GeekPolice
Welcome to GeekPolice.net!

From "wow" to "whoa" - we're teaching practical technology and helping others with tech support. Join our family here!

You are viewing the forum as a "Guest" which doesn't give you member privileges to ask questions or post comments.

Take 30 seconds to register or log in below and unlock the limitations of this website to discover new computer knowledge!

Please Help (Trojan Problem)

Page 1 of 2 1, 2  Next

View previous topic View next topic Go down

Solved Re: Please Help (Trojan Problem)

Post by Belahzur on Wed Nov 19, 2008 2:46 am

Do this in safe mode, then when it reboots, allow it to reboot into normal mode. The avenger WILL load before everything else.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245039
# Likes : 1

View user profile

Back to top Go down

Solved Re: Please Help (Trojan Problem)

Post by outlawz28 on Wed Nov 19, 2008 2:48 am

alright i will do this and get back to in a couple hrs. Thanks alot for your time really appriceate it.

outlawz28
Intermediate
Intermediate

Status :
Online
Offline

Posts : 84
Joined : 2008-11-19
OS : Windows Vista Home Premium
Points : 29649
# Likes : 0

View user profile

Back to top Go down

Solved Re: Please Help (Trojan Problem)

Post by Belahzur on Wed Nov 19, 2008 2:48 am

Okay. I'm going offline now anyway, so no rush.
Just keep this machine off the internet until we sort this out.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245039
# Likes : 1

View user profile

Back to top Go down

Solved Re: Please Help (Trojan Problem)

Post by outlawz28 on Wed Nov 19, 2008 2:49 am

keep the laptop with a trojan off the internet? why

outlawz28
Intermediate
Intermediate

Status :
Online
Offline

Posts : 84
Joined : 2008-11-19
OS : Windows Vista Home Premium
Points : 29649
# Likes : 0

View user profile

Back to top Go down

Solved Re: Please Help (Trojan Problem)

Post by Belahzur on Wed Nov 19, 2008 2:51 am

Because with combofix's run being stopped, there's no telling what the malware will download while we aren't killing it. If the machine is off, it won't download more junk.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245039
# Likes : 1

View user profile

Back to top Go down

Solved Re: Please Help (Trojan Problem)

Post by outlawz28 on Wed Nov 19, 2008 6:03 am

Here is the avenger text

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "TDSSserv.sys" found!
ImagePath: \systemroot\system32\drivers\TDSSnrde.sys
Start Type: 1 (System)

Rootkit scan completed.

File "C:\Users\Sunny\AppData\Local\Temp\Low\1983343844.exe" deleted successfully.
File "C:\Users\Sunny\AppData\Local\Temp\Low\csrssc.exe" deleted successfully.
File "C:\Windows\system32\jsne87fidgf.dll" deleted successfully.
File "C:\Windows\temp\FF1.tmp" deleted successfully.
File "C:\Windows\system32\opnkkIAQ.dll" deleted successfully.
File "C:\Users\Sunny\AppData\Local\Temp\winlogin.exe" deleted successfully.
File "C:\Windows\System32\rs32net.exe" deleted successfully.
File "C:\Users\Sunny\AppData\Roaming\gadcom\gadcom.exe" deleted successfully.
File "C:\RECYCLER\S-1-5-21-7375703473-8080656887-479141202-3278\winigon.exe" deleted successfully.
File "C:\Users\Sunny\AppData\Local\Temp\a.exe" deleted successfully.
File "C:\Users\Sunny\AppData\Local\Temp\urqRHxyw.dll" deleted successfully.

Error: file "C:\Windows\system32\jsne87fidgf.dll" not found!
Deletion of file "C:\Windows\system32\jsne87fidgf.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\Windows\system32\kdgcw.exe" deleted successfully.
Folder "C:\Users\Sunny\AppData\Local\Temp\Low" deleted successfully.
Folder "C:\Users\Sunny\AppData\Roaming\gadcom" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

outlawz28
Intermediate
Intermediate

Status :
Online
Offline

Posts : 84
Joined : 2008-11-19
OS : Windows Vista Home Premium
Points : 29649
# Likes : 0

View user profile

Back to top Go down

Solved Re: Please Help (Trojan Problem)

Post by outlawz28 on Wed Nov 19, 2008 6:04 am

Here is the new hijack one

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:59, on 2008-11-18
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16757)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Users\Sunny\AppData\Roaming\Twain\Twain.exe
C:\Windows\ehome\ehmsas.exe
C:\Users\Sunny\AppData\Local\Temp\RtkBtMnt.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Users\Sunny\Downloads\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: C:\Windows\system32\jsne87fidgf.dll - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\Windows\system32\jsne87fidgf.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] "c:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\cltUIStb.exe" /MODULE CfgWiz /GUID {BC8D3EAF-F864-4d4b-AB4D-B3D0C32E2840} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [osCheck] "c:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [PLFSet] rundll32.exe C:\Windows\PLFSet.dll,PLFDefSetting
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "c:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [Acer Assist Launcher] C:\Program Files\Acer Assist\launcher.exe
O4 - HKLM\..\Run: [Acer Product Registration] "C:\Program Files\Acer Registration\ACE1.exe" /startup
O4 - HKLM\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [UIWatcher] C:\Program Files\Ashampoo\Ashampoo UnInstaller 3\UIWatcher.exe
O4 - HKCU\..\Run: [Twain] C:\Users\Sunny\AppData\Roaming\Twain\Twain.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Acer Product Registration.lnk = C:\Program Files\Acer Registration\ACE1.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - [You must be registered and logged in to see this link.] Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - [You must be registered and logged in to see this link.] Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - [You must be registered and logged in to see this link.] Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - [You must be registered and logged in to see this link.] Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O13 - Gopher Prefix:
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\..\{85AA8BC9-CFE5-4A76-885E-5DB8B8B821CF}: NameServer = 85.255.112.125;85.255.112.5
O22 - SharedTaskScheduler: mcb7uehuj3n8weuhejsw - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\Windows\system32\jsne87fidgf.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: O2Micro Flash Memory Card Service (o2flash) - O2Micro International - C:\Program Files\O2Micro Oz128 Driver\o2flash.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 11629 bytes

outlawz28
Intermediate
Intermediate

Status :
Online
Offline

Posts : 84
Joined : 2008-11-19
OS : Windows Vista Home Premium
Points : 29649
# Likes : 0

View user profile

Back to top Go down

Solved Re: Please Help (Trojan Problem)

Post by Belahzur on Wed Nov 19, 2008 12:17 pm

Looks so much better.


