I'm running Sygate Firewall and this message keeps popping up every 20-30 mins:
An application named Universa Application
(File name win12c4.tmp.exe)
Has been blocked from accessing the network
I'm not bothered about it, but just wondered if anyone knew what it is, or what it's related to?
I haven't installed anything new lately and have run a spyware and virus check. All came back clean.
Anyone know?
I've been told this is a possible hijack virus; a few people have tried helping me but it's still on my system.
Could you please attach a HijackThis log?
Logfile of HijackThis v1.99.1
Scan saved at 03:20:32, on 28/02/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\soundman.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\UltimateBuddy\UltimateBuddy.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Aaron\Desktop\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Crazy Poker - {8A8A3162-B5FA-4c54-A862-4E62CBE8A255} - C:\Program Files\crazyvegasMPP\MPPoker.exe
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: bet365 Poker - {B1BA4A3F-1C95-497b-9F82-F8DA4A5C89DD} - F:\Program Files\bet365MPP\MPPoker.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - F:\Program files\Poker.com\poker.exe (HKCU)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: winexy32 - C:\WINDOWS\
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
I am a little concerned about this one
O20 - Winlogon Notify: winexy32 - C:\WINDOWS\
Check that line in HijackThis and then choose Fix Checked.
Go here:
http://virusscan.jotti.org/
-Upload C:\WINDOWS\winexy32.exe and post the results back here.
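The O20 line flagged above is a Winlogon Notify entry: a DLL that winlogon.exe loads at logon, which is why an unfamiliar package name pointing at a bare directory is worth a closer look. The script below is an added example (not the thread's or HijackThis's own code): it parses the O4/O20/O23 line formats seen in the logs here, gives review reasons for the patterns discussed, and reports which entries disappeared between a before and after log; the KNOWN_NOTIFY baseline set is an assumption to be tuned per build.

```python
"""Triage helper for HijackThis-style log lines (added example)."""
import re
from typing import Dict, List

# Constructed sample input: a subset of the first HijackThis log in the thread.
LOG_BEFORE = """\
O4 - HKLM\\..\\Run: [SoundMan] soundman.exe
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O20 - Winlogon Notify: winexy32 - C:\\WINDOWS\\
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\\WINDOWS\\System32\\alg.exe (file missing)
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\\Program Files\\Sygate\\SPF\\smc.exe
"""
# Constructed "after" log: same entries with the O20 line removed, as in the thread.
LOG_AFTER = "\n".join(
    line for line in LOG_BEFORE.splitlines() if not line.startswith("O20")) + "\n"

# Assumed baseline of Winlogon Notify package names on a stock XP install.
# Treat it as a starting point for review, not an authority, and tune per build.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

ENTRY_RE = re.compile(r"^(?P<kind>[OR]\d+) - (?P<body>.+)$")


def parse(log_text: str) -> List[Dict[str, str]]:
    """Return one dict per recognised entry line; other lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append({"kind": m.group("kind"),
                            "body": m.group("body"), "raw": raw.strip()})
    return entries


def flag(entry: Dict[str, str]) -> List[str]:
    """Heuristic review reasons for one entry (empty list = nothing notable)."""
    kind, body = entry["kind"], entry["body"]
    reasons: List[str] = []
    if kind == "O20" and body.startswith("Winlogon Notify:"):
        # Format: "Winlogon Notify: <package name> - <path>"
        name, _, path = body[len("Winlogon Notify:"):].strip().partition(" - ")
        if path.endswith("\\") or not path.lower().endswith(".dll"):
            reasons.append("Winlogon Notify target has no DLL file name")
        if name.lower() not in KNOWN_NOTIFY:
            reasons.append(f"Winlogon Notify package '{name}' not in baseline")
    elif kind == "O23":
        if "(file missing)" in body:
            reasons.append("service binary not found at listed path")
        if "Unknown owner" in body:
            reasons.append("service has no vendor string")
    elif kind == "O4":
        # Format: "<hive>\..\Run: [<name>] <command>"; a bare file name is
        # resolved by PATH search at logon, so confirm which copy actually runs.
        _, _, command = body.partition("] ")
        exe = command.strip().strip('"').split(" ")[0]
        if "\\" not in exe:
            reasons.append("Run entry uses bare file name (resolved via PATH)")
    return reasons


def review(log_text: str) -> Dict[str, List[str]]:
    """Map each entry that earned at least one reason to its reasons."""
    result: Dict[str, List[str]] = {}
    for entry in parse(log_text):
        reasons = flag(entry)
        if reasons:
            result[entry["raw"]] = reasons
    return result


def removed_entries(before: str, after: str) -> List[str]:
    """Entries present in the earlier log but absent from the later one."""
    after_raw = {e["raw"] for e in parse(after)}
    return [e["raw"] for e in parse(before) if e["raw"] not in after_raw]


if __name__ == "__main__":
    for raw, reasons in review(LOG_BEFORE).items():
        print(raw)
        for reason in reasons:
            print("   ->", reason)
    print("Gone after fix:", removed_entries(LOG_BEFORE, LOG_AFTER))
```

The reasons are review prompts, not verdicts: the ALG service line, for instance, earns two flags here yet alg.exe is a standard XP component, so each hit still needs the file itself checked.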
I did as you said, but that file isn't on my system!
Now my HijackThis log is this. Has the file gone???? All I clicked was the line you said, and then I clicked Fix.
Logfile of HijackThis v1.99.1
Scan saved at 11:36:46, on 28/02/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\soundman.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\UltimateBuddy\UltimateBuddy.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Aaron\Desktop\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Crazy Poker - {8A8A3162-B5FA-4c54-A862-4E62CBE8A255} - C:\Program Files\crazyvegasMPP\MPPoker.exe
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: bet365 Poker - {B1BA4A3F-1C95-497b-9F82-F8DA4A5C89DD} - F:\Program Files\bet365MPP\MPPoker.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - F:\Program files\Poker.com\poker.exe (HKCU)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
No need to worry, I figured it was either gone or inactive, one of the two, so let me look at two more scans to make sure I do not see anything.
Download ISeeYou from here:
http://forum.networktechs.com/attachment.php?attachmentid=22492&d=1140226765
-Save to your desktop for now
Download Blacklight from here:
http://www.f-secure.com/blacklight/try.shtml
-- Once you've installed it, click Scan
-- DO NOT have it Fix or Rename anything yet
-- A log should pop up – please save that and submit it for me when you return
Now reboot to Safe Mode
-double click ISeeYou.bat
-It will run for 10 seconds or so, then notepad will open
-Save that and attach it for me here
Hi. Firstly I'd like to say thanks for all the help. It's much appreciated. Thank you.
Here are the 2 logs.
BlackLight log -
02/28/06 13:34:30 [Info]: BlackLight Engine 1.0.32 initialized
02/28/06 13:34:30 [Info]: OS: 5.1 build 2600 ()
02/28/06 13:34:30 [Note]: 7019 4
02/28/06 13:34:30 [Note]: 7005 0
02/28/06 13:34:34 [Note]: 7006 0
02/28/06 13:34:34 [Note]: 7011 1260
02/28/06 13:34:35 [Note]: FSRAW library version 1.7.1015
02/28/06 13:37:29 [Note]: 7007 0
2nd log
****PLEASE NOTE THAT MOST (if not ALL) OF THE ITEMS BELOW ARE NOT BADDIES!
****PLEASE CONSULT A KNOWLEDGEABLE PERSON BEFORE TAKING ANY ACTION.
Microsoft Windows XP [Version 5.1.2600]
28/02/2006
13:47
--------------------------------------------------------------------------
Items Found in ZoneMap\Domains:
--------------------------------------------------------------------------
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
@=""
--------------------------------------------------------------------------
STARTUP ITEMS DISABLED VIA MSCONFIG:
--------------------------------------------------------------------------
--------------------------------------------------------------------------
LOG for Microsoft® Windows® Malicious Software Removal Tool:
--------------------------------------------------------------------------
Microsoft Windows MRT Log NOT Found!
--------------------------------------------------------------------------
Select RunOnce Registry Key Items:
--------------------------------------------------------------------------
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
----------------------------------------------
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
--------------------------------------------------------------------------
Shared Task Scheduler Registry Items:
--------------------------------------------------------------------------
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
--------------------------------------------------------------------------
ENUMERATING SCHEDULED TASKS:
--------------------------------------------------------------------------
Volume in drive C has no label.
Volume Serial Number is C897-6DBF
Directory of C:\WINDOWS\tasks
25/02/2006 12:21 .
25/02/2006 12:21 ..
18/08/2001 20:00 65 desktop.ini
25/02/2006 12:21 530 Norton AntiVirus - Run Full System Scan - Aaron.job
28/02/2006 13:43 6 SA.DAT
25/02/2006 15:18 364 Symantec NetDetect.job
4 File(s) 965 bytes
2 Dir(s) 7,635,304,448 bytes free
HR C:\WINDOWS\tasks\desktop.ini
A C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Aaron.job
A H C:\WINDOWS\tasks\SA.DAT
A C:\WINDOWS\tasks\Symantec NetDetect.job
--------------------------------------------------------------------------
CHECKING SELECT POLICIES KEYS:
--------------------------------------------------------------------------
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
----------------------------------------------
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
----------------------------------------------
--------------------------------------------------------------------------
ENUMERATING RECENT DOWNLOADED PROGRAM FILES:
--------------------------------------------------------------------------
C:\WINDOWS\DOWNLOADED PROGRAM FILES
27/02/2006 20:37 ..
27/02/2006 20:37 .
22/02/2006 18:11 878 avsniff.inf
22/02/2006 13:14 161,480 rufsi.dll
22/02/2006 13:14 198,304 avsniffdlgs.dll
22/02/2006 13:14 231,072 avsniff.dll
22/02/2006 13:11 241 CabSA.inf
22/02/2006 13:09 6,850 navapi.vxd
22/02/2006 13:09 201,896 navapi32.dll
22/02/2006 13:07 42,112 ecmldr32.dll
22/02/2006 13:07 537,704 AXXPEE.dll
22/02/2006 06:00 6,899 ecbootil.vxd
22/02/2006 06:00 2,390 catalog.dat
22/02/2006 06:00 288,376 ecmsvr32.dll
22/02/2006 06:00 3,093,134 virscan9.dat
22/02/2006 06:00 387,048 virscan6.dat
22/02/2006 06:00 2,138,104 virscan5.dat
22/02/2006 06:00 320,086 virscan4.dat
22/02/2006 06:00 32 virscant.dat
22/02/2006 06:00 1,491,742 virscan8.dat
22/02/2006 06:00 124,584 naveng32.dll
22/02/2006 06:00 788,136 navex32a.dll
22/02/2006 06:00 145,388 virscan3.dat
22/02/2006 06:00 560,980 virscan2.dat
22/02/2006 06:00 3,219,298 virscan7.dat
22/02/2006 06:00 944,229 virscan1.dat
22/02/2006 06:00 97,072 scrauth.dat
22/02/2006 06:00 106,244 virscan.inf
22/02/2006 06:00 14 symaveng.cat
22/02/2006 06:00 901 symaveng.inf
22/02/2006 06:00 43,448 tcdefs.dat
22/02/2006 06:00 927,699 tcscan7.dat
22/02/2006 06:00 264,108 tcscan8.dat
22/02/2006 06:00 519,170 tcscan9.dat
22/02/2006 06:00 453 tinf.dat
22/02/2006 06:00 148 tinfidx.dat
22/02/2006 06:00 1,957 tinfl.dat
22/02/2006 06:00 48,353 tscan1.dat
22/02/2006 06:00 1,237 tscan1hd.dat
22/02/2006 06:00 5,516 v.grd
22/02/2006 06:00 2,242 v.sig
22/02/2006 06:00 224 zdone.dat
27/08/2005 13:30 5,065 swflash.inf
09/03/2005 20:43 6,828 scanoptions.tsi
09/03/2005 20:42 6,742 lang.ini
09/03/2005 20:40 475,136 oscan8.ocx
01/03/2005 19:08 53,248 ipsupd.dll
01/03/2005 19:08 118,784 bdupd.dll
01/03/2005 16:15 1,246 oscan8.inf
18/02/2005 21:22 126 live.ini
--------------------------------------------------------------------------
CHECKING RECENTLY ADDED DRIVERS:
--------------------------------------------------------------------------
C:\WINDOWS\system32\drivers
27/02/2006 20:38 28,672 CO_Mon.sys
27/02/2006 20:07 ..
27/02/2006 20:07 .
25/02/2006 12:07 10,344 symlcbrd.sys
19/02/2006 14:09 etc
15/02/2006 17:26 195,776 symtdi.sys
15/02/2006 17:26 24,768 symredrv.sys
15/02/2006 17:26 28,352 symndis.sys
15/02/2006 17:26 31,936 symids.sys
15/02/2006 17:26 110,784 symfw.sys
15/02/2006 17:26 12,992 symdns.sys
14/02/2006 12:05 107,696 SYMEVENT.SYS
19/02/2006 14:09 ..
19/02/2006 14:09 .
05/02/2006 04:34 734 hosts
06/05/2005 08:56 20 SymRedir.cat
06/05/2005 08:56 1,133 SymRedir.inf
--------------------------------------------------------------------------
CHECKING SYSTEM.INI:
--------------------------------------------------------------------------
; for 16-bit app support
[drivers]
wave=mmdrv.dll
timer=timer.drv
[mci]
[driver32]
[386enh]
woafont=app850.FON
EGA80WOA.FON=EGA80850.FON
EGA40WOA.FON=EGA40850.FON
CGA80WOA.FON=CGA80850.FON
CGA40WOA.FON=CGA40850.FON
--------------------------------------------------------------------------
CHECKING WIN.INI:
--------------------------------------------------------------------------
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[MCI Extensions.BAK]
aif=MPEGVideo
aifc=MPEGVideo
aiff=MPEGVideo
asf=MPEGVideo2
asx=MPEGVideo2
au=MPEGVideo
m1v=MPEGVideo
m3u=MPEGVideo2
mp2=MPEGVideo
mp2v=MPEGVideo
mp3=MPEGVideo2
mpa=MPEGVideo
mpe=MPEGVideo
mpeg=MPEGVideo
mpg=MPEGVideo
mpv2=MPEGVideo
snd=MPEGVideo
wax=MPEGVideo2
wm=MPEGVideo2
wma=MPEGVideo2
wmp=MPEGVideo2
wmv=MPEGVideo2
wmx=MPEGVideo2
wvx=MPEGVideo2
wpl=MPEGVideo
[Internal]
Install=1140829842
Install2=1140829842
Device2=x8vIzbrLzsy6vM6+zL7Mx8bJvLk=
--------------------------------------------------------------------------
MISCELLANEOUS DETECTIONS:
--------------------------------------------------------------------------
*** i386p.* Stealthing Tool NOT Found by this tool! ***
*** msctl32.dll SpamBot NOT Found by this tool! ***
*** ibm000*.* KeyLogger NOT Found by this tool! ***
--------------------------------------------------------------------------
**** LOOKING FOR AVPE32 Haxdoor Reg Keys ****
---------- HKLMSYSKEYS.TXT
*** avpe32 keys NOT Found by this tool! ***
**** LOOKING FOR AVPE64 Haxdoor Reg Keys ****
---------- HKLMSYSKEYS.TXT
*** avpe64 keys NOT Found by this tool! ***
**** LOOKING FOR MEMLOW Haxdoor Reg Keys ****
---------- HKLMSYSKEYS.TXT
*** memlow keys NOT Found by this tool! ***
**** LOOKING FOR VDNT32 Haxdoor Reg Keys ****
---------- HKLMSYSKEYS.TXT
*** vdnt32 keys NOT Found by this tool! ***
**** LOOKING FOR SYSBUS32 Rootkit Driver Reg Keys ****
---------- HKLMSYSKEYS.TXT
*** sysbus32 keys NOT Found by this tool! ***
**** LOOKING FOR I386P Rootkit Driver Reg Keys ****
---------- HKLMSYSKEYS.TXT
*** i386p keys NOT Found by this tool! ***
#####################################################################################################
-- All DONE!
The logs are clean.
One last scan - It's a quick one :)
Download Smitrem
http://noahdfear.geekstogo.com/click%20counter/click.php?id=1
-Extract it to its own personal folder
-Reboot to Safe Mode
-Open the folder and double click Runthis.bat
-Allow it to run all the way thru Disc Cleanup
-Reboot to Normal Mode and attach the log created at C:\smitfiles.txt
After clicking runthis.bat it scanned my system and made this log, but Disk Cleanup didn't start. Now I've rebooted; should I still use Disk Cleanup, or reboot into Safe Mode and try running it again?
Here's the log.
smitRem © log file
version 2.8
by noahdfear
Microsoft Windows XP [Version 5.1.2600]
The current date is: 28/02/2006
The current time is: 15:28:31.20
Running from
C:\Documents and Settings\Aaron\Desktop\smitRem
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Pre-run SharedTask Export
(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com
Registry Pseudo-Format Mode (Not a valid reg file):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
checking for ShudderLTD key
ShudderLTD key not present!
checking for PSGuard.com key
PSGuard.com key not present!
checking for WinHound.com key
WinHound.com key not present!
spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Existing Pre-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 684 'explorer.exe'
Killing PID 684 'explorer.exe'
Starting registry repairs
Registry repairs complete
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SharedTask Export after registry fix
(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com
Registry Pseudo-Format Mode (Not a valid reg file):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Deleting files
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Remaining Post-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~ Wininet.dll ~~~
CLEAN! :)
Did you not run it from Safe Mode? It should be run from there to begin with. If you didn't, please run it from Safe Mode.
Is that temp file located on your PC?
Go to Start>Search
-Enter win12c4.tmp.exe in the Filename box
-Choose More Advanced Options
-Check all three options and click Search
Search system folders
Search hidden files and folders
Search subfolders
I am a little concerned about this one
Check that line in HijackThis and then choose Fix Checked
Go here:
http://virusscan.jotti.org/
-Upload C:\WINDOWS\winexy32.exe and post the results back here.
Also - I told you wrong here, you should try uploading C:\WINDOWS\winexy32.dll
Give that a shot - my mistake.
I ran it in Safe Mode. Once that runthis.bat file had finished, it said press any key to continue and it would open Disk Cleanup. I left the PC for about 20 mins in Safe Mode but Disk Cleanup didn't even start or appear in the Task Manager.
That file cannot be found. Am I cured now?
I do see one thing, please look in Add/Remove Programs and uninstall UltimateBuddy
May want to consider uninstalling the Poker games as well...
Other than that, all that was found in any of the scans was the O20 line of HijackThis that appeared to be inactive. I can't say for sure if the problem is from your PC - or if something is trying to access your PC, and your Firewall is doing its job. :)
It really sounded like a problem Smitrem would show, and it didn't.
Cool, thanks.
I don't seem to have that file on my PC now, but I know I did have the DLL file, winexy32.dll.
For some reason it isn't on my system now.
I edited my post to include uninstalling UltimateBuddy - I overlooked it as it kind of blended in with all the Poker games :lol:
The process is harmful as it refers to adware and spyware program types. The application collects personal and secret information from your computer (e.g. passwords) and sends it to third parties. Moreover, your Internet experience may be interrupted by a multitude of pop-up windows and banners. The process must be deleted immediately.
Also - it may not hurt to remove those Poker games...
What's wrong with UltimateBuddy as well? I know of this program. It's a program to log and chat to my friends on poker sites. www.ultimatebuddy.com
If it's a problem I can easily remove it. It's not that important to me.
Glad I could help :)
Thanks for all the help and time mate. You've been great. Very much appreciated.
Aaron
:mrgreen: :mrgreen: