system security


system security

Post by andrewvanderhevel on Wed Jul 29, 2009 6:15 pm

Hey, my gf got me this virus on my laptop and now I can't even run HijackThis. Well, I can run it, but it never saves the log at the end; it just closes. I can't use Firefox or anything, and antiviruses aren't working either.
Thanks for your time.


Re: system security

Post by Origin on Wed Jul 29, 2009 6:48 pm

Can you rename HijackThis to winlogon.exe and see if you can save the log?



Re: system security

Post by andrewvanderhevel on Wed Jul 29, 2009 7:19 pm

I tried that; it didn't work. I was able to run ComboFix and have a log from that. I'll post it in case it's any help.
ComboFix 09-07-29.01 - Administrator 07/29/2009 14:35.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.383.206 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\13548104
c:\documents and settings\All Users\Application Data\13548104\13548104
c:\documents and settings\All Users\Application Data\13548104\13548104.exe
C:\mnotvaq.exe
C:\qofg.exe
c:\windows\system\svchost.exe
c:\windows\system32\comsa32.sys
c:\windows\system32\drivers\81a39475.sys
c:\windows\system32\drivers\vsfoceacblovky.sys
c:\windows\system32\drivers\vsfocebjqjwipb.sys
c:\windows\system32\drivers\vsfocebnxtawuw.sys
c:\windows\system32\drivers\vsfocedkredxpx.sys
c:\windows\system32\drivers\vsfoceepojbfpx.sys
c:\windows\system32\drivers\vsfoceftewmror.sys
c:\windows\system32\drivers\vsfoceibeecbfo.sys
c:\windows\system32\drivers\vsfoceiposbrqg.sys
c:\windows\system32\drivers\vsfoceitynqwer.sys
c:\windows\system32\drivers\vsfoceivkdlbny.sys
c:\windows\system32\drivers\vsfocekyxeolwh.sys
c:\windows\system32\drivers\vsfocelkibeavp.sys
c:\windows\system32\drivers\vsfocemivkpyln.sys
c:\windows\system32\drivers\vsfoceosrridme.sys
c:\windows\system32\drivers\vsfocepcrnsber.sys
c:\windows\system32\drivers\vsfocetnkppbax.sys
c:\windows\system32\drivers\vsfocevnkvtsta.sys
c:\windows\system32\drivers\vsfocevpetijlh.sys
c:\windows\system32\drivers\vsfocewbfameox.sys
c:\windows\system32\drivers\vsfocewwosdfol.sys
c:\windows\system32\ghaf8jkdfd.dll
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\mobsyn.exe
c:\windows\system32\sdra64.exe
c:\windows\system32\sopidkc.exe
c:\windows\system32\vsfocegvxqgrev.dll
c:\windows\system32\vsfoceloratmsn.dat
c:\windows\system32\vsfocemktqfwbw.dll
c:\windows\system32\wiawow32.sys
c:\windows\Temp\1276687328.exe
c:\windows\Temp\2296494240.exe
c:\windows\Temp\24.exe
c:\windows\Temp\3437284672.exe



.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-29 )))))))))))))))))))))))))))))))
.

2009-07-29 18:11 . 2009-07-29 18:11 -------- d-----w- c:\program files\Trend Micro
2009-07-29 03:53 . 2009-07-29 03:53 38912 ----a-w- C:\jars.exe
2009-07-27 20:27 . 2008-10-16 18:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-07-27 20:04 . 2009-07-27 20:04 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2009-07-27 20:04 . 2009-07-29 18:33 -------- d-----w- c:\windows\system32\config\systemprofile\Tracing
2009-07-27 14:31 . 2009-07-27 14:32 4 ----a-w- c:\windows\system32\bincd32.dat
2009-07-27 14:31 . 2009-07-27 14:31 40960 --sh--r- c:\windows\system32\flashad32.dll
2009-07-27 14:31 . 2009-07-27 14:31 212480 ----a-w- c:\windows\system32\dllcache\ndis.sys
2009-07-27 14:30 . 2009-07-27 14:30 36 ----a-w- c:\windows\system32\sysnet.dat
2009-07-27 14:29 . 2009-07-27 14:33 64 ----a-w- c:\windows\ppp4.dat
2009-07-27 14:29 . 2009-07-27 14:33 2 ----a-w- c:\windows\ppp3.dat
2009-07-27 14:29 . 2009-07-27 14:29 176128 ----a-w- c:\windows\svchast.exe
2009-07-27 14:29 . 2009-07-27 14:29 827392 ----a-w- c:\windows\system32\dddesot.dll
2009-07-27 14:29 . 2009-07-27 14:32 65536 ----a-w- c:\windows\system32\desot.exe
2009-07-27 14:28 . 2009-07-27 14:28 33280 ----a-w- C:\ytnkf.exe
2009-07-27 14:28 . 2009-07-27 14:28 205258 ----a-w- C:\bicfei.exe
2009-07-27 14:28 . 2009-07-27 14:29 -------- d-----w- c:\program files\Windows Antivirus Pro
2009-07-27 14:28 . 2009-07-27 14:28 59904 ----a-w- c:\windows\system32\classapi64.dll
2009-07-27 14:28 . 2009-07-27 14:28 134144 ----a-w- c:\windows\system32\mapitools.dll
2009-07-27 14:28 . 2009-07-27 14:28 134144 ----a-w- C:\nklttk.exe
2009-07-27 14:27 . 2009-07-29 17:26 200704 ----a-w- c:\windows\system32\samsvc.exe
2009-07-27 01:46 . 2009-07-27 02:12 -------- d-----w- c:\documents and settings\Administrator\Tracing
2009-07-27 01:42 . 2009-07-27 01:42 -------- d-----w- c:\program files\Microsoft
2009-07-27 01:40 . 2009-07-27 01:40 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-07-27 01:38 . 2009-07-27 01:41 -------- d-----w- c:\program files\Windows Live
2009-07-27 01:28 . 2009-07-27 01:28 -------- d-----w- c:\program files\Common Files\Windows Live
2009-07-26 23:33 . 2009-07-26 23:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\JewelMatch2
2009-07-26 04:04 . 2009-07-26 04:05 2383904 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\Unpack\bfgsetup_s1_l1.exe
2009-07-26 04:04 . 2009-07-26 04:04 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
2009-07-26 03:05 . 2009-07-26 03:05 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-07-25 17:58 . 2009-07-25 17:58 -------- d-----w- c:\program files\Bejeweled 2 Deluxe
2009-07-25 17:52 . 2009-07-27 05:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\BitTorrent
2009-07-25 17:51 . 2009-07-25 17:51 -------- d-----w- c:\program files\BitTorrent
2009-07-25 17:51 . 2009-07-25 17:51 -------- d-----w- c:\program files\AskBarDis
2009-07-24 18:44 . 2008-03-05 20:03 479752 ----a-w- c:\windows\system32\XAudio2_0.dll
2009-07-24 18:43 . 2005-05-26 19:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2009-07-24 18:42 . 2009-07-24 18:42 -------- d-----w- c:\windows\Logs
2009-07-24 17:39 . 2009-07-24 17:39 -------- d-----w- c:\program files\Redbana
2009-07-24 17:39 . 2009-07-24 17:39 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-24 17:38 . 2009-07-24 17:38 -------- d-----w- c:\program files\Common Files\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-27 14:31 . 2004-08-04 12:00 212480 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-07-27 01:45 . 2008-05-24 02:51 12912 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-27 00:31 . 2008-07-29 02:29 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-27 00:05 . 2008-06-01 03:47 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-26 20:51 . 2009-07-26 20:51 0 ----a-w- c:\windows\system32\drivers\SETD.tmp
2009-07-26 05:30 . 2000-12-06 08:52 16 -c--a-w- c:\windows\popcinfo.dat
2009-07-25 15:49 . 2008-06-11 19:47 768 ----a-w- c:\windows\system32\d3d8caps.dat
2009-06-16 14:55 . 2004-08-04 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-07 14:10 . 2008-07-13 03:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2009-06-07 14:02 . 2008-07-13 03:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-06-03 19:27 . 2004-08-04 12:00 1290752 ----a-w- c:\windows\system32\quartz.dll
2009-06-01 06:02 . 2009-06-01 06:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-01 06:02 . 2009-06-01 06:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-01 06:01 . 2009-06-01 06:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-01 05:53 . 2007-12-03 00:24 -------- d-----w- c:\program files\Yahoo!
2009-05-26 17:20 . 2009-06-01 06:01 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 17:19 . 2009-06-01 06:01 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-19 22:10 . 2009-05-19 22:10 143864 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\flower-paradise_s1_l1_gF5012T1L1_d589772138.exe
2009-05-19 22:10 . 2009-05-19 22:10 2319528 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\clientinstaller\bfgsetup_s1_l1.exe
2009-05-07 15:44 . 2004-08-04 12:00 344064 ----a-w- c:\windows\system32\localspl.dll
2009-07-27 01:04 . 2008-08-26 18:44 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{58101905-D80F-4788-96F6-98618186178A}"= "c:\windows\system32\flashad32.dll" [2009-07-27 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt64chain]
2009-07-27 14:28 59904 ----a-w- c:\windows\system32\classapi64.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R3 neo20xx;neo20xx;c:\windows\system32\drivers\neo20xx.sys [11/16/2000 7:02 PM 39264]
R3 wdm_nm6;NeoMagic MagicMedia 256 + AC97 Driver (WDM);c:\windows\system32\drivers\nm6wdm.sys [11/16/2000 7:02 PM 87040]
R3 WPC54Gv3;Linksys Wireless Notebook Adapter WPC54Gv3 Driver;c:\windows\system32\drivers\WPC54Gv3.SYS [12/1/2006 12:54 AM 610816]
S3 atimtai;atimtai;c:\windows\system32\drivers\atimtai.sys [11/24/2007 11:27 AM 281600]
S3 CBEN5;Xircom CardBus Ethernet 10/100 Adapter family Driver;c:\windows\system32\drivers\cben5.sys [11/24/2007 11:27 AM 46108]
S3 maestro;ESS Maestro 3 Audio Driver (WDM);c:\windows\system32\drivers\es198x.sys [11/24/2007 11:26 AM 174464]
S3 XDva275;XDva275;\??\c:\windows\system32\XDva275.sys --> c:\windows\system32\XDva275.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - {79007602-0CDB-4405-9DBF-1257BB3226ED}
*NewlyCreated* - {79007602-0CDB-4405-9DBF-1257BB3226EE}
*Deregistered* - {79007602-0CDB-4405-9DBF-1257BB3226EE}
.
Contents of the 'Scheduled Tasks' folder

2009-07-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 21:57]
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-HookURL - (no file)
URLSearchHooks-Rank - (no file)


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Administrator\Start Menu\Programs\IMVU\Run IMVU.lnk
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ny0z0or0.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]


Re: system security

Post by andrewvanderhevel on Wed Jul 29, 2009 7:20 pm

FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 51436
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ny0z0or0.default\extensions\activegs@freetoolsassociation.com\plugins\npActiveGS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-07-29 14:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\FontCache3.0.0.0]
"ImagePath"="c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Fs_Rec]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Ftdisk]
"ImagePath"="system32\DRIVERS\ftdisk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Gpc]
"ImagePath"="system32\DRIVERS\msgpc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\helpsvc]
"ServiceDll"="%WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\HidServ]
"ServiceDll"="%SystemRoot%\System32\hidserv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\HidUsb]
"ImagePath"="system32\DRIVERS\hidusb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\hpn]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\HTTP]
"ImagePath"="System32\Drivers\HTTP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\HTTPFilter]
"ServiceDll"="%SystemRoot%\System32\w3ssl.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\i2omgmt]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\i2omp]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\i8042prt]
"ImagePath"="system32\DRIVERS\i8042prt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\idsvc]
"ImagePath"="\"c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Imapi]
"ImagePath"="system32\DRIVERS\imapi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\ImapiService]
"ImagePath"="%systemroot%\system32\imapi.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\inetaccs]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\ini910u]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Inport]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\IntelIde]
"ImagePath"="system32\DRIVERS\intelide.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Ip6Fw]
"ImagePath"="system32\DRIVERS\Ip6Fw.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\IpFilterDriver]
"ImagePath"="system32\DRIVERS\ipfltdrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\IpInIp]
"ImagePath"="system32\DRIVERS\ipinip.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\IpNat]
"ImagePath"="system32\DRIVERS\ipnat.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\IPSec]
"ImagePath"="system32\DRIVERS\ipsec.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\IRENUM]
"ImagePath"="system32\DRIVERS\irenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\ISAPISearch]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\isapnp]
"ImagePath"="system32\DRIVERS\isapnp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Kbdclass]
"ImagePath"="system32\DRIVERS\kbdclass.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\kmixer]
"ImagePath"="system32\drivers\kmixer.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\KSecDD]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\lanmanserver]
"ServiceDll"="%SystemRoot%\System32\srvsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\lanmanworkstation]
"ServiceDll"="%SystemRoot%\System32\wkssvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\lbrtfdc]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\ldap]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\LicenseService]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\LmHosts]
"ServiceDll"="%SystemRoot%\System32\lmhsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\maestro]
"ImagePath"="system32\drivers\es198x.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Messenger]
"ServiceDll"="%SystemRoot%\System32\msgsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\mnmdd]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\mnmsrvc]
"ImagePath"="c:\windows\system32\mnmsrvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Modem]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Mouclass]
"ImagePath"="system32\DRIVERS\mouclass.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\mouhid]
"ImagePath"="system32\DRIVERS\mouhid.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\MountMgr]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\mraid35x]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\MRxDAV]
"ImagePath"="system32\DRIVERS\mrxdav.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\MRxSmb]
"ImagePath"="system32\DRIVERS\mrxsmb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\MSDTC]
"ImagePath"="c:\windows\system32\msdtc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\MSDTC Bridge 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Msfs]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\MSIServer]
"ImagePath"="%systemroot%\system32\msiexec.exe /V"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\MSKSSRV]
"ImagePath"="system32\drivers\MSKSSRV.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\MSMQSVC]
"ImagePath"="c:\windows\system32\mqsv32.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\MSPCLOCK]
"ImagePath"="system32\drivers\MSPCLOCK.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\MSPQM]
"ImagePath"="system32\drivers\MSPQM.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\mssmbios]
"ImagePath"="system32\DRIVERS\mssmbios.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Mup]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\NDIS]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\NdisTapi]
"ImagePath"="system32\DRIVERS\ndistapi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Ndisuio]
"ImagePath"="system32\DRIVERS\ndisuio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\NdisWan]
"ImagePath"="system32\DRIVERS\ndiswan.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\NDProxy]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\neo20xx]
"ImagePath"="system32\DRIVERS\neo20xx.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\NetBIOS]
"ImagePath"="system32\DRIVERS\netbios.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\NetBT]
"ImagePath"="system32\DRIVERS\netbt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\NetDDE]
"ImagePath"="%SystemRoot%\system32\netdde.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\NetDDEdsdm]
"ImagePath"="%SystemRoot%\system32\netdde.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Netlogon]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Netman]
"ServiceDll"="%SystemRoot%\System32\netman.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\NetTcpPortSharing]
"ImagePath"="\"c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Nla]
"ServiceDll"="%SystemRoot%\System32\mswsock.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Npfs]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Ntfs]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\NtLmSsp]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\NtmsSvc]
"ServiceDll"="%SystemRoot%\system32\ntmssvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Null]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\NwlnkFlt]
"ImagePath"="system32\DRIVERS\nwlnkflt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\NwlnkFwd]
"ImagePath"="system32\DRIVERS\nwlnkfwd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\P3]
"ImagePath"="system32\DRIVERS\p3.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Parport]
"ImagePath"="system32\DRIVERS\parport.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\PartMgr]

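A first triage pass over the kind of log posted above, as an added example that is not part of this thread or of ComboFix itself. It assumes the three line shapes visible in the log (the "created . modified size attrs path" entries of the Files Created section, the `[HKEY_...]` headers and value lines of the Reg Loading Points section, and the `FF - prefs.js:` lines), and the sample input is constructed from paths in that log. The heuristics are this example's own, not a ComboFix feature: executables dropped directly in the drive root, %windir% or its Temp folder; hidden+system attributes on a binary; names one edit away from a core system process or a system-named file outside system32; anything registered under ShellExecuteHooks or Winlogon\Notify; and a Firefox proxy pointed at loopback, which is how the posted prefs.js entries route every page through a local process.

```python
"""Triage a ComboFix-style log for the drop locations and load points malware favours."""
import re
from dataclasses import dataclass

# Constructed sample in the shape of the ComboFix sections posted above; the paths
# are copied from that log, but this script is an added example, not ComboFix code.
SAMPLE_LOG = """\
2009-07-29 03:53 . 2009-07-29 03:53 38912 ----a-w- C:\\jars.exe
2009-07-27 14:31 . 2009-07-27 14:31 40960 --sh--r- c:\\windows\\system32\\flashad32.dll
2009-07-27 14:29 . 2009-07-27 14:29 176128 ----a-w- c:\\windows\\svchast.exe
2009-07-27 14:28 . 2009-07-27 14:28 33280 ----a-w- C:\\ytnkf.exe
2009-07-24 18:43 . 2005-05-26 19:34 2297552 ----a-w- c:\\windows\\system32\\d3dx9_26.dll
[hkey_local_machine\\software\\microsoft\\windows\\currentversion\\explorer\\ShellExecuteHooks]
"{58101905-D80F-4788-96F6-98618186178A}"= "c:\\windows\\system32\\flashad32.dll" [2009-07-27 40960]
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\crypt64chain]
2009-07-27 14:28 59904 ----a-w- c:\\windows\\system32\\classapi64.dll
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 51436
FF - prefs.js: network.proxy.type - 1
"""

# "created . modified size attrs path" entries from the Files Created / Find3M sections
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size>\S+) (?P<attrs>\S+) (?P<path>.+)$")
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")             # [HKEY_...] section headers
FF_RE = re.compile(r"^FF - prefs\.js: (?P<name>\S+) - (?P<value>.+)$")
PATH_RE = re.compile(r'[a-z]:\\[^"\[\]]+', re.I)           # first Windows path on a line

EXEC_EXT = (".exe", ".dll", ".sys")
DROP_DIRS = {"c:", "c:\\windows", "c:\\windows\\temp"}    # installers rarely drop binaries here
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
SYSTEM_DIR = "c:\\windows\\system32"                       # where the real copies live
LOAD_POINTS = ("shellexecutehooks", "winlogon\\notify")    # run inside Explorer / at every logon

@dataclass(frozen=True)
class Finding:
    path: str
    reason: str

def within_one_edit(a, b):
    """Levenshtein distance <= 1; enough to catch svchast.exe-style lookalikes."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        i += len(a) >= len(b)   # advance the longer string (both on a substitution)
        j += len(b) >= len(a)
    return True

def _check_file(path, attrs):
    if attrs.startswith("d"):   # directory entry, nothing to judge here
        return []
    folder, _, name = path.lower().rpartition("\\")
    if not name.endswith(EXEC_EXT):
        return []
    out = []
    if folder in DROP_DIRS:
        out.append(Finding(path, f"executable dropped directly in {folder}\\"))
    if attrs[2:4] == "sh":      # ComboFix attr columns: d c s h a - w/r -
        out.append(Finding(path, "hidden+system attributes on an executable"))
    for sysname in SYSTEM_NAMES:
        if within_one_edit(name, sysname) and not (name == sysname and folder == SYSTEM_DIR):
            out.append(Finding(path, f"lookalike of {sysname} outside its normal location"))
    return out

def triage(log_text):
    """Return a Finding for every suspicious line in a ComboFix-style log."""
    findings, prefs, current_key = [], {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := KEY_RE.match(line):
            current_key = m["key"].lower()
        elif m := FF_RE.match(line):
            prefs[m["name"]] = m["value"].strip()
        elif m := FILE_RE.match(line):
            findings.extend(_check_file(m["path"].strip(), m["attrs"]))
        elif current_key:       # a value line under the most recent registry key
            point = next((p for p in LOAD_POINTS if p in current_key), None)
            pm = PATH_RE.search(line)
            if point and pm:
                findings.append(Finding(pm.group(0).strip(), f"registered under {point} load point"))
    proxy = prefs.get("network.proxy.http", "")
    if prefs.get("network.proxy.type") == "1" and (proxy == "localhost" or proxy.startswith("127.")):
        port = prefs.get("network.proxy.http_port", "?")
        findings.append(Finding(f"{proxy}:{port}", "Firefox HTTP traffic forced through a local proxy"))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:55} {f.path}")
```

Run it against a saved ComboFix log with `triage(open("ComboFix.txt").read())`; on the sample it reports the two root-level executables, the hidden+system DLL that is also hooked into ShellExecuteHooks, the svchost lookalike in %windir%, the Winlogon Notify DLL and the loopback proxy on port 51436. Everything it flags still needs a human to confirm (a legitimate driver can sit in %windir%), but these are the entries worth looking at before anything else in a log this long.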

Re: system security

Post by andrewvanderhevel on Wed Jul 29, 2009 7:23 pm

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\ParVdm]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\PCI]
"ImagePath"="system32\DRIVERS\pci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\PCIDump]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\PCIIde]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Pcmcia]
"ImagePath"="system32\DRIVERS\pcmcia.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\PDCOMP]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\PDFRAME]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\PDRELI]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\PDRFRAME]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\perc2]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\perc2hib]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\PerfDisk]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\PerfNet]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\PerfOS]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\PerfProc]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\PlugPlay]
"ImagePath"="%SystemRoot%\system32\services.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\PolicyAgent]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\PptpMiniport]
"ImagePath"="system32\DRIVERS\raspptp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\ProtectedStorage]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\PSched]
"ImagePath"="system32\DRIVERS\psched.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Ptilink]
"ImagePath"="system32\DRIVERS\ptilink.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\ql1080]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Ql10wnt]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\ql12160]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\ql1240]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\ql1280]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\RasAcd]
"ImagePath"="system32\DRIVERS\rasacd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\RasAuto]
"ServiceDll"="%SystemRoot%\System32\rasauto.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Rasl2tp]
"ImagePath"="system32\DRIVERS\rasl2tp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\RasMan]
"ServiceDll"="%SystemRoot%\System32\rasmans.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\RasPppoe]
"ImagePath"="system32\DRIVERS\raspppoe.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Raspti]
"ImagePath"="system32\DRIVERS\raspti.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Rdbss]
"ImagePath"="system32\DRIVERS\rdbss.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\RDPCDD]
"ImagePath"="System32\DRIVERS\RDPCDD.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\RDPDD]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\rdpdr]
"ImagePath"="system32\DRIVERS\rdpdr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\RDPNP]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\RDPWD]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\RDSessMgr]
"ImagePath"="c:\windows\system32\sessmgr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\redbook]
"ImagePath"="system32\DRIVERS\redbook.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\RemoteAccess]
"ServiceDll"="%SystemRoot%\System32\mprdim.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\RemoteRegistry]
"ServiceDll"="%SystemRoot%\system32\regsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\RpcLocator]
"ImagePath"="%SystemRoot%\system32\locator.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\RpcSs]
"ServiceDll"="%SystemRoot%\System32\rpcss.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\RSVP]
"ImagePath"="%SystemRoot%\system32\rsvp.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\SamSs]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\SCardSvr]
"ImagePath"="%SystemRoot%\System32\SCardSvr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Schedule]
"ServiceDll"="%SystemRoot%\system32\schedsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Secdrv]
"ImagePath"="system32\DRIVERS\secdrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\seclogon]
"ServiceDll"="%SystemRoot%\System32\seclogon.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\SENS]
"ServiceDll"="%SystemRoot%\system32\sens.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\serenum]
"ImagePath"="system32\DRIVERS\serenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Serial]
"ImagePath"="system32\DRIVERS\serial.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\ServiceModelEndpoint 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\ServiceModelOperation 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\ServiceModelService 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Sfloppy]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\SharedAccess]
"ServiceDll"="%SystemRoot%\System32\ipnathlp.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\ShellHWDetection]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Simbad]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\SMSvcHost 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Sparrow]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\splitter]
"ImagePath"="system32\drivers\splitter.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Spooler]
"ImagePath"="%SystemRoot%\system32\spoolsv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\sr]
"ImagePath"="system32\DRIVERS\sr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\srservice]
"ServiceDll"="%SystemRoot%\system32\srsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Srv]
"ImagePath"="system32\DRIVERS\srv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\SSDPSRV]
"ServiceDll"="%SystemRoot%\System32\ssdpsrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\stisvc]
"ServiceDll"="%SystemRoot%\system32\wiaservc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\swenum]
"ImagePath"="system32\DRIVERS\swenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\swmidi]
"ImagePath"="system32\drivers\swmidi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\SwPrv]
"ImagePath"="c:\windows\system32\dllhost.exe /Processid:{8F216BE2-D942-417C-898C-422DCA2B8A80}"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\symc810]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\symc8xx]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\sym_hi]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\sym_u3]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\sysaudio]
"ImagePath"="system32\drivers\sysaudio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\SysmonLog]
"ImagePath"="%SystemRoot%\system32\smlogsvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\TapiSrv]
"ServiceDll"="%SystemRoot%\System32\tapisrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Tcpip]
"ImagePath"="system32\DRIVERS\tcpip.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\TDPIPE]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\TDTCP]


Re: system security

Post by andrewvanderhevel on Wed Jul 29, 2009 7:24 pm

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\TermDD]
"ImagePath"="system32\DRIVERS\termdd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\TermService]
"ServiceDll"="%SystemRoot%\System32\termsrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Themes]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\TlntSvr]
"ImagePath"="c:\windows\system32\tlntsvr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\TosIde]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\TrkWks]
"ServiceDll"="%SystemRoot%\system32\trkwks.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\TSDDD]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Udfs]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\ultra]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Update]
"ImagePath"="system32\DRIVERS\update.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\upnphost]
"ServiceDll"="%SystemRoot%\System32\upnphost.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\UPS]
"ImagePath"="%SystemRoot%\System32\ups.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\usbccgp]
"ImagePath"="system32\DRIVERS\usbccgp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\usbhub]
"ImagePath"="system32\DRIVERS\usbhub.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\usbprint]
"ImagePath"="system32\DRIVERS\usbprint.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\USBSTOR]
"ImagePath"="system32\DRIVERS\USBSTOR.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\usbuhci]
"ImagePath"="system32\DRIVERS\usbuhci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\VgaSave]
"ImagePath"="\SystemRoot\System32\drivers\vga.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\ViaIde]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Viewpoint Manager Service]
"ImagePath"="\"c:\program files\Viewpoint\Common\ViewpointService.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\VolSnap]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\VSS]
"ImagePath"="%SystemRoot%\System32\vssvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\VxD]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\W32Time]
"ServiceDll"="%systemroot%\system32\w32time.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\W3SVC]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Wanarp]
"ImagePath"="system32\DRIVERS\wanarp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\wanatw]
"ImagePath"="system32\DRIVERS\wanatw4.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\WDICA]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\wdmaud]
"ImagePath"="system32\drivers\wdmaud.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\wdm_nm6]
"ImagePath"="system32\drivers\nm6wdm.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\WebClient]
"ServiceDll"="%SystemRoot%\System32\webclnt.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Windows Workflow Foundation 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\winmgmt]
"ServiceDll"="%SystemRoot%\system32\wbem\WMIsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Winsock]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\WinSock2]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\WinTrust]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\WmdmPmSN]
"ServiceDll"="c:\windows\system32\MsPMSNSv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Wmi]
"ServiceDll"="%SystemRoot%\System32\advapi32.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\WmiApRpl]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\WmiApSrv]
"ImagePath"="c:\windows\system32\wbem\wmiapsrv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\WMPNetworkSvc]
"ImagePath"="\"c:\program files\Windows Media Player\WMPNetwk.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\WPC54Gv3]
"ImagePath"="system32\DRIVERS\WPC54Gv3.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\WpdUsb]
"ImagePath"="system32\DRIVERS\wpdusb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\WS2IFSL]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\wscsvc]
"ServiceDll"="%SYSTEMROOT%\system32\wscsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\wuauserv]
"ServiceDll"="c:\windows\system32\wuauserv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\WudfPf]
"ImagePath"="system32\DRIVERS\WudfPf.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\WudfRd]
"ImagePath"="system32\DRIVERS\wudfrd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\WudfSvc]
"ServiceDll"="%SystemRoot%\System32\WUDFSvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\WZCSVC]
"ServiceDll"="%SystemRoot%\System32\wzcsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\XDva275]
"ImagePath"="\??\c:\windows\system32\XDva275.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\xmlprov]
"ServiceDll"="%SystemRoot%\System32\xmlprov.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\{6DB9D208-7474-433A-8C11-1820C1762E1B}]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\{8ABCE56B-A335-4FEF-A0A9-FAA32C639058}]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\{C854615E-02D9-4DE1-AFE5-A87B06A611AC}]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\{EE455A9B-55F4-433F-8EDA-897D949A5095}]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\{F005C884-A84E-4BDF-BB6D-8AA32E45FD82}]
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(624)
c:\windows\system32\classapi64.dll

- - - - - - - > 'explorer.exe'(5808)
c:\windows\system32\flashad32.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Viewpoint\Common\ViewpointService.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-29 15:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-29 19:05

Pre-Run: 694,960,128 bytes free
Post-Run: 702,763,008 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=5 Default=5 Failed=3 LastKnownGood=1 Sets=1,3,4,5
592 --- E O F --- 2009-07-27 20:17


Re: system security

Post by andrewvanderhevel on Wed Jul 29, 2009 8:02 pm

When I try to open Malwarebytes, it says Windows cannot access the specific device path or file. I tried reinstalling it and stuff. HijackThis says the same thing; I'm signed in as an admin.


Re: system security

Post by Origin on Thu Jul 30, 2009 5:33 pm

Now open a new notepad file.
Input this into the notepad file:

Folder::
C:\jars.exe
c:\program files\Windows Antivirus Pro
c:\program files\BitTorrent
c:\program files\AskBarDis

File::
c:\windows\ppp4.dat
c:\windows\ppp3.dat
c:\windows\svchast.exe
c:\windows\system32\desot.exe
C:\ytnkf.exe
C:\bicfei.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=-

Driver::
XDva275

Firefox::
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open ComboFix again; agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to.)
Post the resulting log back here.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Master

Posts Posts : 2685
Joined Joined : 2009-05-05
Gender Gender : Male
OS OS : Windows Xp Sp3
Points Points : 31483
# Likes # Likes : 0

View user profile

Back to top Go down
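A CFScript is a plain text file whose `Folder::`, `File::`, `Registry::`, `Driver::` and `Firefox::` headers tell ComboFix what to remove. Before handing such a script to a user, a helper normally reviews exactly what it will touch. The following parser is an added example, not ComboFix's own code or anything posted by Origin; it splits a script into sections, lists the registry values it deletes (the `=-` syntax) and flags executables sitting directly in a drive root. The sample script is constructed from the entries in the post above.

```python
"""Parse a ComboFix CFScript into sections and summarise what it would act on.

Added example for review purposes; the section names and the "=-" delete
syntax follow the script shown in the thread. SAMPLE_SCRIPT is constructed
from that script and is not a complete copy of it.
"""
import re
from collections import OrderedDict

# Section headers that appear in the script posted above.
KNOWN_SECTIONS = {"Folder", "File", "Registry", "Driver", "Firefox"}

SAMPLE_SCRIPT = """\
Folder::
C:\\jars.exe
c:\\program files\\Windows Antivirus Pro

File::
c:\\windows\\ppp4.dat
c:\\windows\\svchast.exe

Registry::
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"=-

Driver::
XDva275

Firefox::
FF - plugin: c:\\program files\\Mozilla Firefox\\plugins\\npViewpoint.dll
"""


def parse_cfscript(text):
    """Return an ordered mapping of section name -> list of non-empty entry lines."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.fullmatch(r"([A-Za-z]+)::", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        sections[current].append(line)
    return sections


def registry_deletions(lines):
    """Return (key, value_name) pairs for every value the Registry:: section deletes.

    A value line ending in "=-" under a [key] header removes that value.
    """
    deletions = []
    key = None
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif line.endswith("=-") and key is not None:
            deletions.append((key, line[:-2].strip('"')))
    return deletions


def review(text):
    """Summarise a script: per-section counts, unknown headers, registry deletes,
    and any Folder::/File:: entry that is a bare path directly under a drive root
    (a common location for dropper executables and worth a second look)."""
    sections = parse_cfscript(text)
    root_level = [
        path
        for name in ("Folder", "File")
        for path in sections.get(name, [])
        if re.fullmatch(r"[A-Za-z]:\\[^\\]+", path)
    ]
    return {
        "counts": {name: len(entries) for name, entries in sections.items()},
        "unknown_sections": sorted(set(sections) - KNOWN_SECTIONS),
        "registry_deletions": registry_deletions(sections.get("Registry", [])),
        "root_level_paths": root_level,
    }


if __name__ == "__main__":
    for item, value in review(SAMPLE_SCRIPT).items():
        print(f"{item}: {value}")
```

Running the block prints the summary for the constructed sample; `review()` can be pointed at any CFScript text read from disk. An unknown header name in `unknown_sections` usually means a typo that would make ComboFix silently skip that block.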

Re: system security

Post by andrewvanderhevel on Sun Aug 02, 2009 4:58 pm

ComboFix 09-07-29.04 - Administrator 07/31/2009 5:15.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.383.161 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

FILE ::
"C:\bicfei.exe"
"c:\windows\ppp3.dat"
"c:\windows\ppp4.dat"
"c:\windows\svchast.exe"
"c:\windows\system32\desot.exe"
"C:\ytnkf.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\bicfei.exe
c:\program files\AskBarDis
c:\program files\AskBarDis\bar\bin\askBar.dll
c:\program files\AskBarDis\bar\bin\askPopStp.dll
c:\program files\AskBarDis\bar\bin\psvince.dll
c:\program files\AskBarDis\bar\Settings\AskLogo.ico
c:\program files\AskBarDis\bar\Settings\config.dat
c:\program files\AskBarDis\bar\Settings\config.dat.bak
c:\program files\AskBarDis\bar\Settings\prevCfg2.htm
c:\program files\AskBarDis\unins000.dat
c:\program files\AskBarDis\unins000.exe
c:\program files\BitTorrent
c:\program files\BitTorrent\bittorrent.exe
c:\program files\BitTorrent\uninst.exe
c:\program files\Windows Antivirus Pro
c:\program files\Windows Antivirus Pro\msvcm80.dll
c:\program files\Windows Antivirus Pro\msvcp80.dll
c:\program files\Windows Antivirus Pro\msvcr80.dll
c:\program files\Windows Antivirus Pro\Windows Antivirus Pro.exe
c:\windows\ppp3.dat
c:\windows\ppp4.dat
c:\windows\svchast.exe
c:\windows\system32\desot.exe
c:\windows\system32\drivers\ntndis.sys
C:\ytnkf.exe



.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_XDVA275
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_XDva275


((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-31 )))))))))))))))))))))))))))))))
.

2009-07-30 03:28 . 2009-07-30 03:32 -------- d-----w- c:\program files\Bejeweled Twist
2009-07-29 03:53 . 2009-07-29 03:53 38912 ----a-w- C:\jars.exe
2009-07-27 20:27 . 2008-10-16 18:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-07-27 20:04 . 2009-07-27 20:04 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2009-07-27 20:04 . 2009-07-30 21:03 -------- d-----w- c:\windows\system32\config\systemprofile\Tracing
2009-07-27 14:31 . 2009-07-27 14:32 4 ----a-w- c:\windows\system32\bincd32.dat
2009-07-27 14:31 . 2009-07-27 14:31 40960 --sh--r- c:\windows\system32\flashad32.dll
2009-07-27 14:31 . 2009-07-27 14:31 212480 ----a-w- c:\windows\system32\dllcache\ndis.sys
2009-07-27 14:30 . 2009-07-27 14:30 36 ----a-w- c:\windows\system32\sysnet.dat
2009-07-27 14:29 . 2009-07-27 14:29 827392 ----a-w- c:\windows\system32\dddesot.dll
2009-07-27 14:28 . 2009-07-27 14:28 59904 ----a-w- c:\windows\system32\classapi64.dll
2009-07-27 14:28 . 2009-07-27 14:28 134144 ----a-w- c:\windows\system32\mapitools.dll
2009-07-27 14:28 . 2009-07-27 14:28 134144 ----a-w- C:\nklttk.exe
2009-07-27 14:27 . 2009-07-29 17:26 200704 ----a-w- c:\windows\system32\samsvc.exe
2009-07-27 01:46 . 2009-07-27 02:12 -------- d-----w- c:\documents and settings\Administrator\Tracing
2009-07-27 01:42 . 2009-07-27 01:42 -------- d-----w- c:\program files\Microsoft
2009-07-27 01:40 . 2009-07-27 01:40 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-07-27 01:38 . 2009-07-27 01:41 -------- d-----w- c:\program files\Windows Live
2009-07-27 01:28 . 2009-07-27 01:28 -------- d-----w- c:\program files\Common Files\Windows Live
2009-07-26 23:33 . 2009-07-26 23:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\JewelMatch2
2009-07-26 04:04 . 2009-07-26 04:05 2383904 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\Unpack\bfgsetup_s1_l1.exe
2009-07-26 04:04 . 2009-07-26 04:04 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
2009-07-26 03:05 . 2009-07-26 03:05 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-07-25 17:58 . 2009-07-25 17:58 -------- d-----w- c:\program files\Bejeweled 2 Deluxe
2009-07-25 17:52 . 2009-07-27 05:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\BitTorrent
2009-07-24 18:44 . 2008-03-05 20:03 479752 ----a-w- c:\windows\system32\XAudio2_0.dll
2009-07-24 18:43 . 2005-05-26 19:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2009-07-24 18:42 . 2009-07-24 18:42 -------- d-----w- c:\windows\Logs
2009-07-24 17:39 . 2009-07-24 17:39 -------- d-----w- c:\program files\Redbana
2009-07-24 17:39 . 2009-07-24 17:39 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-24 17:38 . 2009-07-24 17:38 -------- d-----w- c:\program files\Common Files\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-30 21:18 . 2008-07-29 02:29 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-30 21:18 . 2008-06-11 19:47 768 ----a-w- c:\windows\system32\d3d8caps.dat
2009-07-30 07:46 . 2008-06-01 03:47 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-30 03:21 . 2000-12-06 08:52 16 -c--a-w- c:\windows\popcinfo.dat
2009-07-29 19:52 . 2009-06-01 06:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-29 19:09 . 2000-11-17 21:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-07-27 14:31 . 2004-08-04 12:00 212480 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-07-27 01:45 . 2008-05-24 02:51 12912 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-26 20:51 . 2009-07-26 20:51 0 ----a-w- c:\windows\system32\drivers\SETD.tmp
2009-07-13 17:36 . 2009-06-01 06:01 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 17:36 . 2009-06-01 06:01 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-16 14:55 . 2004-08-04 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-07 14:10 . 2008-07-13 03:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2009-06-07 14:02 . 2008-07-13 03:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-06-03 19:27 . 2004-08-04 12:00 1290752 ----a-w- c:\windows\system32\quartz.dll
2009-05-19 22:10 . 2009-05-19 22:10 143864 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\flower-paradise_s1_l1_gF5012T1L1_d589772138.exe
2009-05-19 22:10 . 2009-05-19 22:10 2319528 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\clientinstaller\bfgsetup_s1_l1.exe
2009-05-07 15:44 . 2004-08-04 12:00 344064 ----a-w- c:\windows\system32\localspl.dll
2009-07-27 01:04 . 2008-08-26 18:44 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
- 2009-07-27 20:04 . 2009-07-29 18:56 32768 c:\windows\system32\config\systemprofile\UserData\index.dat
+ 2009-07-27 20:04 . 2009-07-31 09:47 32768 c:\windows\system32\config\systemprofile\UserData\index.dat
+ 2009-07-31 09:47 . 2009-07-31 09:48 65536 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-31 04:03 . 2009-07-31 10:07 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009073120090801\index.dat
+ 2009-07-30 04:53 . 2009-07-31 03:18 49152 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009073020090731\index.dat
+ 2009-07-29 17:40 . 2009-07-30 03:36 49152 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009072920090730\index.dat
+ 2009-07-27 14:27 . 2009-07-31 09:50 98304 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-07-27 14:27 . 2009-07-29 18:56 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-07-27 14:27 . 2009-07-31 09:47 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{58101905-D80F-4788-96F6-98618186178A}"= "c:\windows\system32\flashad32.dll" [2009-07-27 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt64chain]
2009-07-27 14:28 59904 ----a-w- c:\windows\system32\classapi64.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R3 neo20xx;neo20xx;c:\windows\system32\drivers\neo20xx.sys [11/16/2000 7:02 PM 39264]
R3 wdm_nm6;NeoMagic MagicMedia 256 + AC97 Driver (WDM);c:\windows\system32\drivers\nm6wdm.sys [11/16/2000 7:02 PM 87040]
R3 WPC54Gv3;Linksys Wireless Notebook Adapter WPC54Gv3 Driver;c:\windows\system32\drivers\WPC54Gv3.SYS [12/1/2006 12:54 AM 610816]
S2 MSMQSVC;Message Queuing Service;c:\windows\system32\mqsv32.exe --> c:\windows\system32\mqsv32.exe [?]
S3 atimtai;atimtai;c:\windows\system32\drivers\atimtai.sys [11/24/2007 11:27 AM 281600]
S3 CBEN5;Xircom CardBus Ethernet 10/100 Adapter family Driver;c:\windows\system32\drivers\cben5.sys [11/24/2007 11:27 AM 46108]
S3 maestro;ESS Maestro 3 Audio Driver (WDM);c:\windows\system32\drivers\es198x.sys [11/24/2007 11:26 AM 174464]
S3 XDva280;XDva280;\??\c:\windows\system32\XDva280.sys --> c:\windows\system32\XDva280.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - {79007602-0CDB-4405-9DBF-1257BB3226ED}
*NewlyCreated* - {79007602-0CDB-4405-9DBF-1257BB3226EE}
*Deregistered* - {79007602-0CDB-4405-9DBF-1257BB3226ED}
.
Contents of the 'Scheduled Tasks' folder

2009-07-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 21:57]
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-HookURL - (no file)
URLSearchHooks-Rank - (no file)
HKCU-Run-Aim6 - (no file)


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Administrator\Start Menu\Programs\IMVU\Run IMVU.lnk
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ny0z0or0.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 51436
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ny0z0or0.default\extensions\activegs@freetoolsassociation.com\plugins\npActiveGS.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-07-31 06:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\FontCache3.0.0.0]
"ImagePath"="c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Fs_Rec]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Ftdisk]
"ImagePath"="system32\DRIVERS\ftdisk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Gpc]
"ImagePath"="system32\DRIVERS\msgpc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\helpsvc]
"ServiceDll"="%WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\HidServ]
"ServiceDll"="%SystemRoot%\System32\hidserv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\HidUsb]
"ImagePath"="system32\DRIVERS\hidusb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\hpn]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\HTTP]
"ImagePath"="System32\Drivers\HTTP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\HTTPFilter]
"ServiceDll"="%SystemRoot%\System32\w3ssl.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\i2omgmt]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\i2omp]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\i8042prt]
"ImagePath"="system32\DRIVERS\i8042prt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\idsvc]
"ImagePath"="\"c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Imapi]
"ImagePath"="system32\DRIVERS\imapi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\ImapiService]
"ImagePath"="%systemroot%\system32\imapi.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\inetaccs]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\ini910u]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Inport]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\IntelIde]
"ImagePath"="system32\DRIVERS\intelide.sys"


Re: system security

Post by andrewvanderhevel on Sun Aug 02, 2009 4:59 pm

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Ip6Fw]
"ImagePath"="system32\DRIVERS\Ip6Fw.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\IpFilterDriver]
"ImagePath"="system32\DRIVERS\ipfltdrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\IpInIp]
"ImagePath"="system32\DRIVERS\ipinip.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\IpNat]
"ImagePath"="system32\DRIVERS\ipnat.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\IPSec]
"ImagePath"="system32\DRIVERS\ipsec.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\IRENUM]
"ImagePath"="system32\DRIVERS\irenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\ISAPISearch]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\isapnp]
"ImagePath"="system32\DRIVERS\isapnp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Kbdclass]
"ImagePath"="system32\DRIVERS\kbdclass.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\kmixer]
"ImagePath"="system32\drivers\kmixer.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\KSecDD]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\lanmanserver]
"ServiceDll"="%SystemRoot%\System32\srvsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\lanmanworkstation]
"ServiceDll"="%SystemRoot%\System32\wkssvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\lbrtfdc]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\ldap]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\LicenseService]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\LmHosts]
"ServiceDll"="%SystemRoot%\System32\lmhsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\maestro]
"ImagePath"="system32\drivers\es198x.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Messenger]
"ServiceDll"="%SystemRoot%\System32\msgsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\mnmdd]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\mnmsrvc]
"ImagePath"="c:\windows\system32\mnmsrvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Modem]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Mouclass]
"ImagePath"="system32\DRIVERS\mouclass.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\mouhid]
"ImagePath"="system32\DRIVERS\mouhid.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\MountMgr]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\mraid35x]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\MRxDAV]
"ImagePath"="system32\DRIVERS\mrxdav.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\MRxSmb]
"ImagePath"="system32\DRIVERS\mrxsmb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\MSDTC]
"ImagePath"="c:\windows\system32\msdtc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\MSDTC Bridge 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Msfs]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\MSIServer]
"ImagePath"="%systemroot%\system32\msiexec.exe /V"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\MSKSSRV]
"ImagePath"="system32\drivers\MSKSSRV.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\MSMQSVC]
"ImagePath"="c:\windows\system32\mqsv32.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\MSPCLOCK]
"ImagePath"="system32\drivers\MSPCLOCK.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\MSPQM]
"ImagePath"="system32\drivers\MSPQM.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\mssmbios]
"ImagePath"="system32\DRIVERS\mssmbios.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Mup]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\NDIS]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\NdisTapi]
"ImagePath"="system32\DRIVERS\ndistapi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Ndisuio]
"ImagePath"="system32\DRIVERS\ndisuio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\NdisWan]
"ImagePath"="system32\DRIVERS\ndiswan.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\NDProxy]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\neo20xx]
"ImagePath"="system32\DRIVERS\neo20xx.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\NetBIOS]
"ImagePath"="system32\DRIVERS\netbios.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\NetBT]
"ImagePath"="system32\DRIVERS\netbt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\NetDDE]
"ImagePath"="%SystemRoot%\system32\netdde.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\NetDDEdsdm]
"ImagePath"="%SystemRoot%\system32\netdde.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Netlogon]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Netman]
"ServiceDll"="%SystemRoot%\System32\netman.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\NetTcpPortSharing]
"ImagePath"="\"c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Nla]
"ServiceDll"="%SystemRoot%\System32\mswsock.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Npfs]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Ntfs]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\NtLmSsp]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\NtmsSvc]
"ServiceDll"="%SystemRoot%\system32\ntmssvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Null]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\NwlnkFlt]
"ImagePath"="system32\DRIVERS\nwlnkflt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\NwlnkFwd]
"ImagePath"="system32\DRIVERS\nwlnkfwd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\P3]
"ImagePath"="system32\DRIVERS\p3.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Parport]
"ImagePath"="system32\DRIVERS\parport.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\PartMgr]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\ParVdm]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\PCI]
"ImagePath"="system32\DRIVERS\pci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\PCIDump]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\PCIIde]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Pcmcia]
"ImagePath"="system32\DRIVERS\pcmcia.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\PDCOMP]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\PDFRAME]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\PDRELI]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\PDRFRAME]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\perc2]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\perc2hib]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\PerfDisk]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\PerfNet]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\PerfOS]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\PerfProc]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\PlugPlay]
"ImagePath"="%SystemRoot%\system32\services.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\PolicyAgent]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\PptpMiniport]
"ImagePath"="system32\DRIVERS\raspptp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\ProtectedStorage]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\PSched]
"ImagePath"="system32\DRIVERS\psched.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Ptilink]
"ImagePath"="system32\DRIVERS\ptilink.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\ql1080]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Ql10wnt]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\ql12160]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\ql1240]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\ql1280]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\RasAcd]
"ImagePath"="system32\DRIVERS\rasacd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\RasAuto]
"ServiceDll"="%SystemRoot%\System32\rasauto.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Rasl2tp]
"ImagePath"="system32\DRIVERS\rasl2tp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\RasMan]
"ServiceDll"="%SystemRoot%\System32\rasmans.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\RasPppoe]
"ImagePath"="system32\DRIVERS\raspppoe.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Raspti]
"ImagePath"="system32\DRIVERS\raspti.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Rdbss]
"ImagePath"="system32\DRIVERS\rdbss.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\RDPCDD]
"ImagePath"="System32\DRIVERS\RDPCDD.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\RDPDD]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\rdpdr]
"ImagePath"="system32\DRIVERS\rdpdr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\RDPNP]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\RDPWD]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\RDSessMgr]
"ImagePath"="c:\windows\system32\sessmgr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\redbook]
"ImagePath"="system32\DRIVERS\redbook.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\RemoteAccess]
"ServiceDll"="%SystemRoot%\System32\mprdim.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\RemoteRegistry]
"ServiceDll"="%SystemRoot%\system32\regsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\RpcLocator]
"ImagePath"="%SystemRoot%\system32\locator.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\RpcSs]
"ServiceDll"="%SystemRoot%\System32\rpcss.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\RSVP]
"ImagePath"="%SystemRoot%\system32\rsvp.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\SamSs]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\SCardSvr]
"ImagePath"="%SystemRoot%\System32\SCardSvr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Schedule]
"ServiceDll"="%SystemRoot%\system32\schedsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Secdrv]
"ImagePath"="system32\DRIVERS\secdrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\seclogon]
"ServiceDll"="%SystemRoot%\System32\seclogon.dll"


Re: system security

Post by andrewvanderhevel on Sun Aug 02, 2009 4:59 pm

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\SENS]
"ServiceDll"="%SystemRoot%\system32\sens.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\serenum]
"ImagePath"="system32\DRIVERS\serenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Serial]
"ImagePath"="system32\DRIVERS\serial.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\ServiceModelEndpoint 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\ServiceModelOperation 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\ServiceModelService 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Sfloppy]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\SharedAccess]
"ServiceDll"="%SystemRoot%\System32\ipnathlp.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\ShellHWDetection]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Simbad]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\SMSvcHost 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Sparrow]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\splitter]
"ImagePath"="system32\drivers\splitter.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Spooler]
"ImagePath"="%SystemRoot%\system32\spoolsv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\sr]
"ImagePath"="system32\DRIVERS\sr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\srservice]
"ServiceDll"="%SystemRoot%\system32\srsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Srv]
"ImagePath"="system32\DRIVERS\srv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\SSDPSRV]
"ServiceDll"="%SystemRoot%\System32\ssdpsrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\stisvc]
"ServiceDll"="%SystemRoot%\system32\wiaservc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\swenum]
"ImagePath"="system32\DRIVERS\swenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\swmidi]
"ImagePath"="system32\drivers\swmidi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\SwPrv]
"ImagePath"="c:\windows\system32\dllhost.exe /Processid:{8F216BE2-D942-417C-898C-422DCA2B8A80}"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\symc810]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\symc8xx]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\sym_hi]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\sym_u3]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\sysaudio]
"ImagePath"="system32\drivers\sysaudio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\SysmonLog]
"ImagePath"="%SystemRoot%\system32\smlogsvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\TapiSrv]
"ServiceDll"="%SystemRoot%\System32\tapisrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Tcpip]
"ImagePath"="system32\DRIVERS\tcpip.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\TDPIPE]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\TDTCP]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\TermDD]
"ImagePath"="system32\DRIVERS\termdd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\TermService]
"ServiceDll"="%SystemRoot%\System32\termsrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Themes]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\TlntSvr]
"ImagePath"="c:\windows\system32\tlntsvr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\TosIde]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\TrkWks]
"ServiceDll"="%SystemRoot%\system32\trkwks.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\TSDDD]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Udfs]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\ultra]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Update]
"ImagePath"="system32\DRIVERS\update.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\upnphost]
"ServiceDll"="%SystemRoot%\System32\upnphost.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\UPS]
"ImagePath"="%SystemRoot%\System32\ups.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\usbccgp]
"ImagePath"="system32\DRIVERS\usbccgp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\usbhub]
"ImagePath"="system32\DRIVERS\usbhub.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\usbprint]
"ImagePath"="system32\DRIVERS\usbprint.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\USBSTOR]
"ImagePath"="system32\DRIVERS\USBSTOR.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\usbuhci]
"ImagePath"="system32\DRIVERS\usbuhci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\VgaSave]
"ImagePath"="\SystemRoot\System32\drivers\vga.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\ViaIde]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\VolSnap]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\VSS]
"ImagePath"="%SystemRoot%\System32\vssvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\VxD]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\W32Time]
"ServiceDll"="%systemroot%\system32\w32time.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\W3SVC]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Wanarp]
"ImagePath"="system32\DRIVERS\wanarp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\wanatw]
"ImagePath"="system32\DRIVERS\wanatw4.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\WDICA]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\wdmaud]
"ImagePath"="system32\drivers\wdmaud.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\wdm_nm6]
"ImagePath"="system32\drivers\nm6wdm.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\WebClient]
"ServiceDll"="%SystemRoot%\System32\webclnt.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Windows Workflow Foundation 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\winmgmt]
"ServiceDll"="%SystemRoot%\system32\wbem\WMIsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Winsock]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\WinSock2]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\WinTrust]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\WmdmPmSN]
"ServiceDll"="c:\windows\system32\MsPMSNSv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Wmi]
"ServiceDll"="%SystemRoot%\System32\advapi32.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\WmiApRpl]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\WmiApSrv]
"ImagePath"="c:\windows\system32\wbem\wmiapsrv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\WMPNetworkSvc]
"ImagePath"="\"c:\program files\Windows Media Player\WMPNetwk.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\WPC54Gv3]
"ImagePath"="system32\DRIVERS\WPC54Gv3.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\WpdUsb]
"ImagePath"="system32\DRIVERS\wpdusb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\WS2IFSL]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\wscsvc]
"ServiceDll"="%SYSTEMROOT%\system32\wscsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\wuauserv]
"ServiceDll"="c:\windows\system32\wuauserv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\WudfPf]
"ImagePath"="system32\DRIVERS\WudfPf.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\WudfRd]
"ImagePath"="system32\DRIVERS\wudfrd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\WudfSvc]
"ServiceDll"="%SystemRoot%\System32\WUDFSvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\WZCSVC]
"ServiceDll"="%SystemRoot%\System32\wzcsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\XDva280]
"ImagePath"="\??\c:\windows\system32\XDva280.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\xmlprov]
"ServiceDll"="%SystemRoot%\System32\xmlprov.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\{6DB9D208-7474-433A-8C11-1820C1762E1B}]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\{8ABCE56B-A335-4FEF-A0A9-FAA32C639058}]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\{C854615E-02D9-4DE1-AFE5-A87B06A611AC}]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\{EE455A9B-55F4-433F-8EDA-897D949A5095}]

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\{F005C884-A84E-4BDF-BB6D-8AA32E45FD82}]
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(628)
c:\windows\system32\classapi64.dll

- - - - - - - > 'explorer.exe'(4228)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-31 6:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-31 10:21
ComboFix2.txt 2009-07-29 19:05

Pre-Run: 507,899,904 bytes free
Post-Run: 518,324,224 bytes free

Current=5 Default=5 Failed=3 LastKnownGood=1 Sets=1,3,4,5
570 --- E O F --- 2009-07-30 07:05

andrewvanderhevel

Re: system security

Post by Origin on Sun Aug 02, 2009 8:02 pm

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.



Origin

Re: system security

Post by andrewvanderhevel on Wed Aug 26, 2009 9:36 am

Hello, my computer has been running really poorly and some programs haven't been opening and things like that. I ran MBAM and it came back negative. Here is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:31:18 AM, on 8/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Linksys\WMP110\gtwpssrv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys\WMP110\WLSngS.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\FRAPS\FRAPS.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\DOCUME~1\ili\LOCALS~1\Temp\IXP110.TMP\SetupAdmin.exe
C:\WINDOWS\system32\MsiExec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: RefresherBand Class - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\PROGRA~1\YREFRE~1\YREFRE~1.DLL
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Fraps] C:\FRAPS\FRAPS.EXE
O4 - HKUS\S-1-5-21-299502267-1580436667-1343024091-501\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot (User 'Guest')
O4 - HKUS\S-1-5-21-299502267-1580436667-1343024091-501\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe (User 'Guest')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe (User 'Default user')

andrewvanderhevel

Re: system security

Post by andrewvanderhevel on Wed Aug 26, 2009 9:36 am

O4 - S-1-5-21-299502267-1580436667-1343024091-501 Startup: IMVU.lnk = C:\Program Files\IMVU\IMVUClient.exe (User 'Guest')
O4 - S-1-5-21-299502267-1580436667-1343024091-501 User Startup: IMVU.lnk = C:\Program Files\IMVU\IMVUClient.exe (User 'Guest')
O4 - S-1-5-18 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'SYSTEM')
O4 - S-1-5-18 Startup: Sid Registration.lnk = D:\ATR1.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
O4 - .DEFAULT Startup: Sid Registration.lnk = D:\ATR1.exe (User 'Default user')
O4 - .DEFAULT Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Sid Registration.lnk = D:\ATR1.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Yahoo! Search - [You must be registered and logged in to see this link.] Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Yahoo! &Dictionary - [You must be registered and logged in to see this link.] Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - [You must be registered and logged in to see this link.] Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - [You must be registered and logged in to see this link.] Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\ili\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {1D082E71-DF20-4AAF-863B-596428C49874} (TPIR Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} (Brickout Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {377FF862-62E0-4F33-B6E5-F58E0BC0F209} (NlsComm Component Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - [You must be registered and logged in to see this link.]
O16 - DPF: {42FDC231-A411-45F8-B8B6-3B5026111DA8} (SolitaireRush Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} (Kdfense8 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {BA35B9B8-DE9E-47C9-AFA7-3C77E3DDFD39} (Monopoly Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tilecity Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {C5326A4D-E9AA-40AD-A09A-E74304D86B47} (DinerDash Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {C82BB209-F528-46F9-96D5-69DEF7260916} (MysteryPI Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {CEE326E8-7571-4086-B347-3C0ACA9A9DE8} (PcubeSet Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {D6440B15-8FD8-455C-AE55-8D3198F49638} (ExcuteHbsAudition Class) - [You must be registered and logged in to see this link.]
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GTWPSSRV (GTWPSService) - Unknown owner - C:\Program Files\Linksys\WMP110\gtwpssrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\Linksys\WMP110\jswpsapi.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\System32\HPZipm12.exe (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - Unknown owner - C:\Program Files\Spyware Doctor\sdhelp.exe (file missing)
O23 - Service: WLSng Service - TODO: - C:\Program Files\Linksys\WMP110\WLSngS.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 16032 bytes
thanks for your time

andrewvanderhevel

Re: system security

Post by Origin on Sat Aug 29, 2009 11:06 pm


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the reports to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt just yet.



Origin

Re: system security

Post by Belahzur on Sat Aug 29, 2009 11:22 pm

Hello.

Your system is severely infected. The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible, since it would be like searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware has already caused.

In light of this, it would be wise for you to back up any files and folders that you don't want to lose before we start. The reason I am telling you this is that when a system is so terribly infected and we try to clean it up manually, the damage that is already present may interfere with our removal attempts.

Actually, this doesn't surprise me at all...
I notice that you never scanned with an Antivirus previously before starting this thread - because you don't even have an Antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!!

* Please install Avira Antivirus: [You must be registered and logged in to see this link.]
This is a free Antivirus.

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There, double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply.
Then we'll start from there, because it really makes no sense otherwise for us to clean this up manually if an antivirus scanner is not present, which should be able to deal with most of it and prevent further reinfection.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Re: system security

Post by andrewvanderhevel on Tue Sep 01, 2009 7:09 am

Avira AntiVir Personal
Report file date: Tuesday, September 01, 2009 00:50

Scanning for 1675275 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : ILI-RCNXYVOT0SI

Version information:
BUILD.DAT : 9.0.0.407 17961 Bytes 7/29/2009 10:34:00
AVSCAN.EXE : 9.0.3.7 466689 Bytes 7/21/2009 18:36:14
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 15:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 16:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 15:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 17:30:36
ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 14:21:42
ANTIVIR2.VDF : 7.1.5.146 3087360 Bytes 8/21/2009 04:47:36
ANTIVIR3.VDF : 7.1.5.188 393728 Bytes 8/31/2009 04:47:37
Engineversion : 8.2.1.7
AEVDF.DLL : 8.1.1.1 106868 Bytes 7/28/2009 18:31:50
AESCRIPT.DLL : 8.1.2.26 463227 Bytes 9/1/2009 04:47:39
AESCN.DLL : 8.1.2.4 127348 Bytes 7/23/2009 14:59:39
AERDL.DLL : 8.1.2.4 430452 Bytes 7/23/2009 14:59:39
AEPACK.DLL : 8.1.3.18 401783 Bytes 7/28/2009 18:31:50
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 7/23/2009 14:59:39
AEHEUR.DLL : 8.1.0.155 1921400 Bytes 9/1/2009 04:47:38
AEHELP.DLL : 8.1.6.0 233846 Bytes 9/1/2009 04:47:37
AEGEN.DLL : 8.1.1.59 356725 Bytes 9/1/2009 04:47:37
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 19:32:40
AECORE.DLL : 8.1.7.6 184694 Bytes 7/23/2009 14:59:39
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 19:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 13:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 15:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 19:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 15:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 20:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 15:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 20:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 13:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 15:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 20:39:58
RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 15:19:48

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: C:\Program Files\Avira\AntiVir Desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +APPL,+GAME,

Start of the scan: Tuesday, September 01, 2009 00:50

Starting search for hidden objects.
'84868' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'msiexec.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'aim6.exe' - '1' Module(s) have been scanned
Scan process 'aolsoftware.exe' - '1' Module(s) have been scanned
Scan process 'SearchProtection.exe' - '1' Module(s) have been scanned
Scan process 'tfswctrl.exe' - '1' Module(s) have been scanned
Scan process 'UnlockerAssistant.exe' - '1' Module(s) have been scanned
Scan process 'GrooveMonitor.exe' - '1' Module(s) have been scanned
Scan process 'ashDisp.exe' - '1' Module(s) have been scanned
Scan process 'YahooAUService.exe' - '1' Module(s) have been scanned
Scan process 'WLSngS.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'snmp.exe' - '1' Module(s) have been scanned
Scan process 'LVPrcSrv.exe' - '1' Module(s) have been scanned
Scan process 'gtwpssrv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
36 processes with 36 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '73' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Audition\audition3.zip
[0] Archive type: ZIP
--> audition3.2000/3/MessengerDBAgent.exe
[DETECTION] Is the TR/Unpacked.Gen Trojan
--> audition3.2000/4/ItemDBServer.exe
[DETECTION] Is the TR/Unpacked.Gen Trojan
--> audition3.2000/5/MessengerServer.exe
[DETECTION] Is the TR/Unpacked.Gen Trojan
--> audition3.2000/6/AuditionLoginServerD.exe
[DETECTION] Is the TR/Unpacked.Gen Trojan
--> audition3.2000/7/AuditionGameServerD.exe
[DETECTION] Is the TR/Unpacked.Gen Trojan
C:\Audition\Database\AU3.25.rar
[0] Archive type: RAR
--> AuditionGameServer\AuditionGameServerD.exe
[DETECTION] Is the TR/Unpacked.Gen Trojan
--> itemdbserver\ItemDBServer.exe
[DETECTION] Is the TR/Unpacked.Gen Trojan
--> LoginServer\AuditionLoginServerD.exe
[DETECTION] Is the TR/Unpacked.Gen Trojan
C:\Audition\Server files\AU3.25.rar
[0] Archive type: RAR
--> AuditionGameServer\AuditionGameServerD.exe
[DETECTION] Is the TR/Unpacked.Gen Trojan
--> itemdbserver\ItemDBServer.exe
[DETECTION] Is the TR/Unpacked.Gen Trojan
--> LoginServer\AuditionLoginServerD.exe
[DETECTION] Is the TR/Unpacked.Gen Trojan
C:\Documents and Settings\ili\Application Data\BIT2C.tmp
[DETECTION] Is the TR/FakeRean.A.9 Trojan
C:\Documents and Settings\ili\Application Data\Sun\Java\Deployment\cache\6.0\21\5b7fd6d5-3c2b3c20
[DETECTION] Contains recognition pattern of the JAVA/BlackBox.AA.2 Java virus
C:\Documents and Settings\ili\Application Data\Sun\Java\Deployment\cache\6.0\21\5b7fd6d5-44514a58
[DETECTION] Contains recognition pattern of the JAVA/BlackBox.AA.2 Java virus
C:\Documents and Settings\ili\Application Data\Sun\Java\Deployment\cache\6.0\23\6622be57-2a951797
[DETECTION] Contains recognition pattern of the JAVA/BlackBox.AA.2 Java virus
C:\Documents and Settings\ili\Application Data\Sun\Java\Deployment\cache\6.0\23\6622be57-7dcf70a4
[DETECTION] Contains recognition pattern of the JAVA/BlackBox.AA.2 Java virus
C:\Documents and Settings\ili\Application Data\Sun\Java\Deployment\cache\6.0\30\518dc01e-26f24935
[DETECTION] Contains recognition pattern of the JAVA/BlackBox.AA.2 Java virus
C:\Documents and Settings\ili\Application Data\Sun\Java\Deployment\cache\6.0\30\518dc01e-4b7198b4
[DETECTION] Contains recognition pattern of the JAVA/BlackBox.AA.2 Java virus
C:\Documents and Settings\ili\Application Data\Sun\Java\Deployment\cache\6.0\52\6b28d634-126ebd55
[DETECTION] Contains recognition pattern of the JAVA/BlackBox.AA.2 Java virus
C:\Documents and Settings\ili\Application Data\Sun\Java\Deployment\cache\6.0\52\6b28d634-5d220769
[DETECTION] Contains recognition pattern of the JAVA/BlackBox.AA.2 Java virus
C:\Documents and Settings\ili\Application Data\Sun\Java\Deployment\cache\6.0\56\3105b5b8-22660ae2
[DETECTION] Contains recognition pattern of the JAVA/Dldr.Agent.B Java virus
C:\Documents and Settings\ili\Application Data\Sun\Java\Deployment\cache\6.0\56\3105b5b8-482f464c
[DETECTION] Contains recognition pattern of the JAVA/Dldr.Agent.B Java virus
C:\Documents and Settings\ili\Desktop\Shit\Reflexive\FFF-ReflexV3.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
C:\Documents and Settings\ili\Desktop\tools\Flash_Disinfector.exe
[0] Archive type: RAR SFX (self extracting)
--> nircmd.exe
[DETECTION] Contains recognition pattern of the APPL/NirCmd.2 application
C:\Documents and Settings\ili\Desktop\tools\SDFix.exe
[DETECTION] Contains recognition pattern of the APPL/PrcView.E application
C:\Program Files\Common Files\Enterbrain\RGSS\Standard\Graphics.exe
[0] Archive type: CAB SFX (self extracting)
--> Graphics\Animations\002-Action02.png
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Qoobox\Quarantine\C\Documents and Settings\ili\Application Data\pcdefender.exe.vir
[DETECTION] Is the TR/FakeRean.A.9 Trojan
C:\Qoobox\Quarantine\C\WINDOWS\win3202132922767-12006.exe.vir
[DETECTION] Is the TR/Dldr.VB.aga Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\adrotate.dll.vir
[DETECTION] Contains recognition pattern of the ADSPY/TrafficSol.A adware or spyware
C:\Qoobox\Quarantine\C\WINDOWS\system32\baloon.exe.vir
[DETECTION] Is the TR/Dropper.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\cfrog.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\gxvxcjaoyrdqcmoptxelphcxeyordxlatackt.dll.vir
[DETECTION] Is the TR/TDss.acdc Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\klomp.exe.vir
[DETECTION] Is the TR/Dldr.Agent.OLK Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\LinkSave.Droper.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\mqapi.exe.vir
[0] Archive type: NSIS
--> ProgramFilesDir/jah34717.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\rasha.exe.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\gxvxctakdvpwxstotdygaybarsmdoujyoynkc.sys.vir
[DETECTION] Contains recognition pattern of the RKIT/Agent.kqe root kit
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\msqpdxmaxtoeqh.sys.vir
[DETECTION] Is the TR/Rootkit.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\msqpdxosvdnrsr.sys.vir
[DETECTION] Is the TR/Rootkit.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\msqpdxserv.sys.vir
[DETECTION] Is the TR/Rootkit.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_msqpdxmxfeoitu_.sys.zip
[0] Archive type: ZIP
--> msqpdxmxfeoitu.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
C:\System Volume Information\_restore{A8CA578B-CB5B-4D0B-91F5-17A24253077B}\RP170\A0084789.exe
[DETECTION] Is the TR/Agent.417280.B Trojan
C:\System Volume Information\_restore{A8CA578B-CB5B-4D0B-91F5-17A24253077B}\RP170\A0084793.exe
[DETECTION] Contains recognition pattern of the DR/Delphi.Gen dropper
C:\System Volume Information\_restore{A8CA578B-CB5B-4D0B-91F5-17A24253077B}\RP170\A0084794.exe
[DETECTION] Contains recognition pattern of the DR/Delphi.Gen dropper
C:\System Volume Information\_restore{A8CA578B-CB5B-4D0B-91F5-17A24253077B}\RP170\A0084795.exe
[DETECTION] Contains recognition pattern of the DR/Delphi.Gen dropper
C:\System Volume Information\_restore{A8CA578B-CB5B-4D0B-91F5-17A24253077B}\RP181\A0088217.exe
[DETECTION] Is the TR/Trash.Gen Trojan
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ZOEHOFHC\pass3471[1].exe
[0] Archive type: NSIS
--> ProgramFilesDir/jah34717.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!


Re: system security

Post by andrewvanderhevel on Tue Sep 01, 2009 7:10 am

Beginning disinfection:
C:\Audition\audition3.zip
[NOTE] The file was moved to '4b00c6e2.qua'!
C:\Audition\Database\AU3.25.rar
[NOTE] The file was moved to '4acfc6c3.qua'!
C:\Audition\Server files\AU3.25.rar
[NOTE] The file was moved to '4acfc6c4.qua'!
C:\Documents and Settings\ili\Application Data\BIT2C.tmp
[DETECTION] Is the TR/FakeRean.A.9 Trojan
[NOTE] The file was moved to '4af0c6c0.qua'!
C:\Documents and Settings\ili\Application Data\Sun\Java\Deployment\cache\6.0\21\5b7fd6d5-3c2b3c20
[DETECTION] Contains recognition pattern of the JAVA/BlackBox.AA.2 Java virus
[NOTE] The file was moved to '4ad3c6d9.qua'!
C:\Documents and Settings\ili\Application Data\Sun\Java\Deployment\cache\6.0\21\5b7fd6d5-44514a58
[DETECTION] Contains recognition pattern of the JAVA/BlackBox.AA.2 Java virus
[NOTE] The file was moved to '4994b9ba.qua'!
C:\Documents and Settings\ili\Application Data\Sun\Java\Deployment\cache\6.0\23\6622be57-2a951797
[DETECTION] Contains recognition pattern of the JAVA/BlackBox.AA.2 Java virus
[NOTE] The file was moved to '4acec6ad.qua'!
C:\Documents and Settings\ili\Application Data\Sun\Java\Deployment\cache\6.0\23\6622be57-7dcf70a4
[DETECTION] Contains recognition pattern of the JAVA/BlackBox.AA.2 Java virus
[NOTE] The file was moved to '49845016.qua'!
C:\Documents and Settings\ili\Application Data\Sun\Java\Deployment\cache\6.0\30\518dc01e-26f24935
[DETECTION] Contains recognition pattern of the JAVA/BlackBox.AA.2 Java virus
[NOTE] The file was moved to '4ad4c6a8.qua'!
C:\Documents and Settings\ili\Application Data\Sun\Java\Deployment\cache\6.0\30\518dc01e-4b7198b4
[DETECTION] Contains recognition pattern of the JAVA/BlackBox.AA.2 Java virus
[NOTE] The file was moved to '4ad4c6a9.qua'!
C:\Documents and Settings\ili\Application Data\Sun\Java\Deployment\cache\6.0\52\6b28d634-126ebd55
[DETECTION] Contains recognition pattern of the JAVA/BlackBox.AA.2 Java virus
[NOTE] The file was moved to '4acec6da.qua'!
C:\Documents and Settings\ili\Application Data\Sun\Java\Deployment\cache\6.0\52\6b28d634-5d220769
[DETECTION] Contains recognition pattern of the JAVA/BlackBox.AA.2 Java virus
[NOTE] The file was moved to '499d1023.qua'!
C:\Documents and Settings\ili\Application Data\Sun\Java\Deployment\cache\6.0\56\3105b5b8-22660ae2
[DETECTION] Contains recognition pattern of the JAVA/Dldr.Agent.B Java virus
[NOTE] The file was moved to '4accc6a9.qua'!
C:\Documents and Settings\ili\Application Data\Sun\Java\Deployment\cache\6.0\56\3105b5b8-482f464c
[DETECTION] Contains recognition pattern of the JAVA/Dldr.Agent.B Java virus
[NOTE] The file was moved to '498060e2.qua'!
C:\Documents and Settings\ili\Desktop\Shit\Reflexive\FFF-ReflexV3.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
[NOTE] The file was moved to '4ae2c6be.qua'!
C:\Documents and Settings\ili\Desktop\tools\Flash_Disinfector.exe
[NOTE] The file was moved to '4afdc6e5.qua'!
C:\Documents and Settings\ili\Desktop\tools\SDFix.exe
[DETECTION] Contains recognition pattern of the APPL/PrcView.E application
[NOTE] The file was moved to '4ae2c6bd.qua'!
C:\Qoobox\Quarantine\C\Documents and Settings\ili\Application Data\pcdefender.exe.vir
[DETECTION] Is the TR/FakeRean.A.9 Trojan
[NOTE] The file was moved to '4b00c6dd.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\win3202132922767-12006.exe.vir
[DETECTION] Is the TR/Dldr.VB.aga Trojan
[NOTE] The file was moved to '4b0ac6e4.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\adrotate.dll.vir
[DETECTION] Contains recognition pattern of the ADSPY/TrafficSol.A adware or spyware
[NOTE] The file was moved to '4b0ec6e0.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\baloon.exe.vir
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '4b08c6dd.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\cfrog.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '4b0ec6e2.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\gxvxcjaoyrdqcmoptxelphcxeyordxlatackt.dll.vir
[DETECTION] Is the TR/TDss.acdc Trojan
[NOTE] The file was moved to '4b12c6f4.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\klomp.exe.vir
[DETECTION] Is the TR/Dldr.Agent.OLK Trojan
[NOTE] The file was moved to '4b0bc6e8.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\LinkSave.Droper.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '4b0ac6e5.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\mqapi.exe.vir
[NOTE] The file was moved to '4afdc6ed.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\rasha.exe.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4b0fc6de.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\gxvxctakdvpwxstotdygaybarsmdoujyoynkc.sys.vir
[DETECTION] Contains recognition pattern of the RKIT/Agent.kqe root kit
[NOTE] The file was moved to '4b12c6f5.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\msqpdxmaxtoeqh.sys.vir
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to '4b0dc6f0.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\msqpdxosvdnrsr.sys.vir
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to '486c8351.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\msqpdxserv.sys.vir
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to '4b0dc6f1.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_msqpdxmxfeoitu_.sys.zip
[NOTE] The file was moved to '4b0fc6eb.qua'!
C:\System Volume Information\_restore{A8CA578B-CB5B-4D0B-91F5-17A24253077B}\RP170\A0084789.exe
[DETECTION] Is the TR/Agent.417280.B Trojan
[NOTE] The file was moved to '4accc6ae.qua'!
C:\System Volume Information\_restore{A8CA578B-CB5B-4D0B-91F5-17A24253077B}\RP170\A0084793.exe
[DETECTION] Contains recognition pattern of the DR/Delphi.Gen dropper
[NOTE] The file was moved to '4accc6af.qua'!
C:\System Volume Information\_restore{A8CA578B-CB5B-4D0B-91F5-17A24253077B}\RP170\A0084794.exe
[DETECTION] Contains recognition pattern of the DR/Delphi.Gen dropper
[NOTE] The file was moved to '4accc6b8.qua'!
C:\System Volume Information\_restore{A8CA578B-CB5B-4D0B-91F5-17A24253077B}\RP170\A0084795.exe
[DETECTION] Contains recognition pattern of the DR/Delphi.Gen dropper
[NOTE] The file was moved to '4accc6c6.qua'!
C:\System Volume Information\_restore{A8CA578B-CB5B-4D0B-91F5-17A24253077B}\RP181\A0088217.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4accc6c8.qua'!
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ZOEHOFHC\pass3471[1].exe
[NOTE] The file was moved to '4b0fc6f9.qua'!


End of the scan: Tuesday, September 01, 2009 03:00
Used time: 1:58:11 Hour(s)

The scan has been done completely.

13807 Scanned directories
470662 Files were scanned
46 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
38 Files were moved to quarantine
0 Files were renamed
3 Files cannot be scanned
470613 Files not concerned
2700 Archives were scanned
5 Warnings
40 Notes
84868 Objects were scanned with rootkit scan
0 Hidden objects were found

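The Avira report above lists each finding under the file it was found in: archive members appear on "-->" lines and the verdict on the "[DETECTION]" line that follows. When reading such a report by hand it helps to separate what is still live on disk from what ComboFix had already moved to C:\Qoobox\Quarantine (the .vir files), what only sits in old System Restore points, and what is an exploit JAR left in the Java deployment cache. The Python script below is an added example written for this page, not a tool from the thread or from Avira. It parses that layout from a constructed excerpt (SAMPLE_REPORT, in the same format as the report above), groups the findings by location, and also lists the files the scanner could not open, since those were not cleared by the scan. The location categories and their names are this example's own choice.

```python
r"""Triage helper for an Avira AntiVir 9 report (added example, not from the thread).

Groups '[DETECTION]' findings by where the file lives, because location changes
what a finding means:
  * C:\Qoobox\Quarantine\...   -> already neutralised by ComboFix (.vir files)
  * System Volume Information  -> old System Restore points, inert until restored
  * Sun\Java\Deployment\cache  -> exploit JARs, evidence of how the box was hit
  * everything else            -> live on disk, the part to worry about
Files the scanner reports as "could not be opened" are collected separately:
they were not cleared by the scan.
"""
import re
from collections import defaultdict

# Constructed excerpt in the same layout as the Avira report in the thread.
SAMPLE_REPORT = r"""
Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\Audition\audition3.zip
[0] Archive type: ZIP
--> audition3.2000/3/MessengerDBAgent.exe
[DETECTION] Is the TR/Unpacked.Gen Trojan
--> audition3.2000/4/ItemDBServer.exe
[DETECTION] Is the TR/Unpacked.Gen Trojan
C:\Documents and Settings\ili\Application Data\BIT2C.tmp
[DETECTION] Is the TR/FakeRean.A.9 Trojan
C:\Documents and Settings\ili\Application Data\Sun\Java\Deployment\cache\6.0\21\5b7fd6d5-3c2b3c20
[DETECTION] Contains recognition pattern of the JAVA/BlackBox.AA.2 Java virus
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\msqpdxserv.sys.vir
[DETECTION] Is the TR/Rootkit.Gen Trojan
C:\System Volume Information\_restore{A8CA578B-CB5B-4D0B-91F5-17A24253077B}\RP170\A0084789.exe
[DETECTION] Is the TR/Agent.417280.B Trojan
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")            # a scanned file or archive
MEMBER_RE = re.compile(r"^--> (.+)$")             # a member inside an archive
DETECT_RE = re.compile(
    r"^\[DETECTION\] (?:Is the|Contains recognition pattern of the) (\S+)")
UNOPENED_RE = re.compile(r"^\[WARNING\] The file could not be opened!")


def classify(path):
    """Map a path to one of the location categories described in the docstring."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "combofix-quarantine"
    if "\\system volume information\\" in p:
        return "restore-point"
    if "\\sun\\java\\deployment\\cache\\" in p:
        return "java-cache"
    return "live"


def parse_report(text):
    """Return (findings, unscanned). Each finding is a dict with the container
    path, the archive member (None for plain files), the Avira name, its family
    prefix (TR, JAVA, RKIT, ...) and the location category."""
    findings, unscanned = [], []
    path, member = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            path, member = line, None          # new container resets the member
            continue
        m = MEMBER_RE.match(line)
        if m:
            member = m.group(1)
            continue
        m = DETECT_RE.match(line)
        if m and path:
            name = m.group(1)
            findings.append({"path": path, "member": member, "name": name,
                             "family": name.split("/")[0], "where": classify(path)})
        elif UNOPENED_RE.match(line) and path:
            unscanned.append(path)
    return findings, unscanned


def summarise(findings):
    """Group findings by location category."""
    by_where = defaultdict(list)
    for f in findings:
        by_where[f["where"]].append(f)
    return by_where


if __name__ == "__main__":
    found, skipped = parse_report(SAMPLE_REPORT)
    for where, items in sorted(summarise(found).items()):
        print(f"{where}: {len(items)}")
        for f in items:
            target = f["path"] + (f" -> {f['member']}" if f["member"] else "")
            print(f"  {f['name']:<24} {target}")
    print("not scanned:", *skipped, sep="\n  ")
```

To use it on a real report, pass the saved report's text to parse_report() instead of SAMPLE_REPORT; the "live" bucket is the one to act on first, and anything in the "not scanned" list is still unverified.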

Re: system security

Post by Belahzur on Tue Sep 01, 2009 5:13 pm

Hello.
Now that we have an AV on your system, please run ComboFix again. Before doing that, though, we'll need to disable Avira.

We need to disable your local AV (anti-virus) before running ComboFix.
See [You must be registered and logged in to see this link.] for how to disable your AV.




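The ComboFix report posted in the reply below has "Files Created" and "Find3M" sections in a fixed column layout: creation time, a dot, last-write time, size (or dashes for a directory), an eight-character attribute string ("d" for directory, "h" for hidden) and the path. The Python script below is an added example written for this page, not part of ComboFix or the thread. It parses that layout from a constructed excerpt (SAMPLE_ROWS, in the same format as the reply's log) and produces three shortlists a reviewer would check: executables written directly under c:\windows (ignoring the dllcache copies Windows File Protection keeps), hidden entries, and everything changed since a given date. The shortlists are review aids, not verdicts; the extension list and the date cut-off are this example's own assumptions.

```python
r"""Parse the 'Files Created' / 'Find3M' tables of a ComboFix report (added example).

Row layout: <created> . <last-written> <size|--------> <attrs> <path>
  2009-09-01 04:43 . 2009-07-28 20:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
Directories show '--------' instead of a size and 'd' in the first attribute
column; an 'h' anywhere in the attribute string marks a hidden entry.
"""
import re
from datetime import datetime

# Constructed excerpt in the layout of the ComboFix log posted in the thread.
SAMPLE_ROWS = r"""
2009-09-01 04:43 . 2009-07-28 20:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-09-01 04:43 . 2009-09-01 04:43 -------- d-----w- c:\program files\Avira
2009-08-16 17:08 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-13 20:06 . 2009-08-13 20:06 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-08-13 17:10 . 2009-08-13 17:10 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2009-08-06 21:33 . 2009-06-04 17:14 674384 ----a-w- c:\windows\system32\GZGHAAYR.exe
2009-08-03 04:14 . 2008-09-27 04:00 230752 ----a-w- c:\windows\patchw32.dll
"""

ROW_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
    r"(?P<written>\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(?P<size>\d+|-{8}) (?P<attrs>\S{8}) (?P<path>.+)$")
TS = "%Y-%m-%d %H:%M"
# Extensions treated as executable content (assumption for this example).
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl")


def parse_rows(text):
    """Return one dict per table row; lines that are not rows are ignored."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        rows.append({
            "created": datetime.strptime(d["created"], TS),
            "written": datetime.strptime(d["written"], TS),
            "size": None if d["size"].startswith("-") else int(d["size"]),
            "is_dir": d["attrs"][0] == "d",
            "hidden": "h" in d["attrs"],
            "path": d["path"].lower(),   # ComboFix already lower-cases most paths
        })
    return rows


def windows_binaries(rows):
    """Executable files written under c:\\windows, excluding the dllcache copies.
    This is a list to compare against known vendors, not a malware verdict."""
    return [r["path"] for r in rows
            if not r["is_dir"] and r["path"].endswith(EXEC_EXT)
            and r["path"].startswith("c:\\windows\\")
            and "\\dllcache\\" not in r["path"]]


def hidden_entries(rows):
    """Files and directories carrying the hidden attribute."""
    return [r["path"] for r in rows if r["hidden"]]


def changed_since(rows, when):
    """Entries created or last written on or after `when`."""
    return [r["path"] for r in rows
            if max(r["created"], r["written"]) >= when]


if __name__ == "__main__":
    parsed = parse_rows(SAMPLE_ROWS)
    print("binaries under c:\\windows:", *windows_binaries(parsed), sep="\n  ")
    print("hidden:", *hidden_entries(parsed), sep="\n  ")
    print("changed since 2009-08-16:",
          *changed_since(parsed, datetime(2009, 8, 16)), sep="\n  ")
```

On a full report, feed the whole log text to parse_rows(); only lines matching the row layout are used, so the section headers and the "Other Deletions" paths are skipped automatically.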

Re: system security

Post by andrewvanderhevel on Tue Sep 01, 2009 8:18 pm

ComboFix 09-08-31.04 - ili 09/01/2009 15:38.5.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.616 [GMT -4:00]
Running from: c:\documents and settings\ili\Desktop\Combo-Fix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: PC Tools Firewall Plus *disabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\ili\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
c:\documents and settings\ili\Local Settings\Temporary Internet Files\p3xfer.cfg
c:\windows\Fonts\Britannian Runes.TTF
c:\windows\Installer\10a982.msi
c:\windows\Installer\2475b6d.msi
c:\windows\Installer\53e1ce9.msi
c:\windows\Installer\d672b1.msi
c:\windows\system32\kdfinj.dll
c:\windows\system32\threat448y.bin
c:\windows\Temp\scsE.tmp
c:\windows\Temp\scsF.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_GXVXCSERV.SYS
-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2009-08-01 to 2009-09-01 )))))))))))))))))))))))))))))))
.

2009-09-01 04:43 . 2009-07-28 20:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-09-01 04:43 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-09-01 04:43 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-09-01 04:43 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-09-01 04:43 . 2009-09-01 04:43 -------- d-----w- c:\program files\Avira
2009-09-01 04:43 . 2009-09-01 04:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-08-30 21:25 . 2009-08-30 21:25 0 ----a-w- c:\windows\popcreg.dat
2009-08-30 21:25 . 2009-08-30 21:25 0 ----a-w- c:\windows\popcinfot.dat
2009-08-30 03:46 . 2009-08-30 03:46 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games
2009-08-30 03:45 . 2009-08-30 03:46 -------- d-----w- c:\program files\PopCap Games
2009-08-29 18:32 . 2009-08-29 19:16 -------- d-----w- c:\documents and settings\ili\Application Data\.minecraft
2009-08-24 08:38 . 2009-08-29 16:27 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-22 13:28 . 2009-09-01 06:59 -------- d-----w- C:\Audition
2009-08-21 22:01 . 2009-07-10 16:33 1589248 ----a-w- c:\windows\system32\libmysql_d.dll
2009-08-21 22:00 . 2009-08-21 22:00 -------- d-----w- c:\program files\PremiumSoft
2009-08-21 21:49 . 2009-08-21 21:49 -------- d-----w- c:\program files\MySQL
2009-08-21 21:49 . 2009-08-21 21:49 -------- d-----w- c:\documents and settings\All Users\Application Data\MySQL
2009-08-17 11:21 . 2009-08-30 03:25 -------- d-----w- C:\RomAudition
2009-08-16 17:09 . 2009-08-16 17:09 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-16 17:09 . 2009-08-16 17:09 -------- d-----w- c:\program files\Reference Assemblies
2009-08-16 17:08 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-16 17:08 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-16 17:08 . 2009-08-16 17:08 -------- d-----w- C:\a81733658c0826f80b
2009-08-16 17:08 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-16 17:08 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-16 17:08 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-16 17:08 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-16 17:08 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-16 17:08 . 2009-08-16 17:21 -------- d-----w- c:\windows\SxsCaPendDel
2009-08-14 07:26 . 2009-08-14 07:26 -------- d-----w- c:\program files\Games
2009-08-13 20:06 . 2009-08-13 20:06 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-08-13 20:06 . 2009-08-13 20:06 -------- d-----w- c:\documents and settings\ili\Application Data\skypePM
2009-08-13 20:04 . 2009-08-16 19:22 -------- d-----w- c:\documents and settings\ili\Application Data\Skype
2009-08-13 20:02 . 2009-08-13 20:02 -------- d-----w- c:\program files\Common Files\Skype
2009-08-13 20:02 . 2009-08-13 20:03 -------- d-----r- c:\program files\Skype
2009-08-13 20:02 . 2009-08-13 20:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-08-13 19:53 . 2009-08-13 19:53 41872 ----a-w- c:\windows\system32\xfcodec.dll
2009-08-13 17:10 . 2009-08-13 17:10 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2009-08-12 21:46 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-08 15:27 . 2009-08-08 15:27 -------- d-----w- c:\program files\Common Files\Oberon Media
2009-08-08 15:27 . 2009-08-08 15:27 -------- d-----w- c:\program files\Britannica Games
2009-08-08 15:17 . 2009-08-08 15:30 -------- d-----w- c:\program files\Magic Farm
2009-08-08 15:14 . 2009-08-08 15:14 -------- d-----w- c:\program files\ReflexiveArcade
2009-08-08 08:00 . 2009-08-13 09:58 -------- d-----w- c:\documents and settings\ili\Application Data\IMVU
2009-08-08 08:00 . 2009-08-08 08:00 82041 ----a-w- c:\documents and settings\ili\Application Data\IMVUClient\Uninstall.exe
2009-08-08 07:59 . 2009-08-08 08:00 -------- d-----w- c:\documents and settings\ili\Application Data\IMVUClient
2009-08-08 07:10 . 2009-08-08 07:10 -------- d-----w- c:\documents and settings\ili\Application Data\EleFun Games
2009-08-08 06:09 . 2009-08-08 15:29 -------- d-----w- c:\documents and settings\ili\Application Data\Meridian93
2009-08-08 05:04 . 2009-08-08 15:27 -------- d-----w- c:\program files\Oberon Media
2009-08-06 17:05 . 2009-08-06 17:05 92192 ----a-w- c:\documents and settings\ili\Application Data\IMVUClient\IMVUupdater.exe
2009-08-06 17:05 . 2009-08-06 17:05 18688 ----a-w- c:\documents and settings\ili\Application Data\IMVUClient\imvuqualityagent.exe
2009-08-06 17:05 . 2009-08-06 17:05 52992 ----a-w- c:\documents and settings\ili\Application Data\IMVUClient\IMVUClient.exe
2009-08-06 16:59 . 2009-08-06 16:59 1252864 ----a-w- c:\documents and settings\ili\Application Data\IMVUClient\SceneWindow.dll
2009-08-06 16:59 . 2009-08-06 16:59 15872 ----a-w- c:\documents and settings\ili\Application Data\IMVUClient\MemoryHook.dll
2009-08-06 16:57 . 2009-08-06 16:57 296960 ----a-w- c:\documents and settings\ili\Application Data\IMVUClient\cal3d.dll
2009-08-06 16:57 . 2009-08-06 16:57 190976 ----a-w- c:\documents and settings\ili\Application Data\IMVUClient\boost_python.dll
2009-08-06 16:57 . 2009-08-06 16:57 30720 ----a-w- c:\documents and settings\ili\Application Data\IMVUClient\CallStack.dll
2009-08-06 16:57 . 2009-08-06 16:57 257536 ----a-w- c:\documents and settings\ili\Application Data\IMVUClient\audiere.dll
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 21:58 . 2009-08-04 21:58 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-08-04 18:35 . 2009-08-04 18:35 -------- d-----w- C:\gPotato
2009-08-04 18:03 . 2009-08-04 18:03 49664 ----a-w- c:\documents and settings\ili\Application Data\IMVUClient\w9xpopen.exe
2009-08-04 18:03 . 2009-08-04 18:03 110080 ----a-w- c:\documents and settings\ili\Application Data\IMVUClient\pywintypes26.dll
2009-08-04 18:03 . 2009-08-04 18:03 353280 ----a-w- c:\documents and settings\ili\Application Data\IMVUClient\pythoncom26.dll
2009-08-04 18:03 . 2009-08-04 18:03 2251264 ----a-w- c:\documents and settings\ili\Application Data\IMVUClient\python26.dll
2009-08-03 06:05 . 2009-08-03 06:05 15240 ----a-w- c:\documents and settings\ili\Application Data\Microsoft\IdentityCRL\PROD\ppcrlconfig.dll
2009-08-03 04:14 . 2008-09-27 04:00 230752 ----a-w- c:\windows\patchw32.dll
2009-08-03 04:14 . 2008-09-27 04:00 118176 ----a-w- c:\windows\patchw.dll
2009-08-03 04:10 . 2009-08-03 04:14 -------- d-----w- c:\program files\Outspark

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-01 19:34 . 2006-12-10 19:04 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-01 19:27 . 2009-07-26 02:02 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-09-01 19:27 . 2009-07-26 02:00 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2009-08-31 04:22 . 2007-01-22 00:24 29 ----a-w- c:\windows\popcinfo.dat
2009-08-30 21:31 . 2006-08-26 21:55 -------- d-----w- c:\documents and settings\ili\Application Data\BitTorrent
2009-08-26 04:27 . 2006-06-03 03:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-26 04:26 . 2006-06-03 03:09 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-25 02:33 . 2003-03-11 06:57 -------- d-----w- c:\documents and settings\ili\Application Data\Xfire
2009-08-19 06:21 . 2003-03-11 06:57 -------- d-s---w- c:\program files\Xfire
2009-08-18 22:46 . 2008-12-29 20:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-17 19:48 . 2009-08-17 19:48 687104 ----a-w- c:\windows\isRS-000.tmp
2009-08-17 19:47 . 2009-01-15 05:44 3942047 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-08-16 19:30 . 2006-05-15 01:01 113688 ----a-w- c:\documents and settings\ili\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-16 17:29 . 2009-01-15 07:14 -------- d-----w- c:\program files\PC Tools Firewall Plus
2009-08-13 17:11 . 2009-02-22 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-08 15:25 . 2006-11-25 21:39 -------- d-----w- c:\program files\MSN Games
2009-08-08 05:15 . 2006-05-13 17:09 -------- d-----w- c:\documents and settings\All Users\Application Data\PlayFirst
2009-08-08 05:15 . 2006-05-13 17:09 -------- d-----w- c:\documents and settings\ili\Application Data\PlayFirst
2009-08-06 21:33 . 2009-06-04 17:14 83288 ----a-w- c:\windows\system32\kdfapi.dll
2009-08-06 21:33 . 2009-06-04 17:14 674384 ----a-w- c:\windows\system32\GZGHAAYR.exe
2009-08-06 21:33 . 2009-06-04 17:14 61440 ----a-w- c:\windows\system32\proDefense.dll
2009-08-06 21:33 . 2009-06-04 17:14 59976 ----a-w- c:\windows\system32\Kdfhok.dll
2009-08-06 21:33 . 2009-06-04 17:14 192512 ----a-w- c:\windows\system32\kdfvmgr.exe
2009-08-05 09:01 . 2006-05-15 00:55 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 17:36 . 2008-12-29 20:39 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2008-12-29 20:39 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-03 04:10 . 2006-05-21 22:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-01 18:01 . 2008-09-24 17:06 34 ----a-w- c:\documents and settings\ili\jagex_runescape_preferences.dat
2009-08-01 17:48 . 2009-08-01 17:49 91656 ----a-w- c:\program files\RuneScape.exe
2009-08-01 02:41 . 2009-04-04 01:29 -------- d-----w- c:\program files\Messenger Plus! Live
2009-08-01 02:41 . 2003-03-12 03:16 -------- d-----w- c:\program files\MSN Messenger
2009-07-31 00:19 . 2006-05-13 00:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-07-30 03:54 . 2008-10-18 04:27 -------- d-----w- c:\program files\Cute Knight
2009-07-26 02:02 . 2009-07-26 01:58 -------- d-----w- c:\program files\Common Files\LogiShrd
2009-07-26 01:58 . 2009-07-26 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd
2009-07-26 01:58 . 2006-09-09 21:37 -------- d-----w- c:\program files\Logitech
2009-07-24 01:45 . 2009-07-24 01:45 21035 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-07-24 01:44 . 2009-07-24 01:44 -------- d-----w- c:\program files\Linksys
2009-07-24 01:44 . 2009-07-24 01:44 -------- d-----w- c:\documents and settings\ili\Application Data\InstallShield
2009-07-18 04:20 . 2006-05-13 14:58 -------- d-----w- c:\program files\Yahoo! Games
2009-07-18 04:17 . 2006-06-22 22:54 -------- d-----w- c:\program files\Maxis
2009-07-17 23:55 . 2009-05-26 00:16 -------- d-----w- c:\documents and settings\ili\Application Data\Sonic
2009-07-17 19:01 . 2003-03-31 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-16 22:30 . 2009-06-21 00:58 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2009-07-14 03:43 . 2005-01-28 20:44 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2006-02-24 21:26 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-16 14:36 . 2003-03-31 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2003-03-31 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 03:08 . 2009-06-15 03:08 262144 ----a-w- C:\ntuser.dat
2009-06-12 12:31 . 2003-03-31 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-11 19:36 . 2009-06-11 19:36 3771296 ----a-w- c:\documents and settings\ili\Application Data\IMVUClient\ui\plugins\npswf32.dll
2009-06-10 14:13 . 2003-03-31 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2006-05-13 01:53 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2003-03-31 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-08 23:45 . 2009-06-08 23:45 271929 ----a-w- c:\documents and settings\ili\Application Data\IMVUClient\pixomatic.dll
2009-06-04 17:14 . 2009-06-04 17:13 270445 ----a-w- c:\windows\system32\kdfmod.dll
2009-06-04 17:12 . 2009-06-04 17:12 261384 ----a-w- c:\windows\system32\p3xsvr.exe
2009-06-04 17:12 . 2009-06-04 17:12 146696 ----a-w- c:\windows\system32\p3xfer.dll
2009-06-04 17:12 . 2009-06-04 17:12 1201624 ----a-w- c:\windows\system32\p3xAudition.exe
2008-10-23 03:38 . 2008-10-23 03:37 89811 ----a-w- c:\program files\Uninstal.exe
2006-12-10 23:42 . 2008-01-27 19:15 774144 ----a-w- c:\program files\RngInterstitial.dll
2008-12-20 11:04 . 2006-12-18 19:44 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-20 11:04 . 2006-12-18 19:44 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll


Re: system security

Post by andrewvanderhevel on Tue Sep 01, 2009 8:18 pm

2008-12-20 11:04 . 2006-12-18 19:44 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-12-20 11:04 . 2006-12-18 19:44 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-12-20 11:04 . 2006-12-18 19:44 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2008-11-20 08:36 . 2008-11-20 08:36 56 --sh--r- c:\windows\system32\17A98B4007.sys
2009-02-01 18:05 . 2008-11-20 08:36 1682 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Aim6"="" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2009-03-15 2652056]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-25 122939]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-14 169984]

c:\documents and settings\ili\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Winter Fun Wallpaper Changer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Winter Fun Wallpaper Changer.lnk
backup=c:\windows\pss\Winter Fun Wallpaper Changer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^ili^Start Menu^Programs^Startup^IMVU.lnk]
path=c:\documents and settings\ili\Start Menu\Programs\Startup\IMVU.lnk
backup=c:\windows\pss\IMVU.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^ili^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\ili\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ati HotKey Poller"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"Bonjour Service"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" /background
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" boot
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"Aim6"="c:\program files\AIM6\aim6.exe" /d locale=en-US [You must be registered and logged in to see this link.]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LogitechVideoRepair"=c:\program files\Logitech\Video\ISStart.exe
"LVCOMSX"=c:\windows\system32\LVCOMSX.EXE

R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [1/15/2009 3:16 AM 159600]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/1/2009 12:43 AM 108289]
R2 GTWPSService;GTWPSSRV;c:\program files\Linksys\WMP110\gtwpssrv.exe [7/23/2009 9:44 PM 34816]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [1/15/2009 3:16 AM 73840]
R2 WLSng Service;WLSng Service;c:\program files\Linksys\WMP110\WLSngS.exe [7/23/2009 9:44 PM 233472]
R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [7/23/2009 9:44 PM 57344]
R3 LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter;c:\windows\system32\drivers\lne100v5.sys [5/12/2006 10:49 PM 36224]
S1 ShldDrv;Panda File Shield Driver;c:\windows\system32\DRIVERS\ShlDrv51.sys --> c:\windows\system32\DRIVERS\ShlDrv51.sys [?]
S2 PavProc;Panda Process Protection Driver;\??\c:\windows\system32\DRIVERS\PavProc.sys --> c:\windows\system32\DRIVERS\PavProc.sys [?]
S3 cpuz131;cpuz131;\??\c:\docume~1\ili\LOCALS~1\Temp\cpuz131\cpuz_x32.sys --> c:\docume~1\ili\LOCALS~1\Temp\cpuz131\cpuz_x32.sys [?]
S3 dump_wmimmc;dump_wmimmc;\??\c:\gpotato\Luna Online\GameGuard\dump_wmimmc.sys --> c:\gpotato\Luna Online\GameGuard\dump_wmimmc.sys [?]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Linksys\WMP110\jswpsapi.exe [7/23/2009 9:44 PM 352338]
S3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNT.sys [4/26/2009 6:14 AM 131072]
S3 Mkd2Nadr;Mkd2Nadr;c:\windows\system32\drivers\Mkd2Nadr.sys [4/26/2009 6:14 AM 79104]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [1/15/2009 3:15 AM 95640]
S3 ProDefense;ProDefense;\??\c:\windows\system32\drivers\ProDefense.sys --> c:\windows\system32\drivers\ProDefense.sys [?]
S3 WMP110;Linksys WMP110 RangePlus Wireless PCI Adapter Service;c:\windows\system32\drivers\WMP110.sys [7/23/2009 9:44 PM 1299520]
S3 XDva202;XDva202;\??\c:\windows\system32\XDva202.sys --> c:\windows\system32\XDva202.sys [?]
S3 XDva262;XDva262;\??\c:\windows\system32\XDva262.sys --> c:\windows\system32\XDva262.sys [?]
S3 XDva269;XDva269;\??\c:\windows\system32\XDva269.sys --> c:\windows\system32\XDva269.sys [?]
S3 XDva275;XDva275;\??\c:\windows\system32\XDva275.sys --> c:\windows\system32\XDva275.sys [?]
S3 XDva277;XDva277;\??\c:\windows\system32\XDva277.sys --> c:\windows\system32\XDva277.sys [?]
S3 XDva280;XDva280;\??\c:\windows\system32\XDva280.sys --> c:\windows\system32\XDva280.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
DHCP
ERSvc
FastUserSwitchingCompatibility
HidServ
LanmanServer
LanmanWorkstation
Messenger
Nla
Schedule
Seclogon
SRService
Themes
TrkWks
W32Time
Wmi
WmdmPmSp
winmgmt
TermService
wuauserv
BITS
ShellHWDetection
helpsvc
xmlprov
wscsvc
napagent
hkmsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: &AIM Search
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
IE: &Google Search
IE: &Translate English Word
IE: &Windows Live Search
IE: &Yahoo! Search - [You must be registered and logged in to see this link.] files\Yahoo!\Common/ycsrch.htm
IE: Backward Links
IE: Cached Snapshot of Page
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Similar Pages
IE: Translate Page into English
IE: Yahoo! &Dictionary - [You must be registered and logged in to see this link.] files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - [You must be registered and logged in to see this link.] files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - [You must be registered and logged in to see this link.] files\Yahoo!\Common/ycsms.htm
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\ili\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: {377FF862-62E0-4F33-B6E5-F58E0BC0F209} - [You must be registered and logged in to see this link.]
DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} - [You must be registered and logged in to see this link.]
DPF: {CEE326E8-7571-4086-B347-3C0ACA9A9DE8} - [You must be registered and logged in to see this link.]
DPF: {D6440B15-8FD8-455C-AE55-8D3198F49638} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\ili\Application Data\Mozilla\Firefox\Profiles\63q60lpc.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\ili\Application Data\Mozilla\Firefox\Profiles\63q60lpc.default\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}\components\WinampPlayer.dll
FF - component: c:\program files\DAEMON Tools Toolbar\FirefoxDTT\components\DTToolbarFF.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-09-01 16:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(916)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-09-01 16:14
ComboFix-quarantined-files.txt 2009-09-01 20:14
ComboFix2.txt 2008-12-30 00:20
ComboFix3.txt 2008-12-29 23:51
ComboFix4.txt 2008-12-29 22:06

Pre-Run: 22,038,900,736 bytes free
Post-Run: 22,249,758,720 bytes free

Current=2 Default=2 Failed=4 LastKnownGood=5 Sets=1,2,3,4,5
347 --- E O F --- 2009-08-26 17:00


Re: system security

Post by Belahzur on Wed Sep 02, 2009 12:32 am

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

This will also reset your restore points.

How is the machine running now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: system security

Post by andrewvanderhevel on Tue Sep 08, 2009 6:27 pm

I ran it; it uninstalled ComboFix. But the computer is still running real bad. It's hard for me to play games on it; it takes a long time to open, or just doesn't open at all <_<


Re: system security

Post by Belahzur on Tue Sep 08, 2009 7:50 pm

Please post a new HijackThis log; we'll see what we can do about performance.



Re: system security

Post by andrewvanderhevel on Thu Sep 10, 2009 4:12 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:13:00 AM, on 9/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Linksys\WMP110\gtwpssrv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys\WMP110\WLSngS.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: RefresherBand Class - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\PROGRA~1\YREFRE~1\YREFRE~1.DLL
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - S-1-5-18 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'SYSTEM')
O4 - S-1-5-18 Startup: Sid Registration.lnk = D:\ATR1.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
O4 - .DEFAULT Startup: Sid Registration.lnk = D:\ATR1.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Sid Registration.lnk = D:\ATR1.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Yahoo! Search - [You must be registered and logged in to see this link.] Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Yahoo! &Dictionary - [You must be registered and logged in to see this link.] Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - [You must be registered and logged in to see this link.] Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - [You must be registered and logged in to see this link.] Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\ili\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {1D082E71-DF20-4AAF-863B-596428C49874} (TPIR Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} (Brickout Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {377FF862-62E0-4F33-B6E5-F58E0BC0F209} (NlsComm Component Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - [You must be registered and logged in to see this link.]
O16 - DPF: {42FDC231-A411-45F8-B8B6-3B5026111DA8} (SolitaireRush Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} (Kdfense8 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {BA35B9B8-DE9E-47C9-AFA7-3C77E3DDFD39} (Monopoly Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tilecity Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {C5326A4D-E9AA-40AD-A09A-E74304D86B47} (DinerDash Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {C82BB209-F528-46F9-96D5-69DEF7260916} (MysteryPI Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {CEE326E8-7571-4086-B347-3C0ACA9A9DE8} (PcubeSet Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {D6440B15-8FD8-455C-AE55-8D3198F49638} (ExcuteHbsAudition Class) - [You must be registered and logged in to see this link.]
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: GTWPSSRV (GTWPSService) - Unknown owner - C:\Program Files\Linksys\WMP110\gtwpssrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\Linksys\WMP110\jswpsapi.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\System32\HPZipm12.exe (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - Unknown owner - C:\Program Files\Spyware Doctor\sdhelp.exe (file missing)
O23 - Service: WLSng Service - TODO: - C:\Program Files\Linksys\WMP110\WLSngS.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 14208 bytes


Re: system security

Post by Belahzur on Thu Sep 10, 2009 7:25 pm

Hello.

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
You can re-enable TeaTimer once your system is clean.

Please make sure TeaTimer is disabled before we do this, otherwise this fix will fail.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O2 - BHO: (no name) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - (no file)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
    O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - S-1-5-18 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'SYSTEM')
    O4 - S-1-5-18 Startup: Sid Registration.lnk = D:\ATR1.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
    O4 - .DEFAULT Startup: Sid Registration.lnk = D:\ATR1.exe (User 'Default user')
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Startup: Sid Registration.lnk = D:\ATR1.exe


  • Press "Fix Checked"
  • Close HijackThis.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.



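The HijackThis lines in the fix list above fall into two groups: O2/O3 entries marked "(no file)", which are registry references to BHOs and toolbars whose DLL is no longer on disk, and O4 autostart entries (Run keys and Startup folders). As an added example, not HijackThis code and not part of the thread, here is a small Python triage of HJT-format lines: it parses O2/O3/O4 entries, tags the "(no file)" orphans, and flags startup items that run from outside Program Files or Windows, or from the SYSTEM/.DEFAULT profile, as D:\ATR1.exe does in this log. The regexes and the trusted-roots list are assumptions about the log format; the sample input is the post's own lines plus one constructed Adobe BHO line (fake CLSID) added for contrast.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: lines quoted from the fix list above, plus one
# constructed healthy BHO (fake CLSID) so the output has a clean O2 entry.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - (no file)
O2 - BHO: Adobe PDF Link Helper (constructed) - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - S-1-5-18 Startup: Sid Registration.lnk = D:\ATR1.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
O4 - Startup: Sid Registration.lnk = D:\ATR1.exe
"""

# Assumption: directories from which ordinary software is expected to start.
TRUSTED_ROOTS = (r"c:\program files", r"c:\windows")

# Assumed HJT line shapes (derived from the lines above, not from HJT source).
O2_O3 = re.compile(
    r"^(?P<section>O[23]) - (?:BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$")
O4_RUN = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<target>.*)$")
O4_STARTUP = re.compile(
    r"^O4 - (?:(?P<profile>S-1-5-\d+|\.DEFAULT) )?Startup: (?P<name>.*?) = "
    r"(?P<target>.*?)(?: \(User '(?P<user>[^']*)'\))?$")


@dataclass
class Entry:
    section: str                 # O2, O3 or O4
    name: str
    target: str                  # right-hand side exactly as logged
    path: str                    # executable/DLL path pulled out of target
    profile: str = ""            # SID or .DEFAULT for per-profile Startup items
    flags: list = field(default_factory=list)


def executable_path(target: str) -> str:
    """Strip quoting and arguments, e.g. '"C:\\x\\y.exe" /r' -> 'C:\\x\\y.exe'."""
    target = target.strip()
    if target.startswith('"'):
        end = target.find('"', 1)
        return target[1:end] if end > 0 else target[1:]
    m = re.match(r"(.+?\.(?:exe|dll|lnk|com|scr))(?:\s|$)", target, re.IGNORECASE)
    return m.group(1) if m else target


def parse_line(line: str):
    """Return an Entry for a recognised O2/O3/O4 line, else None."""
    m = O2_O3.match(line)
    if m:
        return Entry(m.group("section"), m.group("name"), m.group("target"),
                     executable_path(m.group("target")))
    m = O4_RUN.match(line)
    if m:
        return Entry("O4", m.group("name"), m.group("target"),
                     executable_path(m.group("target")))
    m = O4_STARTUP.match(line)
    if m:
        return Entry("O4", m.group("name"), m.group("target"),
                     executable_path(m.group("target")), m.group("profile") or "")
    return None


def flag(entry: Entry) -> Entry:
    """Attach triage hints. These are prompts for a human, not verdicts."""
    if entry.target.strip() == "(no file)":
        # Dead registry reference: the DLL is gone, only the key remains.
        entry.flags.append("orphan: registry points at a missing file")
        return entry
    if not entry.path.lower().startswith(TRUSTED_ROOTS):
        entry.flags.append("path outside Program Files / Windows")
    if entry.profile:
        # Per-user software normally lands in the user's own Startup folder,
        # not in the SYSTEM or Default User profile.
        entry.flags.append(f"startup item in {entry.profile} profile")
    return entry


def triage(log_text: str) -> list:
    return [flag(e) for e in (parse_line(l.strip()) for l in log_text.splitlines()) if e]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        mark = "!!" if e.flags else "  "
        print(f"{mark} {e.section} {e.name!r:55} {e.path}  {'; '.join(e.flags)}")
```

Entries with no flags are not thereby shown to be benign, and flagged ones are not thereby malicious; the script only sorts the fix list so that a reviewer looks first at the items that do not resemble normal installed software.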
Re: system security

Post by andrewvanderhevel on Thu Sep 10, 2009 9:49 pm

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

9/10/2009 5:48:23 PM
mbam-log-2009-09-10 (17-48-23).txt

Scan type: Quick Scan
Objects scanned: 119153
Time elapsed: 12 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)


Re: system security

Post by Belahzur on Fri Sep 11, 2009 1:36 am

Hello.
How is the machine running now?
I'd say this is ok now.