  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O2 - BHO: C:\Windows\system32\jsne87fidgf.dll - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\Windows\system32\jsne87fidgf.dll (file missing)
    O4 - HKCU\..\Run: [Twain] C:\Users\Sunny\AppData\Roaming\Twain\Twain.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{85AA8BC9-CFE5-4A76-885E-5DB8B8B821CF}: NameServer = 85.255.112.125;85.255.112.5
    O22 - SharedTaskScheduler: mcb7uehuj3n8weuhejsw - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\Windows\system32\jsne87fidgf.dll (file missing)



  • Press "Fix Checked"
  • Close Hijack This.

=====

Now lets use the avenger again.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Drivers to disable:
TDSSserv.sys

Drivers to delete:
TDSSserv.sys

Files to delete:
C:\Windows\system32\drivers\TDSSnrde.sys
C:\Users\Sunny\AppData\Roaming\Twain\Twain.exe

Folders to delete:
C:\Users\Sunny\AppData\Roaming\Twain

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Don't tick the box below.
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • Because of a certain command we are using, the avenger will restart your machine twice.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avengerís actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log.

After you've done that.

Download [You must be registered and logged in to see this link.] to your desktop.

  • Close all windows and open it
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up called OTViewIt.txt, the other will be saved on your desktop and called Extras. Post both those logs here.
  • You may need to use two posts to get it all on the forum


The logs I need to see:

  • new avenger.txt
  • OTViewIt.txt.
  • new Hijack This log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245039
# Likes : 1

View user profile

Back to top Go down

Solved Re: Please Help (Trojan Problem)

Post by outlawz28 on Thu Nov 20, 2008 12:23 am

I cant get OTViewit to Work it says Not responding when it gets to Scanning Service: Audioendpointbuilder

outlawz28
Intermediate
Intermediate

Status :
Online
Offline

Posts : 84
Joined : 2008-11-19
OS : Windows Vista Home Premium
Points : 29649
# Likes : 0

View user profile

Back to top Go down

Solved Re: Please Help (Trojan Problem)

Post by outlawz28 on Thu Nov 20, 2008 12:23 am

here is the avenger txt

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "TDSSserv.sys" found!
ImagePath: \systemroot\system32\drivers\TDSSnrde.sys
Start Type: 4 (Disabled)

Rootkit scan completed.

Driver "TDSSserv.sys" disabled successfully.
Driver "TDSSserv.sys" deleted successfully.
File "C:\Windows\system32\drivers\TDSSnrde.sys" deleted successfully.
File "C:\Users\Sunny\AppData\Roaming\Twain\Twain.exe" deleted successfully.
Folder "C:\Users\Sunny\AppData\Roaming\Twain" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

outlawz28
Intermediate
Intermediate

Status :
Online
Offline

Posts : 84
Joined : 2008-11-19
OS : Windows Vista Home Premium
Points : 29649
# Likes : 0

View user profile

Back to top Go down

Solved Re: Please Help (Trojan Problem)

Post by outlawz28 on Thu Nov 20, 2008 12:24 am

here is the hijack this txt

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:17, on 2008-11-19
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16757)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\CfgWiz.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Users\Sunny\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Windows\System32\mobsync.exe
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Sunny\Downloads\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] "c:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\cltUIStb.exe" /MODULE CfgWiz /GUID {BC8D3EAF-F864-4d4b-AB4D-B3D0C32E2840} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [osCheck] "c:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [PLFSet] rundll32.exe C:\Windows\PLFSet.dll,PLFDefSetting
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "c:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [Acer Assist Launcher] C:\Program Files\Acer Assist\launcher.exe
O4 - HKLM\..\Run: [Acer Product Registration] "C:\Program Files\Acer Registration\ACE1.exe" /startup
O4 - HKLM\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [UIWatcher] C:\Program Files\Ashampoo\Ashampoo UnInstaller 3\UIWatcher.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Acer Product Registration.lnk = C:\Program Files\Acer Registration\ACE1.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - [You must be registered and logged in to see this link.] Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - [You must be registered and logged in to see this link.] Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - [You must be registered and logged in to see this link.] Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - [You must be registered and logged in to see this link.] Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O13 - Gopher Prefix:
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - [You must be registered and logged in to see this link.]
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: O2Micro Flash Memory Card Service (o2flash) - O2Micro International - C:\Program Files\O2Micro Oz128 Driver\o2flash.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 11235 bytes

outlawz28
Intermediate
Intermediate

Status :
Online
Offline

Posts : 84
Joined : 2008-11-19
OS : Windows Vista Home Premium
Points : 29649
# Likes : 0

View user profile

Back to top Go down

Solved Re: Please Help (Trojan Problem)

Post by Belahzur on Thu Nov 20, 2008 12:27 am

My bad.
Right click OTViewIt > Run as administrator.
Does it run now?
If so, run and post the log.

The rootkit is gone.
Lets get this machine fixed up now.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:

  • Download the latest version of [You must be registered and logged in to see this link.].
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 10".
  • Click the "Download" button to the right.
  • In the Window that opens, select your platform and language, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add or Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    - Java 2 Runtime Environment, SE v1.4.2
    - J2SE Runtime Environment 5.0
    - J2SE Runtime Environment 5.0 Update 2
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u10-windows-i586-p.exe that you downloaded to install the newest version.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245039
# Likes : 1

View user profile

Back to top Go down

Solved Re: Please Help (Trojan Problem)

Post by outlawz28 on Thu Nov 20, 2008 12:29 am

here is the OTView txt really long gunna take a couple times to get all on

OTViewIt logfile created on: 2008-11-19 16:21:06 - Run 3
OTViewIt by OldTimer - Version 1.0.20.0 Folder = C:\Users\Sunny\Downloads
Windows Vista Home Premium Edition (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6000.16757)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: yyyy-MM-dd

2.00 Gb Total Physical Memory | 1.09 Gb Available Physical Memory | 54.61% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 74.88% Paging File free
Paging file location(s): ?:\pagefile.sys;

