan.cachecachekit (Viruses, Spyware and other Nasties)
- Changeing Font Based on Reg Settings (VB.NET)
- 'restrictanonymous' reg key (Viruses, Spyware and other Nasties)
Other Threads in the Viruses, Spyware and other Nasties Forum
- Previous Thread: Data error [47 0F 94 93 F4 K5]
- Next Thread: Need help cleaning PC
| Thread Tools | Search this Thread |
You need to join our community in order to build your list of favorite forums. You can visit the forum index for a listing of all forums.
Related Forum Features
Latest Viruses, Spyware and other Nasties Posts
adware anti-malware anti-virussitesaccessissue antivirus apple audio avg backtoschoolspeech bar blackhat botnet botnets censorship china commercial commercials conficker connect control crosssitescripting cyber cybercrime cyberwarfare domains e-mafia education email europe exam facebook fake fancheckvirus gaming gtaiv halloween hijack hosting internet iphone kaspersky legal logfiles mail malware mcafee messagelabs microsoft mobile msn nazi news obama onlinethreats paedophile panel parents patch phishing police policeprovirusmba-mblockedinternetaccess president privacy pro problem reliability report research risk rogueantivirus samhain sans scareware school search security seopoisoning sites software spam spyware spywareexternalwindows7adminstratortrojans sqlinjection symantec system teen translate trojan unabletoaccessanti-virussites unwanted update usa virus viruses war warning windows worm yahoo zeroday