girl17
Trooper

 Joined: Apr 10, 2008 Posts: 34 Location: USA
Posted: Fri Apr 25, 2008 11:49 am
Hi PCB.. I'm back..
How's everything going? =)
I have tried to drag CFScript into ComboFix again.
But it still does not work.
ComboFix loads for a while,
the pointer changes to an hourglass and blinks a few times, but then it turns back into a pointer again..
Here is my new HijackThis log, please assist further.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:51, on 2008-04-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\gan\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jacktat.corp
O17 - HKLM\Software\..\Telephony: DomainName = jacktat.corp
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O23 - Service: COM+ Windows System (WinCOM) - Unknown owner - C:\WINDOWS\system32\wincom.exe (file missing)
--
End of file - 5061 bytes
PCBruiser
SRT Team Lead
 Forums Admin
 Joined: May 11, 2005 Posts: 11723
Posted: Fri Apr 25, 2008 9:30 pm
Hi,
Please download a fresh copy of ComboFix to your desktop. Let it replace the one that is there now. Next, open the copy of CFScript.txt in Notepad and copy and paste it to your next post. I want to see if that is correct, it may have been corrupted when you downloaded, etc., so I want to look at what it looks like on your system.
_________________
Don't read? Can't learn!
girl17
Trooper

 Joined: Apr 10, 2008 Posts: 34 Location: USA
Posted: Sat Apr 26, 2008 5:10 am
Hi PCB..
Ha ha, it works after your recommendation.
I'm so sorry, I should have thought of that before.
Thank you for your patience.
**However, I discovered that CFScript.txt disappeared from my desktop after the scanning process was completed.
Here is the ComboFix log..
ComboFix 08-04-24.1 - gan 2008-04-26 12:51:04.4 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.187 [GMT 8:00]
Running from: C:\Documents and Settings\gan\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\gan\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\Program Files\csgan.JPG
C:\Program Files\csgan2.JPG
C:\Program Files\ver.txt
C:\tesvlog.lvr
C:\WINDOWS\ccwl16.ini
C:\WINDOWS\guyi-emply.exe
C:\WINDOWS\iestar.exe
C:\WINDOWS\kk.exe
C:\WINDOWS\kkk.exe
C:\WINDOWS\kkkk.exe
C:\WINDOWS\st30.exe
C:\WINDOWS\system32\1F9554ADE4.dll
C:\WINDOWS\system32\ccwl32.ini
C:\WINDOWS\system32\ccwld16_080331.dll
C:\WINDOWS\system32\dllcache\ieudinit.exe
C:\WINDOWS\system32\enyekhdbko.dll
C:\WINDOWS\system32\feigou.ini
C:\WINDOWS\system32\htpzvtlzif.dll
C:\WINDOWS\system32\hyjsphiuwh.dll
C:\WINDOWS\system32\iexlporer.exe
C:\WINDOWS\system32\qpcvxhkjvbzxe.dll
C:\WINDOWS\system32\resiifers.ini
C:\WINDOWS\system32\svshosts.dll
C:\WINDOWS\system32\unacev2.dll
C:\WINDOWS\system32\unrar3.dll
C:\WINDOWS\system32\wcbnurect.fl
C:\WINDOWS\system32\wincom.exe
C:\WINDOWS\system32\ztvcabinet.dll
C:\WINDOWS\system32\ztvunace26.dll
C:\WINDOWS\system32\ztvunrar36.dll
C:\WINDOWS\Tasks\A8BA34F990F9B205.job
C:\WINDOWS\TEMP\mc21.tmp
C:\winsys.inf
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\gan\applic~1\greyde~1
c:\docume~1\gan\applic~1\greyde~1\475EB10E
c:\docume~1\gan\applic~1\greyde~1\kjgqscdy.exe
C:\FOUND.000
C:\FOUND.000\FILE0000.CHK
C:\FOUND.000\FILE0001.CHK
C:\FOUND.000\FILE0002.CHK
C:\FOUND.001
C:\FOUND.001\FILE0000.CHK
C:\FOUND.001\FILE0001.CHK
C:\FOUND.001\FILE0002.CHK
C:\FOUND.001\FILE0003.CHK
C:\FOUND.001\FILE0004.CHK
C:\FOUND.001\FILE0005.CHK
C:\FOUND.001\FILE0006.CHK
C:\FOUND.001\FILE0007.CHK
C:\FOUND.001\FILE0008.CHK
C:\FOUND.001\FILE0009.CHK
C:\FOUND.001\FILE0010.CHK
C:\FOUND.001\FILE0011.CHK
C:\FOUND.002
C:\FOUND.002\FILE0000.CHK
C:\FOUND.002\FILE0001.CHK
C:\FOUND.002\FILE0002.CHK
C:\FOUND.002\FILE0003.CHK
C:\FOUND.002\FILE0004.CHK
C:\FOUND.002\FILE0005.CHK
C:\FOUND.002\FILE0006.CHK
C:\FOUND.002\FILE0007.CHK
C:\FOUND.002\FILE0008.CHK
C:\FOUND.002\FILE0009.CHK
C:\FOUND.002\FILE0010.CHK
C:\FOUND.002\FILE0011.CHK
C:\FOUND.002\FILE0012.CHK
C:\FOUND.002\FILE0013.CHK
C:\FOUND.002\FILE0014.CHK
C:\FOUND.002\FILE0015.CHK
C:\FOUND.002\FILE0016.CHK
C:\FOUND.002\FILE0017.CHK
C:\FOUND.002\FILE0018.CHK
C:\FOUND.002\FILE0019.CHK
C:\FOUND.002\FILE0020.CHK
C:\FOUND.002\FILE0021.CHK
C:\FOUND.002\FILE0022.CHK
C:\FOUND.002\FILE0023.CHK
C:\FOUND.002\FILE0024.CHK
C:\FOUND.002\FILE0025.CHK
C:\FOUND.002\FILE0026.CHK
C:\FOUND.002\FILE0027.CHK
C:\FOUND.002\FILE0028.CHK
C:\FOUND.002\FILE0029.CHK
C:\FOUND.002\FILE0030.CHK
C:\FOUND.002\FILE0031.CHK
C:\FOUND.002\FILE0032.CHK
C:\FOUND.002\FILE0033.CHK
C:\FOUND.002\FILE0034.CHK
C:\FOUND.002\FILE0035.CHK
C:\FOUND.002\FILE0036.CHK
C:\FOUND.002\FILE0037.CHK
C:\FOUND.002\FILE0038.CHK
C:\FOUND.002\FILE0039.CHK
C:\FOUND.002\FILE0040.CHK
C:\FOUND.002\FILE0041.CHK
C:\FOUND.002\FILE0042.CHK
C:\FOUND.002\FILE0043.CHK
C:\FOUND.002\FILE0044.CHK
C:\FOUND.002\FILE0045.CHK
C:\FOUND.002\FILE0046.CHK
C:\FOUND.002\FILE0047.CHK
C:\FOUND.002\FILE0048.CHK
C:\FOUND.002\FILE0049.CHK
C:\FOUND.002\FILE0050.CHK
C:\FOUND.002\FILE0051.CHK
C:\FOUND.002\FILE0052.CHK
C:\FOUND.002\FILE0053.CHK
C:\FOUND.002\FILE0054.CHK
C:\FOUND.002\FILE0055.CHK
C:\FOUND.002\FILE0056.CHK
C:\FOUND.002\FILE0057.CHK
C:\FOUND.002\FILE0058.CHK
C:\FOUND.002\FILE0059.CHK
C:\FOUND.002\FILE0060.CHK
C:\FOUND.002\FILE0061.CHK
C:\FOUND.002\FILE0062.CHK
C:\FOUND.002\FILE0063.CHK
C:\FOUND.002\FILE0064.CHK
C:\FOUND.002\FILE0065.CHK
C:\FOUND.002\FILE0066.CHK
C:\FOUND.002\FILE0067.CHK
C:\FOUND.002\FILE0068.CHK
C:\FOUND.002\FILE0069.CHK
C:\FOUND.002\FILE0070.CHK
C:\FOUND.002\FILE0071.CHK
C:\FOUND.002\FILE0072.CHK
C:\FOUND.003
C:\FOUND.003\FILE0000.CHK
C:\FOUND.003\FILE0001.CHK
C:\FOUND.003\FILE0002.CHK
C:\Program Files\Common Files\WPE
C:\Program Files\Common Files\WPE\atl.dll
C:\Program Files\Common Files\WPE\Data\Server\clientlist.xml
C:\Program Files\Common Files\WPE\Data\Server\job0000000000000001.emf
C:\Program Files\Common Files\WPE\Data\Server\job0000000000000002.emf
C:\Program Files\Common Files\WPE\Data\Server\job0000000000000003.emf
C:\Program Files\Common Files\WPE\Data\Server\job0000000000000004.emf
C:\Program Files\Common Files\WPE\Data\Server\job0000000000000005.emf
C:\Program Files\Common Files\WPE\Data\Server\job0000000000000006.emf
C:\Program Files\Common Files\WPE\Data\Server\job0000000000000007.emf
C:\Program Files\Common Files\WPE\Data\Server\job0000000000000008.emf
C:\Program Files\Common Files\WPE\Data\Server\job0000000000000009.emf
C:\Program Files\Common Files\WPE\Data\Server\job000000000000000a.emf
C:\Program Files\Common Files\WPE\Data\Server\job000000000000000b.emf
C:\Program Files\Common Files\WPE\Data\Server\job000000000000000c.emf
C:\Program Files\Common Files\WPE\Data\Server\job000000000000000d.emf
C:\Program Files\Common Files\WPE\Data\Server\job000000000000000e.emf
C:\Program Files\Common Files\WPE\Data\Server\job000000000000000f.emf
C:\Program Files\Common Files\WPE\Data\Server\job0000000000000010.emf
C:\Program Files\Common Files\WPE\Data\Server\job0000000000000011.emf
C:\Program Files\Common Files\WPE\Data\Server\job0000000000000012.emf
C:\Program Files\Common Files\WPE\Data\Server\job0000000000000013.emf
C:\Program Files\Common Files\WPE\Data\Server\job0000000000000014.emf
C:\Program Files\Common Files\WPE\Data\Server\job0000000000000015.emf
C:\Program Files\Common Files\WPE\Data\Server\job0000000000000016.emf
C:\Program Files\Common Files\WPE\Data\Server\job0000000000000017.emf
C:\Program Files\Common Files\WPE\Data\Server\job0000000000000018.emf
C:\Program Files\Common Files\WPE\Data\Server\job0000000000000019.emf
C:\Program Files\Common Files\WPE\Data\Server\job000000000000001a.emf
C:\Program Files\Common Files\WPE\Data\Server\job0000000100000001.emf
C:\Program Files\Common Files\WPE\Data\Server\job0000000100000002.emf
C:\Program Files\Common Files\WPE\Data\Server\job0000000200000001.emf
C:\Program Files\Common Files\WPE\Data\Server\job0000000200000002.emf
C:\Program Files\Common Files\WPE\Data\Server\job0000000200000003.emf
C:\Program Files\Common Files\WPE\Data\Server\job0000000300000001.emf
C:\Program Files\Common Files\WPE\Data\Server\job0000000300000002.emf
C:\Program Files\Common Files\WPE\Data\Server\job0000000400000001.emf
C:\Program Files\Common Files\WPE\Data\Server\job0000000400000002.emf
C:\Program Files\Common Files\WPE\Data\Server\job0000000500000001.emf
C:\Program Files\Common Files\WPE\Data\Server\job0000000600000001.emf
C:\Program Files\Common Files\WPE\Data\Server\job0000000600000002.emf
C:\Program Files\Common Files\WPE\Data\Server\job0000000600000003.emf
C:\Program Files\Common Files\WPE\Data\Server\job0000000700000001.emf
C:\Program Files\Common Files\WPE\Data\Server\job0000000700000002.emf
C:\Program Files\Common Files\WPE\Data\Server\job0000000700000003.emf
C:\Program Files\Common Files\WPE\Data\Server\job0000000800000001.emf
C:\Program Files\Common Files\WPE\Data\Server\job0000000800000002.emf
C:\Program Files\Common Files\WPE\Data\Server\joblist.xml
C:\Program Files\Common Files\WPE\wpeinstall.dll
C:\Program Files\Common Files\WPE\wpeserv.exe
C:\Program Files\Common Files\WPE\wpestart.exe
C:\Program Files\Common Files\WPE\xmllibu.dll
C:\Program Files\csgan.JPG
C:\Program Files\csgan2.JPG
C:\SDFix
C:\SDFix\apps\assosfix.reg
C:\SDFix\apps\cliptext.exe
C:\SDFix\apps\download.exe
C:\SDFix\apps\dummy.sys
C:\SDFix\apps\Enable_Command_Prompt.reg
C:\SDFix\apps\ERDNT.E_E
C:\SDFix\apps\ERDNTDOS.LOC
C:\SDFix\apps\ERDNTWIN.LOC
C:\SDFix\apps\ERUNT.EXE
C:\SDFix\apps\ERUNT.LOC
C:\SDFix\apps\fix.reg
C:\SDFix\apps\FixBH.reg
C:\SDFix\apps\FixComponents.reg
C:\SDFix\apps\FIXCU.reg
C:\SDFix\apps\FIXLM.reg
C:\SDFix\apps\FixPath.exe
C:\SDFix\apps\FixRedir.reg
C:\SDFix\apps\FixSchedule.reg
C:\SDFix\apps\FixWebCheck.reg
C:\SDFix\apps\fixXP.reg
C:\SDFix\apps\FixXPsp2.reg
C:\SDFix\apps\grep.exe
C:\SDFix\apps\HPFix.reg
C:\SDFix\apps\HPFix2.reg
C:\SDFix\apps\HPFix3.reg
C:\SDFix\apps\HPFix4.reg
C:\SDFix\apps\HPFix5.reg
C:\SDFix\apps\HPFix6.reg
C:\SDFix\apps\HPFix7.reg
C:\SDFix\apps\isadmin.exe
C:\SDFix\apps\leg2.txt
C:\SDFix\apps\legacy.txt
C:\SDFix\apps\legacybk.txt
C:\SDFix\apps\locate.com
C:\SDFix\apps\LS.exe
C:\SDFix\apps\MD5File.exe
C:\SDFix\apps\MyGcpvFix.reg
C:\SDFix\apps\MyGkFix2.reg
C:\SDFix\apps\Process.exe
C:\SDFix\apps\procs.exe
C:\SDFix\apps\psservice.exe
C:\SDFix\apps\Rem.txt
C:\SDFix\apps\Rem2.txt
C:\SDFix\apps\Replace\regedit.exe
C:\SDFix\apps\Replace\W2K.exe
C:\SDFix\apps\Replace\w2k\beep.sys
C:\SDFix\apps\Replace\w2k\null.sys
C:\SDFix\apps\Replace\XP.exe
C:\SDFix\apps\Replace\xp\beep.sys
C:\SDFix\apps\Replace\xp\null.sys
C:\SDFix\apps\Reset_AppInit_DLLs.reg
C:\SDFix\apps\RestartIt!.exe
C:\SDFix\apps\Restore_SecurityCenter.reg
C:\SDFix\apps\Restore_SharedAccess.reg
C:\SDFix\apps\sc.exe
C:\SDFix\apps\sed.exe
C:\SDFix\apps\SF.exe
C:\SDFix\apps\shutdown.exe
C:\SDFix\apps\srv2.txt
C:\SDFix\apps\srv2bk.txt
C:\SDFix\apps\svc.txt
C:\SDFix\apps\svcbk.txt
C:\SDFix\apps\swreg.exe
C:\SDFix\apps\swsc.exe
C:\SDFix\apps\unzip.exe
C:\SDFix\apps\vfind.exe
C:\SDFix\apps\WINMSG.EXE
C:\SDFix\apps\winsec.reg
C:\SDFix\apps\zip.exe
C:\SDFix\backups\backupreg.zip
C:\SDFix\backups\backups.zip
C:\SDFix\backups\catchme.log
C:\SDFix\backups\HOSTS
C:\SDFix\catchme.exe
C:\SDFix\dummy.sys
C:\SDFix\Report.txt
C:\SDFix\Report_old_1.txt
C:\SDFix\Report_old_2.txt
C:\SDFix\RunThis.bat
C:\SDFix\SDFIX_ReadMe_Online.url
C:\tesvlog.lvr
C:\WINDOWS\ccwl16.ini
C:\WINDOWS\guyi-emply.exe
C:\WINDOWS\ilovegoogle
C:\WINDOWS\ilovegoogle\google.dll
C:\WINDOWS\kkk.exe
C:\WINDOWS\kkkk.exe
C:\WINDOWS\Lhsp
C:\WINDOWS\Lhsp\Dialog\AExLxd60.dll
C:\WINDOWS\Lhsp\Dialog\FRFgnd60.dll
C:\WINDOWS\Lhsp\Dialog\FRFlxd60.dll
C:\WINDOWS\Lhsp\Dialog\Ipa.act
C:\WINDOWS\Lhsp\Dialog\WexLxd60.dll
C:\WINDOWS\Lhsp\G2P\FRFg2p60.dll
C:\WINDOWS\Lhsp\Help\FRFgnd60.hlp
C:\WINDOWS\Lhsp\Help\FRFlxd60.cnt
C:\WINDOWS\Lhsp\Help\FRFLXd60.hlp
C:\WINDOWS\Lhsp\Language\FRFCT160.dll
C:\WINDOWS\Lhsp\System\LHSAPI30.DLL
C:\WINDOWS\Lhsp\System\License.txt
C:\WINDOWS\Lhsp\System\ttsdct32.dll
C:\WINDOWS\Lhsp\System\ttsmgr32.dll
C:\WINDOWS\Lhsp\TPP\FRFeml60.dll
C:\WINDOWS\Lhsp\TPP\FRFtxt60.dll
C:\WINDOWS\Lhsp\ttsFRFwr.dll
C:\WINDOWS\Lhsp\Voice\FRFvf160.dll
C:\WINDOWS\Lhsp\Voice\FRFvm160.dll
C:\WINDOWS\speech
C:\WINDOWS\speech\spchtel.dll
C:\WINDOWS\speech\speech.cnt
C:\WINDOWS\speech\speech.dll
C:\WINDOWS\speech\speech.hlp
C:\WINDOWS\speech\vcauto.tlb
C:\WINDOWS\speech\vcmd.exe
C:\WINDOWS\speech\vcmshl.dll
C:\WINDOWS\speech\Vdict.dll
C:\WINDOWS\speech\VText.dll
C:\WINDOWS\speech\vtxtauto.tlb
C:\WINDOWS\speech\WrapSAPI.dll
C:\WINDOWS\speech\Xcommand.dll
C:\WINDOWS\speech\Xlisten.dll
C:\WINDOWS\speech\XTel.Dll
C:\WINDOWS\speech\Xvoice.dll
C:\WINDOWS\system32\0609
C:\WINDOWS\system32\1F9554ADE4.dll
C:\WINDOWS\system32\ccwl32.ini
C:\WINDOWS\system32\ccwld16_080331.dll
C:\WINDOWS\system32\conime
C:\WINDOWS\system32\conime\conime.ls
C:\WINDOWS\system32\dllcache\ieudinit.exe
C:\WINDOWS\system32\enyekhdbko.dll
C:\WINDOWS\system32\feigou.ini
C:\WINDOWS\system32\htpzvtlzif.dll
C:\WINDOWS\system32\hyjsphiuwh.dll
C:\WINDOWS\system32\iexlporer.exe
C:\WINDOWS\system32\qpcvxhkjvbzxe.dll
C:\WINDOWS\system32\resiifers.ini
C:\WINDOWS\system32\svshosts.dll
C:\WINDOWS\system32\unacev2.dll
C:\WINDOWS\system32\unrar3.dll
C:\WINDOWS\system32\wcbnurect.fl
C:\WINDOWS\system32\ztvcabinet.dll
C:\WINDOWS\system32\ztvunace26.dll
C:\WINDOWS\system32\ztvunrar36.dll
C:\WINDOWS\Tasks\A8BA34F990F9B205.job
C:\winsys.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_CONIME
-------\Legacy_MCHINJDRV
-------\Legacy_WINCOM
-------\Legacy_WPESERV
-------\Service_conime
-------\Service_mchInjDrv
-------\Service_WinCOM
-------\Service_WPEServ
((((((((((((((((((((((((( Files Created from 2008-03-26 to 2008-04-26 )))))))))))))))))))))))))))))))
.
2008-04-25 00:11 . 2008-04-25 00:11 472 --a------ C:\WINDOWS\system32\VUECDHHRWQG.reg
2008-04-18 21:31 . 2008-04-18 21:31 <DIR> d-------- C:\Documents and Settings\Administrator.GAN.000\Application Data\OnlineArmor
2008-04-18 21:31 . 2008-04-18 21:31 <DIR> d-------- C:\Documents and Settings\Administrator.GAN.000\Application Data\AVG7
2008-04-14 21:53 . 2003-08-20 14:45 <DIR> d-------- C:\Documents and Settings\Administrator.GAN.000\WINDOWS
2008-04-14 21:53 . 2003-08-20 15:32 <DIR> d---s---- C:\Documents and Settings\Administrator.GAN.000\UserData
2008-04-14 21:53 . 2008-04-14 21:54 <DIR> d-------- C:\Documents and Settings\Administrator.GAN.000
2008-04-14 21:53 . 2008-04-26 12:50 1,024 --ah----- C:\Documents and Settings\Administrator.GAN.000\ntuser.dat.LOG
2008-04-14 21:27 . 2003-08-20 14:45 <DIR> d-------- C:\Documents and Settings\Administrator.GAN\WINDOWS
2008-04-14 21:27 . 2003-08-20 15:32 <DIR> d---s---- C:\Documents and Settings\Administrator.GAN\UserData
2008-04-14 21:27 . 2008-04-14 21:27 <DIR> d-------- C:\Documents and Settings\Administrator.GAN
2008-04-14 21:27 . 2008-04-26 12:50 1,024 --ah----- C:\Documents and Settings\Administrator.GAN\ntuser.dat.LOG
2008-04-14 20:24 . 2008-04-14 20:24 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-14 20:22 . 2003-08-20 14:45 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-04-14 20:22 . 2003-08-20 15:32 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-04-14 20:22 . 2008-04-14 20:22 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-14 20:22 . 2008-04-26 12:50 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-14 19:26 . 2008-04-14 19:26 <DIR> d-------- C:\Program Files\Tall Emu
2008-04-14 19:26 . 2008-04-14 19:26 <DIR> d-------- C:\OnlineArmor
2008-04-14 19:26 . 2008-04-14 19:27 <DIR> d-------- C:\Documents and Settings\gan\Application Data\OnlineArmor
2008-04-14 19:26 . 2008-04-14 19:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\OnlineArmor
2008-04-14 19:26 . 2008-03-23 10:21 80,072 --a------ C:\WINDOWS\system32\drivers\OADriver.sys
2008-04-14 19:26 . 2008-03-23 10:21 32,456 --a------ C:\WINDOWS\system32\drivers\OAmon.sys
2008-04-14 19:26 . 2008-03-23 10:21 28,872 --a------ C:\WINDOWS\system32\drivers\oanet.sys
2008-04-13 18:50 . 2008-04-13 18:50 <DIR> d-------- C:\Program Files\Thunder Network
2008-04-10 19:51 . 2008-04-10 19:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-09 22:23 . 2008-04-09 22:23 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-09 22:23 . 2008-04-09 22:23 <DIR> d-------- C:\Documents and Settings\gan\Application Data\Malwarebytes
2008-04-09 22:23 . 2008-04-09 22:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-09 21:54 . 2008-04-09 21:54 <DIR> d-------- C:\Program Files\CCleaner
2008-04-06 01:04 . <DIR> C:\WINDOWS\¨’A™ú"O‹EO3œOAO‹
2008-04-06 01:04 . <DIR> C:\Program Files\¨’A™ú"O‹EO3œOAO‹
2008-04-06 00:32 . 2006-02-23 05:30 258,048 --a------ C:\WINDOWS\ctpu.exe
2008-04-06 00:32 . 2006-02-23 05:30 196,608 --a------ C:\WINDOWS\ResENU.PPC.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-05 17:04 --------- d-----w C:\Program Files\¿ÆÁÖ·¨ÓïÈÕ³£ÓÃÓï
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-01 10:36 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-27 16:29 --------- d-----w C:\Program Files\GRETECH
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 05:44 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
.
((((((((((((((((((((((((((((( snapshot@2008-04-14_22.19.47.59 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-14 14:15:14 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-26 04:56:50 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-04-23 18:51 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-04-23 18:44 610304]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 20:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 20:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 20:00 455168]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe" [2003-09-16 19:01 32881]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 20:25 579584]
"OnlineArmor GUI"="C:\Program Files\Tall Emu\Online Armor\oaui.exe" [2008-03-23 10:21 5519424]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-02 23:30 219136]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\MSMSGS.EXE"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\Explorer.exe"=
R1 OADevice;OADriver;C:\WINDOWS\system32\drivers\OADriver.sys [2008-03-23 10:21]
R1 OAmon;OAmon;C:\WINDOWS\system32\drivers\OAmon.sys [2008-03-23 10:21]
R1 OAnet;OAnet;C:\WINDOWS\system32\drivers\OAnet.sys [2008-03-23 10:21]
R1 RCFOX;SonicWALL IPsec Driver;C:\WINDOWS\system32\Drivers\RCFOX.sys [2004-10-15 10:46]
R3 rcvpn;SonicWALL VPN Adapter;C:\WINDOWS\system32\DRIVERS\rcvpn.sys [2003-08-20 14:01]
S2 SvcOnlineArmor;Online Armor;"C:\Program Files\Tall Emu\Online Armor\oasrv.exe" [2008-03-23 10:21]
S3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\CBTNDIS5.SYS [2003-07-16 22:28]
S3 TNET1130x;Wireless-G Notebook Adapter v.2.0;C:\WINDOWS\system32\DRIVERS\tnet1130x.sys []
S3 ZDCndis5;ZDCndis5 Protocol Driver;C:\WINDOWS\system32\ZDCndis5.SYS [2006-06-05 11:32]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
conime
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{81010eb7-0b5d-11dc-b4fd-101111111111}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
*Newly Created Service* - MCHINJDRV
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-26 12:58:37
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGUPSVC.EXE
.
**************************************************************************
.
Completion time: 2008-04-26 13:00:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-26 05:00:34
ComboFix3.txt 2008-04-14 14:21:46
ComboFix2.txt 2008-04-16 12:31:54
Pre-Run: 16,377,643,008 bytes free
Post-Run: 16,431,251,456 bytes free
478 --- E O F --- 2008-04-12 14:47:56
And the HijackThis log..
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:06, on 2008-04-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\gan\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jacktat.corp
O17 - HKLM\Software\..\Telephony: DomainName = jacktat.corp
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
--
End of file - 4660 bytes
PCBruiser
SRT Team Lead
 Forums Admin
 Joined: May 11, 2005 Posts: 11723
Posted: Mon Apr 28, 2008 5:45 pm
Hi,
Sorry for the delay in getting back to you. This weekend was totally taken up by family activities.
I want to rerun ComboFix with a new CFScript file. First, since ComboFix has been updated again, download a fresh copy and let it overwrite the current copy on your desktop.
Here is the new CFScript.txt code. Use this one exactly like what you did with the prior one.
1. Open notepad, go to the format menu, uncheck Word Wrap, and then copy/paste the text in the code box below into it:
Code:
KILLALL::
File::
C:\WINDOWS\system32\VUECDHHRWQG.reg
Folder::
C:\Program Files\¿ÆÁÖ·¨ÓïÈÕ³£ÓÃÓï
C:\Program Files\¨’A™ú"O‹EO3œOAO‹
C:\WINDOWS\¨’A™ú"O‹EO3œOAO‹ l
2. Please post the following:
a. combofix.txt
b. a fresh HJT log
_________________
Don't read? Can't learn!
girl17
Trooper
Joined: Apr 10, 2008 Posts: 34 Location: USA
Posted: Tue Apr 29, 2008 2:30 pm
Hi PCB..
I really appreciate that you take the trouble to reply to me despite your busy schedule..
Here is the ComboFix log..
ComboFix 08-04-24.1 - gan 2008-04-29 22:02:52.5 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.151 [GMT 8:00]
Running from: C:\Documents and Settings\gan\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\gan\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\WINDOWS\system32\VUECDHHRWQG.reg
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\VUECDHHRWQG.reg
.
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-29 )))))))))))))))))))))))))))))))
.
2008-04-29 21:07 . 2008-04-29 21:07 244 --ah----- C:\sqmnoopt17.sqm
2008-04-29 21:07 . 2008-04-29 21:07 232 --ah----- C:\sqmdata17.sqm
2008-04-29 20:49 . 2008-04-29 20:49 <DIR> d--hs---- C:\FOUND.000
2008-04-26 22:30 . 2008-04-26 22:30 <DIR> d-------- C:\Documents and Settings\gan\Application Data\funkitron
2008-04-26 15:40 . 2008-04-29 22:05 192 --a------ C:\tesvlog.lvr
2008-04-18 21:31 . 2008-04-18 21:31 <DIR> d-------- C:\Documents and Settings\Administrator.GAN.000\Application Data\OnlineArmor
2008-04-18 21:31 . 2008-04-18 21:31 <DIR> d-------- C:\Documents and Settings\Administrator.GAN.000\Application Data\AVG7
2008-04-14 21:53 . 2003-08-20 14:45 <DIR> d-------- C:\Documents and Settings\Administrator.GAN.000\WINDOWS
2008-04-14 21:53 . 2003-08-20 15:32 <DIR> d---s---- C:\Documents and Settings\Administrator.GAN.000\UserData
2008-04-14 21:53 . 2008-04-14 21:54 <DIR> d-------- C:\Documents and Settings\Administrator.GAN.000
2008-04-14 21:53 . 2008-04-27 14:33 1,024 --ah----- C:\Documents and Settings\Administrator.GAN.000\ntuser.dat.LOG
2008-04-14 21:27 . 2003-08-20 14:45 <DIR> d-------- C:\Documents and Settings\Administrator.GAN\WINDOWS
2008-04-14 21:27 . 2003-08-20 15:32 <DIR> d---s---- C:\Documents and Settings\Administrator.GAN\UserData
2008-04-14 21:27 . 2008-04-14 21:27 <DIR> d-------- C:\Documents and Settings\Administrator.GAN
2008-04-14 21:27 . 2008-04-26 12:50 1,024 --ah----- C:\Documents and Settings\Administrator.GAN\ntuser.dat.LOG
2008-04-14 20:24 . 2008-04-14 20:24 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-14 20:22 . 2003-08-20 14:45 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-04-14 20:22 . 2003-08-20 15:32 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-04-14 20:22 . 2008-04-14 20:22 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-14 20:22 . 2008-04-27 14:33 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-14 19:26 . 2008-04-14 19:26 <DIR> d-------- C:\Program Files\Tall Emu
2008-04-14 19:26 . 2008-04-14 19:26 <DIR> d-------- C:\OnlineArmor
2008-04-14 19:26 . 2008-04-14 19:27 <DIR> d-------- C:\Documents and Settings\gan\Application Data\OnlineArmor
2008-04-14 19:26 . 2008-04-14 19:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\OnlineArmor
2008-04-14 19:26 . 2008-03-23 10:21 80,072 --a------ C:\WINDOWS\system32\drivers\OADriver.sys
2008-04-14 19:26 . 2008-03-23 10:21 32,456 --a------ C:\WINDOWS\system32\drivers\OAmon.sys
2008-04-14 19:26 . 2008-03-23 10:21 28,872 --a------ C:\WINDOWS\system32\drivers\oanet.sys
2008-04-13 18:50 . 2008-04-13 18:50 <DIR> d-------- C:\Program Files\Thunder Network
2008-04-10 19:51 . 2008-04-10 19:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-09 22:23 . 2008-04-09 22:23 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-09 22:23 . 2008-04-09 22:23 <DIR> d-------- C:\Documents and Settings\gan\Application Data\Malwarebytes
2008-04-09 22:23 . 2008-04-09 22:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-09 21:54 . 2008-04-09 21:54 <DIR> d-------- C:\Program Files\CCleaner
2008-04-06 01:04 . <DIR> C:\WINDOWS\¨’A™ú"O‹EO3œOAO‹
2008-04-06 01:04 . <DIR> C:\Program Files\¨’A™ú"O‹EO3œOAO‹
2008-04-06 00:32 . 2006-02-23 05:30 258,048 --a------ C:\WINDOWS\ctpu.exe
2008-04-06 00:32 . 2006-02-23 05:30 196,608 --a------ C:\WINDOWS\ResENU.PPC.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-05 17:04 --------- d-----w C:\Program Files\¿ÆÁÖ·¨ÓïÈÕ³£ÓÃÓï
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-01 10:36 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 05:44 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
.
((((((((((((((((((((((((((((( snapshot@2008-04-14_22.19.47.59 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-14 14:15:14 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-29 14:09:18 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-04-23 18:51 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-04-23 18:44 610304]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 20:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 20:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 20:00 455168]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe" [2003-09-16 19:01 32881]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 20:25 579584]
"OnlineArmor GUI"="C:\Program Files\Tall Emu\Online Armor\oaui.exe" [2008-03-23 10:21 5519424]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-09 21:59 185896]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-02 23:30 219136]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= C:\PROGRA~1\TALLEM~1\ONLINE~1\oaevent.dll [2008-03-23 10:21 671432]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\MSMSGS.EXE"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\Explorer.exe"=
R1 OADevice;OADriver;C:\WINDOWS\system32\drivers\OADriver.sys [2008-03-23 10:21]
R1 OAmon;OAmon;C:\WINDOWS\system32\drivers\OAmon.sys [2008-03-23 10:21]
R1 OAnet;OAnet;C:\WINDOWS\system32\drivers\OAnet.sys [2008-03-23 10:21]
R1 RCFOX;SonicWALL IPsec Driver;C:\WINDOWS\system32\Drivers\RCFOX.sys [2004-10-15 10:46]
R2 SvcOnlineArmor;Online Armor;"C:\Program Files\Tall Emu\Online Armor\oasrv.exe" [2008-03-23 10:21]
R3 rcvpn;SonicWALL VPN Adapter;C:\WINDOWS\system32\DRIVERS\rcvpn.sys [2003-08-20 14:01]
S3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\CBTNDIS5.SYS [2003-07-16 22:28]
S3 TNET1130x;Wireless-G Notebook Adapter v.2.0;C:\WINDOWS\system32\DRIVERS\tnet1130x.sys []
S3 ZDCndis5;ZDCndis5 Protocol Driver;C:\WINDOWS\system32\ZDCndis5.SYS [2006-06-05 11:32]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
conime
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{81010eb7-0b5d-11dc-b4fd-101111111111}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-29 22:11:12
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mchInjDrv]
"ImagePath"="\??\C:\WINDOWS\TEMP\mc21.tmp"
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
.
**************************************************************************
.
Completion time: 2008-04-29 22:14:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-29 14:14:38
ComboFix4.txt 2008-04-14 14:21:46
ComboFix3.txt 2008-04-16 12:31:54
ComboFix2.txt 2008-04-26 05:00:44
Pre-Run: 16,316,989,440 bytes free
Post-Run: 16,303,357,952 bytes free
148 --- E O F --- 2008-04-12 14:47:56
And new hijackthis log..
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:16, on 2008-04-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\CF19936.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\gan\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\ComboFix\handle.cfexe
C:\ComboFix\sed.cfexe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jacktat.corp
O17 - HKLM\Software\..\Telephony: DomainName = jacktat.corp
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
--
End of file - 5168 bytes
How's the outcome? Is it positive?
Have a great day to you and take care..
Cheers,
Veronica
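PCBruiser asks for a fresh HijackThis log after every ComboFix run so that the two can be compared: the only way to tell what a script actually removed, and what has newly appeared, is to diff the process list and the O4/O23 autostart sections between runs. The block below is an added example for this thread, not code from HijackThis, ComboFix or any poster: a small Python parser for the HijackThis v2 log format (the `Running processes:` list followed by `Rx`/`Oxx` item lines) and a diff that reports new processes and new items per section. The two sample logs are constructed for the example; the `example_dropper.exe` path in them is a placeholder, not a detection from this thread.

```python
"""Parse HijackThis v2 logs and diff two of them to spot new autostart entries.

Added example for this thread; not part of HijackThis or ComboFix.
"""
import re
from dataclasses import dataclass, field

# HijackThis item lines look like "O4 - HKLM\..\Run: [Name] C:\path\prog.exe /flag"
# or "R1 - HKLM\Software\...: Default_Search_URL = http://..."; the section code
# is one letter followed by one or two digits.
ITEM_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")


@dataclass
class HJTLog:
    processes: list = field(default_factory=list)
    items: dict = field(default_factory=dict)  # section code -> list of item bodies


def parse_hjt(text: str) -> HJTLog:
    """Parse the text of a HijackThis v2 log into its process list and item sections."""
    log = HJTLog()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = ITEM_RE.match(line)
        if m:
            in_processes = False  # the first item line ends the process list
            log.items.setdefault(m.group("code"), []).append(m.group("body"))
        elif in_processes:
            log.processes.append(line)
    return log


def _norm(s: str) -> str:
    # Windows paths are case-insensitive; normalise so Explorer.EXE == explorer.exe.
    return s.lower()


def diff_hjt(old: HJTLog, new: HJTLog) -> dict:
    """Return what appears in `new` but not in `old`: processes, and items by section.

    Duplicate process lines (several svchost.exe) are collapsed, so this flags new
    paths rather than a changed count of an already-known process.
    """
    old_procs = {_norm(p) for p in old.processes}
    new_procs = sorted({p for p in new.processes if _norm(p) not in old_procs}, key=_norm)
    new_items = {}
    for code, bodies in new.items.items():
        seen = {_norm(b) for b in old.items.get(code, [])}
        added = sorted({b for b in bodies if _norm(b) not in seen}, key=_norm)
        if added:
            new_items[code] = added
    return {"processes": new_procs, "items": new_items}


# Constructed sample logs in HijackThis format (placeholders, not this thread's logs).
OLD_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:51, on 2008-04-25
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\svchost.exe
C:\\WINDOWS\\system32\\svchost.exe
C:\\WINDOWS\\explorer.exe
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.yahoo.com/
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\\Program Files\\Tall Emu\\Online Armor\\oasrv.exe
--
End of file - 4660 bytes
"""

NEW_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:16, on 2008-04-29
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\svchost.exe
C:\\WINDOWS\\system32\\example_dropper.exe
C:\\WINDOWS\\Explorer.EXE
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.yahoo.com/
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKLM\\..\\Run: [example] C:\\WINDOWS\\system32\\example_dropper.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\\Program Files\\Tall Emu\\Online Armor\\oasrv.exe
--
End of file - 5168 bytes
"""


def sample_diff() -> dict:
    """Diff the two constructed logs; the result is what a helper would review first."""
    return diff_hjt(parse_hjt(OLD_LOG), parse_hjt(NEW_LOG))


if __name__ == "__main__":
    result = sample_diff()
    for p in result["processes"]:
        print("new process:", p)
    for code, bodies in sorted(result["items"].items()):
        for b in bodies:
            print(f"new {code}:", b)
```

Run with two saved logs by reading their files into `parse_hjt` and passing the results to `diff_hjt`; the one-per-path collapsing means a machine that simply started one more `svchost.exe` instance is not reported, while a new path under `O4` or a new `O23` service is.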
grsamf
1st Responder Site Moderator
Joined: Oct 08, 2006 Posts: 1275
Posted: Wed Apr 30, 2008 4:55 pm
PCBruiser has experienced some hardware problems and is offline for a short time. Please be patient. He will return very soon to continue his assistance.
_________________
How to be wise in two easy steps: 1) Think of something really stupid to say. 2) Don't say it.
The better I get to know my fellow lawyers, the more I love my dog.
PCBruiser
SRT Team Lead
Forums Admin
Joined: May 11, 2005 Posts: 11723
Posted: Sun May 04, 2008 3:21 pm
Hi,
I apologize for the delay, but I had a major hardware failure. It was one real royal PITA. Bottom line, a USB port on the front panel of my case shorted out, and took the MB with it. When the MB shorted out, it killed one stick of RAM. And, when the system crashed, it killed most of my running software including all my security software, so all that had to be completely cleaned out (including the registry, much of which required manual editing) and freshly reinstalled. Three full days of diagnosis, a new case, RAM and motherboard, two builds, and a ton of software to reinstall.
Bah, I hate computers!
I'm going to lock this topic so that no one posts into it with a "me too ..." post. Send me a PM when you are ready to resume working on it. In addition to posting a fresh HJT log, also download a fresh copy of ComboFix and let it replace the one on your desktop, and then run a fresh CF log for me as well.
_________________
Don't read? Can't learn!
girl17
Trooper
Joined: Apr 10, 2008 Posts: 34 Location: USA
Posted: Mon May 26, 2008 2:16 pm
Hi PCB..
Hope everything is fine there..
My PC keeps receiving Trojan horse alerts from AVG.
(ie. Trojan horse PSW.Generic6.LHF,
Trojan horse PSW.Generic10.ACLW,
Trojan horse downloader.agent.AFBR etc)
I tried to scan my PC a few times, but I still can't remove them.
I have no idea what is actually going wrong, could you please help me?
Thanks and regards,
girl17
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:56, on 2008-05-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\gan\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jacktat.corp
O17 - HKLM\Software\..\Telephony: DomainName = jacktat.corp
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
--
End of file - 5460 bytes