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 111.57 Gb Total Space | 37.66 Gb Free Space | 33.76% Space Free | Partition Type: NTFS
Drive D: | 111.55 Gb Total Space | 81.78 Gb Free Space | 73.31% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SUNNY-PC
Current User Name: Sunny
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2006-11-02 01:45:57 | 00,095,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wininit.exe
[2006-11-02 01:45:21 | 00,210,944 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\lsm.exe
[2008-09-29 19:49:08 | 00,704,512 | ---- | M] (ATI Technologies Inc.) -- C:\Windows\System32\Ati2evxx.exe
[2008-02-07 09:14:48 | 02,605,568 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\SLsvc.exe
[2008-09-29 19:49:08 | 00,704,512 | ---- | M] (ATI Technologies Inc.) -- C:\Windows\System32\Ati2evxx.exe
[2006-11-21 12:44:32 | 00,107,624 | ---- | M] (Symantec Corporation) -- c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
[2006-11-21 12:43:42 | 00,046,736 | ---- | M] (Symantec Corporation) -- c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
[2006-11-02 01:45:04 | 00,083,456 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dwm.exe
[2006-11-02 01:45:48 | 00,166,400 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskeng.exe
[2008-02-18 10:16:30 | 00,110,592 | ---- | M] (Apple, Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
[2006-11-21 12:45:00 | 00,194,240 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
[2008-01-11 17:50:16 | 00,030,312 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
[2007-07-24 14:17:08 | 00,229,376 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
[2007-04-12 17:43:16 | 00,457,512 | ---- | M] (HiTRSUT) -- C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
[2007-03-14 10:52:30 | 00,024,576 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
[2007-04-17 19:36:34 | 00,131,072 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\eNet\eNet Service.exe
[2007-01-17 10:20:10 | 00,061,440 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe
[2006-11-24 12:57:54 | 00,107,008 | ---- | M] () -- C:\Acer\Mobility Center\MobilityService.exe
[2007-02-12 15:43:44 | 00,065,536 | ---- | M] (O2Micro International) -- C:\Program Files\O2Micro Oz128 Driver\o2flash.exe
[2006-11-28 14:28:12 | 00,020,480 | ---- | M] ( ) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
[2007-04-02 22:07:38 | 00,272,024 | ---- | M] () -- C:\Program Files\CyberLink\Shared Files\RichVideo.exe
[2007-02-10 05:29:48 | 00,242,544 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
[2007-02-10 05:29:56 | 00,089,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
[2006-11-02 04:34:46 | 00,287,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\SearchIndexer.exe
[2006-08-05 08:39:20 | 00,386,560 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\System32\drivers\XAudio.exe
[2007-07-03 10:40:10 | 00,053,248 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
[2007-06-28 18:50:52 | 00,024,576 | ---- | M] () -- C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
[2007-06-13 11:23:54 | 00,167,936 | ---- | M] (acer) -- C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
[2006-11-02 01:46:00 | 00,245,248 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wbem\WmiPrvSE.exe
[2006-11-02 01:46:00 | 00,245,248 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wbem\WmiPrvSE.exe
[2006-11-02 01:45:50 | 00,037,376 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wbem\unsecapp.exe
[2006-11-02 01:45:48 | 00,166,400 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskeng.exe
[2008-02-07 09:11:21 | 01,006,264 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
[2007-04-23 15:51:42 | 04,435,968 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
[2006-10-23 11:00:36 | 00,815,104 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
[2006-11-21 12:44:28 | 00,107,112 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
[2007-03-14 21:01:30 | 00,071,216 | ---- | M] (Cyberlink Corp.) -- C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
[2007-04-12 17:42:26 | 00,457,728 | ---- | M] (HiTRUST) -- C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
[2007-04-04 00:04:44 | 00,813,840 | ---- | M] (Dritek System Inc.) -- C:\Program Files\Launch Manager\LManager.exe
[2007-12-14 03:42:38 | 00,144,784 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
[2007-05-31 08:21:28 | 00,648,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\WindowsMobile\wmdc.exe
[2008-08-03 15:02:20 | 00,036,352 | ---- | M] () -- C:\Program Files\Winamp\winampa.exe
[2008-07-06 23:34:59 | 00,167,936 | ---- | M] (PowerISO Computing, Inc.) -- C:\Program Files\PowerISO\PWRISOVM.EXE
[2008-02-06 18:23:13 | 01,232,896 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Sidebar\sidebar.exe
[2007-10-18 11:34:02 | 05,724,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\msnmsgr.exe
[2006-11-02 04:35:32 | 00,125,440 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehtray.exe
[2008-02-06 17:29:26 | 00,208,896 | ---- | M] (Realtek Semiconductor Corp.) -- C:\Users\Sunny\AppData\Local\Temp\RtkBtMnt.exe
[2006-11-02 04:36:04 | 00,201,728 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnscfg.exe
[2006-11-02 04:35:32 | 00,037,376 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehmsas.exe
[2006-11-02 04:36:04 | 00,895,488 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe
[2007-04-17 19:36:36 | 00,749,568 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\eNet\eNMTray.exe
[2007-07-06 11:07:52 | 00,450,560 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
[2006-11-02 04:34:48 | 00,095,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mobsync.exe
[2007-04-25 10:35:56 | 00,323,584 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\Acer.Empowering.Framework.Supervisor.exe
[2007-02-09 06:35:54 | 00,397,312 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
[2006-11-02 01:45:50 | 00,037,376 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wbem\unsecapp.exe
[2008-02-13 03:09:26 | 00,027,136 | ---- | M] (Microsoft Corporation) -- C:\Windows\servicing\TrustedInstaller.exe
[2008-07-18 21:10:40 | 00,053,448 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wuauclt.exe
[2006-11-02 04:34:43 | 00,204,288 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\SearchProtocolHost.exe
[2006-11-02 04:34:44 | 00,076,288 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\SearchFilterHost.exe
[2008-11-19 16:18:43 | 00,422,400 | ---- | M] (OldTimer Tools) -- C:\Users\Sunny\Downloads\Ot-viewIt.exe

========== (O23) Win32 Services ==========

outlawz28
Intermediate
Intermediate

Status :
Online
Offline

Posts : 84
Joined : 2008-11-19
OS : Windows Vista Home Premium
Points : 29649
# Likes : 0

View user profile

Back to top Go down

Solved Re: Please Help (Trojan Problem)

Post by outlawz28 on Thu Nov 20, 2008 12:30 am

[2008-02-18 10:16:30 | 00,110,592 | ---- | M] (Apple, Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
[2008-09-29 19:49:08 | 00,704,512 | ---- | M] (ATI Technologies Inc.) -- C:\Windows\System32\Ati2evxx.exe -- (Ati External Event Utility [Auto | Running])
[2006-11-21 12:45:00 | 00,194,240 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe -- (Automatic LiveUpdate Scheduler [Auto | Running])
[2008-01-11 17:50:16 | 00,030,312 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe -- (BcmSqlStartupSvc [Auto | Running])
[2007-07-24 14:17:08 | 00,229,376 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
[2006-11-21 12:44:32 | 00,107,624 | ---- | M] (Symantec Corporation) -- c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr [Auto | Running])
[2006-11-21 12:44:32 | 00,107,624 | ---- | M] (Symantec Corporation) -- c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr [Auto | Running])
File not found -- -- (CertPropSvc [Unknown | Running])
[2006-11-01 22:34:11 | 00,059,392 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
[2006-11-21 12:44:32 | 00,107,624 | ---- | M] (Symantec Corporation) -- c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (CLTNetCnService [Auto | Running])
[2006-11-21 12:42:52 | 00,049,296 | ---- | M] (Symantec Corporation) -- c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe -- (comHost [On_Demand | Stopped])
File not found -- -- (DcomLaunch [Unknown | Running])
[2006-11-02 04:36:25 | 02,089,984 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dfsr.exe -- (DFSR [On_Demand | Stopped])
[2008-02-07 03:09:05 | 00,134,656 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dps.dll -- (DPS [Unknown | Running])
[2007-04-12 17:43:16 | 00,457,512 | ---- | M] (HiTRSUT) -- C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe -- (eDataSecurity Service [Auto | Running])
[2006-11-02 04:35:28 | 00,291,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehrecvr.exe -- (ehRecvr [On_Demand | Stopped])
[2006-11-02 04:35:29 | 00,131,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehsched.exe -- (ehSched [On_Demand | Stopped])
[2007-03-14 10:52:30 | 00,024,576 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe -- (eLockService [Auto | Running])
[2007-04-17 19:36:34 | 00,131,072 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\eNet\eNet Service.exe -- (eNet Service [Auto | Running])
[2007-07-03 10:40:10 | 00,053,248 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe -- (eRecoveryService [Auto | Running])
[2007-06-28 18:50:52 | 00,024,576 | ---- | M] () -- C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe -- (eSettingsService [Auto | Running])
[2006-11-02 04:36:00 | 00,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
[2006-11-02 01:46:05 | 00,569,344 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\gpsvc.dll -- (gpsvc [Unknown | Running])
[2008-03-30 09:36:30 | 00,504,104 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Stopped])
[2006-11-21 12:42:12 | 00,080,552 | ---- | M] (Symantec Corporation) -- c:\Program Files\Norton Internet Security\isPwdSvc.exe -- (ISPwdSvc [On_Demand | Stopped])
[2007-01-17 10:20:10 | 00,061,440 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe -- (LightScribeService [Auto | Running])
[2006-11-21 12:45:00 | 02,541,248 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE -- (LiveUpdate [On_Demand | Stopped])
[2006-11-24 12:57:54 | 00,107,008 | ---- | M] () -- C:\Acer\Mobility Center\MobilityService.exe -- (MobilityService [Auto | Running])
[2006-11-02 05:04:14 | 00,000,000 | ---D | M] -- C:\Windows\System32\Msdtc -- (MSDTC [Unknown | Stopped])
[2008-02-26 21:08:50 | 29,183,504 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$MSSMLBIZ [On_Demand | Stopped])
[2005-10-14 02:50:20 | 00,045,272 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper [Disabled | Stopped])
[2006-11-02 04:36:02 | 00,122,880 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
[2007-02-12 15:43:44 | 00,065,536 | ---- | M] (O2Micro International) -- C:\Program Files\O2Micro Oz128 Driver\o2flash.exe -- (o2flash [Auto | Running])
[2007-08-24 03:19:12 | 00,443,776 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\microsoft shared\OFFICE12\ODSERV.EXE -- (odserv [On_Demand | Stopped])
[2006-10-26 13:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
[2006-11-28 14:28:12 | 00,020,480 | ---- | M] ( ) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService [Auto | Running])
[2006-11-09 14:30:14 | 00,065,536 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService [On_Demand | Stopped])
[2007-04-02 22:07:38 | 00,272,024 | ---- | M] () -- C:\Program Files\CyberLink\Shared Files\RichVideo.exe -- (RichVideo [Auto | Running])
[2006-11-02 01:46:12 | 00,545,792 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\rpcss.dll -- (RpcSs [Unknown | Running])
[2006-11-02 01:46:12 | 00,095,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\SCardSvr.dll -- (SCardSvr [Unknown | Stopped])
File not found -- -- (Schedule [Unknown | Running])
File not found -- -- (SCPolicySvc [Unknown | Stopped])
[2008-02-07 09:14:48 | 02,605,568 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\SLsvc.exe -- (slsvc [Auto | Running])
[2006-11-02 01:45:46 | 00,012,800 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\snmptrap.exe -- (SNMPTRAP [On_Demand | Stopped])
[2007-02-10 05:29:48 | 00,242,544 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser [Auto | Running])
[2007-02-10 05:29:56 | 00,089,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter [Auto | Running])
[2007-05-04 14:08:40 | 01,174,152 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- (Symantec Core LC [On_Demand | Stopped])
[2006-11-21 12:43:42 | 00,046,736 | ---- | M] (Symantec Corporation) -- c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe -- (SymAppCore [Auto | Running])
[2006-11-02 01:45:50 | 00,035,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\UI0Detect.exe -- (UI0Detect [On_Demand | Stopped])
[2007-10-18 11:31:54 | 00,098,328 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\usnsvc.exe -- (usnjsvc [On_Demand | Stopped])
[2006-11-02 01:45:50 | 00,392,704 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\vds.exe -- (vds [On_Demand | Stopped])
File not found -- -- (WdiServiceHost [Unknown | Stopped])
File not found -- -- (WdiSystemHost [Unknown | Running])
File not found -- -- (Windows Tribute Service [Disabled | Stopped])
[2007-10-25 15:27:54 | 00,266,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc [On_Demand | Stopped])
[2007-06-13 11:23:54 | 00,167,936 | ---- | M] (acer) -- C:\Acer\Empowering Technology\ePower\ePowerSvc.exe -- (WMIService [Auto | Running])
[2006-11-02 04:36:04 | 00,895,488 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc [On_Demand | Running])
[2006-11-02 04:34:46 | 00,287,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\SearchIndexer.exe -- (WSearch [Auto | Running])
[2006-08-05 08:39:20 | 00,386,560 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\System32\drivers\XAudio.exe -- (XAudioService [Auto | Running])

========== Driver Services ==========

outlawz28
Intermediate
Intermediate

Status :
Online
Offline

Posts : 84
Joined : 2008-11-19
OS : Windows Vista Home Premium
Points : 29649
# Likes : 0

View user profile

Back to top Go down

Solved Re: Please Help (Trojan Problem)

Post by outlawz28 on Thu Nov 20, 2008 12:31 am

[2006-11-02 01:51:38 | 00,420,968 | ---- | M] (Adaptec, Inc.) -- C:\Windows\System32\drivers\adp94xx.sys -- (adp94xx [Disabled | Stopped])
[2006-11-02 01:51:32 | 00,297,576 | ---- | M] (Adaptec, Inc.) -- C:\Windows\System32\drivers\adpahci.sys -- (adpahci [Disabled | Stopped])
[2006-11-02 01:50:35 | 00,098,408 | ---- | M] (Adaptec, Inc.) -- C:\Windows\System32\drivers\adpu160m.sys -- (adpu160m [Disabled | Stopped])
[2006-11-02 01:51:00 | 00,147,048 | ---- | M] (Adaptec, Inc.) -- C:\Windows\System32\drivers\adpu320.sys -- (adpu320 [Disabled | Stopped])
[2006-11-02 01:50:11 | 00,071,272 | ---- | M] (Adaptec, Inc.) -- C:\Windows\System32\drivers\djsvs.sys -- (aic78xx [Disabled | Stopped])
[2006-11-02 01:49:20 | 00,014,952 | ---- | M] (Acer Laboratories Inc.) -- C:\Windows\System32\drivers\aliide.sys -- (aliide [Disabled | Stopped])
[2006-11-02 01:49:59 | 00,054,888 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\AMDAGP.SYS -- (amdagp [On_Demand | Stopped])
[2006-11-02 01:49:26 | 00,015,464 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\amdide.sys -- (amdide [Disabled | Stopped])
[2006-11-02 00:30:18 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\amdk7.sys -- (AmdK7 [Disabled | Stopped])
[2006-11-02 00:30:18 | 00,040,960 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\amdk8.sys -- (AmdK8 [On_Demand | Running])
[2006-11-02 01:50:09 | 00,067,688 | ---- | M] (Adaptec, Inc.) -- C:\Windows\System32\drivers\arc.sys -- (arc [Disabled | Stopped])
[2006-11-02 01:50:10 | 00,067,688 | ---- | M] (Adaptec, Inc.) -- C:\Windows\System32\drivers\arcsas.sys -- (arcsas [Disabled | Stopped])
[2006-11-01 23:30:52 | 00,467,456 | ---- | M] (Atheros Communications, Inc.) -- C:\Windows\System32\drivers\athr.sys -- (athr [On_Demand | Stopped])
[2008-09-29 20:27:58 | 03,930,112 | ---- | M] (ATI Technologies Inc.) -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag [On_Demand | Running])
[2006-12-19 12:18:28 | 00,534,016 | ---- | M] (Broadcom Corporation) -- C:\Windows\System32\drivers\BCMWL6.SYS -- (BCM43XV [On_Demand | Stopped])
[2006-12-19 12:18:28 | 00,534,016 | ---- | M] (Broadcom Corporation) -- C:\Windows\System32\drivers\BCMWL6.SYS -- (BCM43XX [On_Demand | Running])
[2006-11-02 00:31:12 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\bowser.sys -- (bowser [On_Demand | Running])
[2006-11-02 00:24:45 | 00,013,568 | ---- | M] (Brother Industries, Ltd.) -- C:\Windows\System32\drivers\BrFiltLo.sys -- (BrFiltLo [On_Demand | Stopped])
[2006-11-02 00:24:46 | 00,005,248 | ---- | M] (Brother Industries, Ltd.) -- C:\Windows\System32\drivers\BrFiltUp.sys -- (BrFiltUp [On_Demand | Stopped])
[2006-11-02 00:25:24 | 00,071,808 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\System32\drivers\BrSerId.sys -- (Brserid [Disabled | Stopped])
[2006-11-02 00:24:44 | 00,062,336 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\System32\drivers\BrSerWdm.sys -- (BrSerWdm [Disabled | Stopped])
[2006-11-02 00:24:44 | 00,012,160 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\System32\drivers\BrUsbMdm.sys -- (BrUsbMdm [Disabled | Stopped])
[2006-11-02 00:24:47 | 00,011,904 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\System32\drivers\BrUsbSer.sys -- (BrUsbSer [On_Demand | Stopped])
[2006-11-02 00:55:23 | 00,039,936 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\bthmodem.sys -- (BTHMODEM [Disabled | Stopped])
[2006-11-02 00:55:08 | 00,035,328 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\circlass.sys -- (circlass [Disabled | Stopped])
[2008-02-13 03:09:29 | 00,224,824 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\clfs.sys -- (CLFS [Unknown | Running])
[2006-11-02 01:49:28 | 00,016,488 | ---- | M] (CMD Technology, Inc.) -- C:\Windows\System32\drivers\cmdide.sys -- (cmdide [Disabled | Stopped])
[2006-11-02 01:49:43 | 00,022,632 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\crcdisk.sys -- (crcdisk [Boot | Running])
[2006-11-02 00:30:18 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\crusoe.sys -- (Crusoe [Disabled | Stopped])
[2006-11-02 00:31:04 | 00,074,752 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\dfsc.sys -- (DfsC [System | Running])
[2006-11-02 21:29:38 | 00,021,264 | ---- | M] (Dritek System Inc.) -- C:\Windows\System32\drivers\DKbFltr.sys -- (DKbFltr [On_Demand | Running])
[2008-02-07 03:09:05 | 00,619,008 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\dxgkrnl.sys -- (DXGKrnl [On_Demand | Running])
[2006-11-01 23:30:54 | 00,117,760 | ---- | M] (Intel Corporation) -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60 [On_Demand | Stopped])
[2006-11-02 04:34:35 | 00,132,200 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\ecache.sys -- (Ecache [Boot | Running])
[2006-11-21 12:44:10 | 00,387,432 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl [System | Running])
[2006-11-02 01:51:34 | 00,316,520 | ---- | M] (Emulex) -- C:\Windows\System32\drivers\elxstor.sys -- (elxstor [Disabled | Stopped])
[2006-11-21 12:44:10 | 00,102,760 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv [On_Demand | Running])
[2006-11-02 01:49:58 | 00,056,424 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\fileinfo.sys -- (FileInfo [Boot | Running])
[2006-11-02 00:32:55 | 00,027,648 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\filetrace.sys -- (Filetrace [On_Demand | Stopped])
[2006-11-02 01:50:04 | 00,058,984 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\GAGP30KX.SYS -- (gagp30kx [On_Demand | Stopped])
[2008-01-29 11:01:28 | 00,016,168 | ---- | M] (GEAR Software Inc.) -- C:\Windows\System32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
[2006-11-01 23:36:49 | 00,235,520 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\HdAudio.sys -- (HdAudAddService [On_Demand | Stopped])
[2008-02-07 09:16:43 | 00,053,760 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\hdaudbus.sys -- (HDAudBus [On_Demand | Running])
[2006-11-02 00:55:22 | 00,029,184 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\hidbth.sys -- (HidBth [Disabled | Stopped])
[2006-11-02 00:55:01 | 00,021,504 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\hidir.sys -- (HidIr [Disabled | Stopped])
[2006-11-02 01:50:10 | 00,037,480 | ---- | M] (Hewlett-Packard Company) -- C:\Windows\System32\drivers\HpCISSs.sys -- (HpCISSs [Disabled | Stopped])
[2006-11-01 23:41:49 | 00,200,704 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\System32\drivers\VSTAZL3.SYS -- (HSFHWAZL [On_Demand | Stopped])
[2006-11-09 07:55:10 | 00,986,624 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\System32\drivers\HSX_DPV.sys -- (HSF_DPV [On_Demand | Running])
[2006-11-09 07:53:58 | 00,206,848 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\System32\drivers\HSXHWAZL.sys -- (HSXHWAZL [On_Demand | Running])
[2006-10-18 18:10:57 | 01,380,864 | ---- | M] (Intel Corporation) -- C:\Windows\System32\drivers\igdkmd32.sys -- (ialm [On_Demand | Stopped])
[2006-11-02 01:51:25 | 00,232,040 | ---- | M] (Intel Corporation) -- C:\Windows\System32\drivers\iaStorV.sys -- (iaStorV [Disabled | Stopped])
[2006-11-21 12:42:22 | 00,202,872 | ---- | M] (Symantec Corporation) -- C:\ProgramData\Symantec\Definitions\SymcData\idsdefs\20061025.029\IDSvix86.sys -- (IDSvix86 [On_Demand | Stopped])
[2006-11-02 01:50:17 | 00,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) -- C:\Windows\System32\drivers\iirsp.sys -- (iirsp [Disabled | Stopped])
[2006-12-07 18:12:02 | 00,076,584 | ---- | M] () -- C:\Acer\Empowering Technology\eRecovery\int15.sys -- (int15 [Auto | Running])
[2007-04-23 18:13:22 | 01,769,952 | ---- | M] (Realtek Semiconductor Corp.) -- C:\Windows\System32\drivers\RTKVHDA.sys -- (IntcAzAudAddService [On_Demand | Running])
[2006-11-02 00:42:03 | 00,065,536 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\IPMIDrv.sys -- (IPMIDRV [Disabled | Stopped])
[2006-11-02 01:51:12 | 00,168,552 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\msiscsi.sys -- (iScsiPrt [On_Demand | Running])

outlawz28
Intermediate
Intermediate

Status :
Online
Offline

Posts : 84
Joined : 2008-11-19
OS : Windows Vista Home Premium
Points : 29649
# Likes : 0

View user profile

Back to top Go down

Solved Re: Please Help (Trojan Problem)

Post by outlawz28 on Thu Nov 20, 2008 12:32 am

[2006-11-02 01:50:07 | 00,035,944 | ---- | M] (Integrated Technology Express, Inc.) -- C:\Windows\System32\drivers\iteatapi.sys -- (iteatapi [Disabled | Stopped])
[2006-11-02 01:50:09 | 00,035,944 | ---- | M] (Integrated Technology Express, Inc.) -- C:\Windows\System32\drivers\iteraid.sys -- (iteraid [Disabled | Stopped])
[2006-11-02 00:51:12 | 00,015,872 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\kbdhid.sys -- (kbdhid [Disabled | Stopped])
[2006-11-02 00:56:49 | 00,047,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\lltdio.sys -- (lltdio [Auto | Running])
[2006-11-02 01:50:04 | 00,065,640 | ---- | M] (LSI Logic) -- C:\Windows\System32\drivers\lsi_fc.sys -- (LSI_FC [Disabled | Stopped])
[2006-11-02 01:50:05 | 00,065,640 | ---- | M] (LSI Logic) -- C:\Windows\System32\drivers\lsi_sas.sys -- (LSI_SAS [Disabled | Stopped])
[2006-11-02 01:50:10 | 00,065,640 | ---- | M] (LSI Logic) -- C:\Windows\System32\drivers\lsi_scsi.sys -- (LSI_SCSI [Disabled | Stopped])
[2006-11-02 00:33:07 | 00,083,456 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\luafv.sys -- (luafv [Auto | Running])
[2006-06-20 05:26:58 | 00,012,672 | ---- | M] (Conexant) -- C:\Windows\System32\drivers\mdmxsdk.sys -- (mdmxsdk [Auto | Running])
[2006-11-02 01:49:53 | 00,028,776 | ---- | M] (LSI Logic Corporation) -- C:\Windows\System32\drivers\megasas.sys -- (megasas [Disabled | Stopped])
[2007-12-16 01:56:45 | 00,041,984 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\monitor.sys -- (monitor [On_Demand | Running])
[2006-11-02 01:50:16 | 00,078,952 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\mpio.sys -- (mpio [Disabled | Stopped])
[2008-02-07 09:15:53 | 00,063,488 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\mpsdrv.sys -- (mpsdrv [On_Demand | Running])
[2006-11-02 01:49:59 | 00,033,384 | ---- | M] (LSI Logic Corporation) -- C:\Windows\System32\drivers\Mraid35x.sys -- (Mraid35x [Disabled | Stopped])
[2008-08-25 17:11:59 | 00,211,456 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\mrxsmb10.sys -- (mrxsmb10 [On_Demand | Running])
[2008-02-06 18:21:32 | 00,058,368 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\mrxsmb20.sys -- (mrxsmb20 [On_Demand | Running])
[2006-11-02 01:49:44 | 00,023,144 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\msahci.sys -- (msahci [Disabled | Stopped])
[2006-11-02 01:50:17 | 00,080,488 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\msdsm.sys -- (msdsm [Disabled | Stopped])
[2007-05-02 19:54:26 | 00,013,928 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\msisadrv.sys -- (msisadrv [Boot | Running])
[2006-11-02 01:51:09 | 00,160,872 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\msrpc.sys -- (MsRPC [On_Demand | Stopped])
[2008-02-13 03:05:40 | 00,154,624 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\nwifi.sys -- (NativeWifiP [On_Demand | Running])
[2006-11-21 12:44:12 | 00,079,240 | ---- | M] (Symantec Corporation) -- C:\ProgramData\Symantec\Definitions\VirusDefs\20061106.064\NAVENG.SYS -- (NAVENG [On_Demand | Running])
[2006-11-21 12:44:14 | 00,831,880 | ---- | M] (Symantec Corporation) -- C:\ProgramData\Symantec\Definitions\VirusDefs\20061106.064\NAVEX15.SYS -- (NAVEX15 [On_Demand | Running])
[2008-11-18 09:16:07 | 00,029,192 | ---- | M] () -- C:\Windows\System32\drivers\ndisprot.sys -- (Ndisprot [On_Demand | Stopped])
[2006-11-02 01:50:19 | 00,045,160 | ---- | M] (IBM Corporation) -- C:\Windows\System32\drivers\nfrd960.sys -- (nfrd960 [Disabled | Stopped])
[2006-11-02 00:57:06 | 00,030,720 | ---- | M] (National Semiconductor Corporation) -- C:\Windows\System32\drivers\nscirda.sys -- (NSCIRDA [On_Demand | Running])
[2006-11-02 00:57:30 | 00,016,384 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\nsiproxy.sys -- (nsiproxy [System | Running])
[2007-05-04 14:05:04 | 00,006,144 | ---- | M] (NewTech Infosystems, Inc.) -- C:\Windows\System32\drivers\NTIDrvr.sys -- (NTIDrvr [On_Demand | Running])
[2006-11-01 23:36:50 | 00,020,608 | ---- | M] (N-trig Innovative Technologies) -- C:\Windows\System32\drivers\ntrigdigi.sys -- (ntrigdigi [Disabled | Stopped])
[2006-11-02 01:50:24 | 00,088,680 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\drivers\nvraid.sys -- (nvraid [Disabled | Stopped])
[2006-11-02 01:50:13 | 00,040,040 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\drivers\nvstor.sys -- (nvstor [Disabled | Stopped])
[2006-11-02 01:50:40 | 00,106,600 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\NV_AGP.SYS -- (nv_agp [On_Demand | Stopped])
[2007-04-03 09:04:28 | 00,039,680 | ---- | M] (O2Micro ) -- C:\Windows\System32\drivers\o2media.sys -- (O2MDRDR [Boot | Running])
[2007-04-02 15:11:08 | 00,035,712 | ---- | M] (O2Micro ) -- C:\Windows\System32\drivers\o2sd.sys -- (O2SDRDR [Boot | Running])
[2006-11-02 01:04:35 | 00,878,080 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\PEAuth.sys -- (PEAUTH [Auto | Running])
[2008-02-07 03:09:06 | 00,070,144 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\pacer.sys -- (PSched [System | Running])
[2007-04-12 17:43:24 | 00,020,264 | ---- | M] (HiTRUST) -- C:\Windows\System32\drivers\psdfilter.sys -- (PSDFilter [Boot | Running])
[2007-04-12 17:43:30 | 00,016,680 | ---- | M] (HiTRUST) -- C:\Windows\System32\drivers\PSDNServ.sys -- (PSDNServ [Boot | Running])
[2007-04-12 17:43:28 | 00,060,712 | ---- | M] (HiTRUST) -- C:\Windows\System32\drivers\psdvdisk.sys -- (psdvdisk [Boot | Running])
[2006-11-02 01:51:45 | 00,900,712 | ---- | M] (QLogic Corporation) -- C:\Windows\System32\drivers\ql2300.sys -- (ql2300 [Disabled | Stopped])
[2006-11-02 01:50:35 | 00,106,088 | ---- | M] (QLogic Corporation) -- C:\Windows\System32\drivers\ql40xx.sys -- (ql40xx [Disabled | Stopped])
[2006-11-02 04:34:31 | 00,031,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\qwavedrv.sys -- (QWAVEdrv [On_Demand | Stopped])
[2006-11-02 01:02:01 | 00,006,144 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\RDPENCDD.sys -- (RDPENCDD [System | Running])
[2008-11-18 09:19:04 | 00,005,760 | ---- | M] () -- C:\Windows\System32\drivers\restore.sys -- (restore [On_Demand | Stopped])
[2006-11-02 00:56:49 | 00,060,416 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\rspndr.sys -- (rspndr [Auto | Running])
[2006-11-01 23:30:56 | 00,044,544 | ---- | M] (Realtek Corporation) -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169 [On_Demand | Stopped])
[2006-11-02 01:50:16 | 00,076,392 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\sbp2port.sys -- (sbp2port [Disabled | Stopped])
[2008-07-06 23:40:49 | 00,056,108 | ---- | M] (PowerISO Computing, Inc.) -- C:\Windows\System32\drivers\scdemu.sys -- (SCDEmu [System | Running])
[2006-11-02 00:35:12 | 00,082,432 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\sdbus.sys -- (sdbus [Disabled | Stopped])
[2006-11-01 22:37:21 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\Windows\System32\drivers\secdrv.sys -- (secdrv [Auto | Running])
[2008-02-13 03:09:25 | 00,019,968 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\sermouse.sys -- (sermouse [Disabled | Stopped])
[2008-02-07 09:16:31 | 00,013,312 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\sffdisk.sys -- (sffdisk [Disabled | Stopped])
[2008-02-07 09:16:31 | 00,012,800 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\sffp_mmc.sys -- (sffp_mmc [On_Demand | Stopped])
[2008-02-07 09:16:31 | 00,012,800 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\sffp_sd.sys -- (sffp_sd [On_Demand | Stopped])
[2006-11-02 01:49:51 | 00,053,352 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\SISAGP.SYS -- (sisagp [On_Demand | Stopped])
[2006-11-02 01:50:10 | 00,038,504 | ---- | M] (Silicon Integrated Systems Corp.) -- C:\Windows\System32\drivers\sisraid2.sys -- (SiSRaid2 [Disabled | Stopped])
[2006-11-02 01:50:16 | 00,071,784 | ---- | M] (Silicon Integrated Systems) -- C:\Windows\System32\drivers\sisraid4.sys -- (SiSRaid4 [Disabled | Stopped])
[2006-11-02 00:57:10 | 00,066,048 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\smb.sys -- (Smb [System | Running])
[2007-06-12 10:38:26 | 01,729,152 | ---- | M] () -- C:\Windows\System32\drivers\snp2uvc.sys -- (SNP2UVC [On_Demand | Running])
[2006-11-21 12:45:36 | 00,406,672 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv [On_Demand | Stopped])
[2006-11-02 01:49:35 | 00,018,536 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\spldr.sys -- (spldr [Boot | Running])
[2008-02-18 19:49:23 | 00,716,272 | ---- | M] () -- C:\Windows\System32\drivers\sptd.sys -- (sptd [Boot | Running])
[2006-11-21 12:45:42 | 00,245,880 | ---- | M] (Symantec Corporation) -- C:\Windows\System32\drivers\srtsp.sys -- (SRTSP [On_Demand | Running])
[2006-11-21 12:45:42 | 00,275,576 | ---- | M] (Symantec Corporation) -- C:\Windows\System32\drivers\srtspl.sys -- (SRTSPL [On_Demand | Stopped])
[2006-11-21 12:45:42 | 00,024,184 | ---- | M] (Symantec Corporation) -- C:\Windows\System32\drivers\srtspx.sys -- (SRTSPX [System | Running])
[2008-02-06 18:21:32 | 00,130,048 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\srv2.sys -- (srv2 [On_Demand | Running])
[2008-02-06 18:21:32 | 00,084,992 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\srvnet.sys -- (srvnet [On_Demand | Running])
[2006-11-02 01:50:05 | 00,035,944 | ---- | M] (LSI Logic) -- C:\Windows\System32\drivers\symc8xx.sys -- (Symc8xx [Disabled | Stopped])
[2007-05-04 14:10:02 | 00,109,744 | ---- | M] (Symantec Corporation) -- C:\Windows\System32\drivers\SYMEVENT.SYS -- (SymEvent [On_Demand | Running])
[2006-11-21 12:45:52 | 00,026,384 | ---- | M] (Symantec Corporation) -- C:\Windows\System32\drivers\symredrv.sys -- (SYMREDRV [On_Demand | Running])
[2006-11-21 12:45:52 | 00,185,744 | ---- | M] (Symantec Corporation) -- C:\Windows\System32\drivers\symtdi.sys -- (SYMTDI [System | Running])
[2006-11-02 01:49:56 | 00,031,848 | ---- | M] (LSI Logic) -- C:\Windows\System32\drivers\sym_hi.sys -- (Sym_hi [Disabled | Stopped])
[2006-11-02 01:50:03 | 00,034,920 | ---- | M] (LSI Logic) -- C:\Windows\System32\drivers\sym_u3.sys -- (Sym_u3 [Disabled | Stopped])
[2006-10-23 11:17:32 | 00,179,896 | ---- | M] (Synaptics, Inc.) -- C:\Windows\System32\drivers\SynTP.sys -- (SynTP [On_Demand | Running])
[2006-11-02 00:57:47 | 00,027,648 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\tcpipreg.sys -- (tcpipreg [Auto | Running])
[2006-11-02 00:57:35 | 00,068,096 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\tdx.sys -- (tdx [System | Running])
[2006-11-02 01:02:07 | 00,023,552 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\tssecsrv.sys -- (tssecsrv [On_Demand | Running])
[2008-02-07 09:15:52 | 00,015,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\TUNMP.SYS -- (tunmp [On_Demand | Running])
[2008-02-07 09:15:52 | 00,023,040 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\tunnel.sys -- (tunnel [On_Demand | Running])
[2006-11-02 01:49:59 | 00,056,936 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\UAGP35.SYS -- (uagp35 [On_Demand | Stopped])
[2006-11-02 01:50:04 | 00,058,472 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\ULIAGPKX.SYS -- (uliagpkx [On_Demand | Stopped])
[2006-11-02 01:51:25 | 00,235,112 | ---- | M] (ULi Electronics Inc.) -- C:\Windows\System32\drivers\uliahci.sys -- (uliahci [Disabled | Stopped])
[2006-11-02 01:50:35 | 00,098,408 | ---- | M] (Promise Technology, Inc.) -- C:\Windows\System32\drivers\ulsata.sys -- (UlSata [Disabled | Stopped])
[2006-11-02 01:50:45 | 00,115,816 | ---- | M] (Promise Technology, Inc.) -- C:\Windows\System32\drivers\ulsata2.sys -- (ulsata2 [Disabled | Stopped])
[2006-11-02 00:55:24 | 00,034,816 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\umbus.sys -- (umbus [On_Demand | Running])
[2006-11-02 00:55:22 | 00,007,168 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\umpass.sys -- (UMPass [On_Demand | Stopped])
[2008-02-18 10:16:24 | 00,030,464 | ---- | M] (Apple, Inc.) -- C:\Windows\System32\drivers\usbaapl.sys -- (USBAAPL [On_Demand | Stopped])
[2006-11-02 00:55:09 | 00,068,608 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\usbcir.sys -- (usbcir [Disabled | Stopped])
[2006-11-02 00:55:20 | 00,132,352 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\usbvideo.sys -- (usbvideo [On_Demand | Stopped])
[2006-11-02 00:57:48 | 00,014,848 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\usb8023x.sys -- (usb_rndisx [On_Demand | Stopped])
[2006-11-02 00:53:56 | 00,026,112 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\vgapnp.sys -- (vga [On_Demand | Stopped])
[2006-11-02 00:30:19 | 00,039,424 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\viac7.sys -- (ViaC7 [Disabled | Stopped])
[2006-11-02 01:49:30 | 00,017,512 | ---- | M] (VIA Technologies, Inc.) -- C:\Windows\System32\drivers\viaide.sys -- (viaide [Disabled | Stopped])
[2007-05-02 19:54:26 | 00,050,280 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\volmgr.sys -- (volmgr [Boot | Running])
[2006-11-02 01:51:30 | 00,290,408 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\volmgrx.sys -- (volmgrx [Boot | Running])
[2006-11-02 01:50:41 | 00,112,232 | ---- | M] (VIA Technologies Inc.,Ltd) -- C:\Windows\System32\drivers\vsmraid.sys -- (vsmraid [Disabled | Stopped])
[2006-11-02 00:52:52 | 00,020,608 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\wacompen.sys -- (WacomPen [Disabled | Stopped])
[2006-11-02 01:49:38 | 00,019,560 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\wd.sys -- (Wd [Disabled | Stopped])
[2008-02-13 03:09:26 | 00,495,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\Wdf01000.sys -- (Wdf01000 [Boot | Running])
[2006-11-09 07:53:48 | 00,659,968 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\System32\drivers\HSX_CNXT.sys -- (winachsf [On_Demand | Running])
[2008-02-07 03:08:43 | 00,011,264 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\wmiacpi.sys -- (WmiAcpi [On_Demand | Running])
[2006-11-02 00:58:26 | 00,015,872 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\ws2ifsl.sys -- (ws2ifsl [Disabled | Stopped])
[2006-08-05 08:39:10 | 00,008,192 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio [Auto | Running])
[2007-12-06 09:51:00 | 00,298,496 | ---- | M] (Marvell) -- C:\Windows\System32\drivers\yk60x86.sys -- (yukonwlh [On_Demand | Stopped])
[2006-11-02 16:51:58 | 00,013,560 | ---- | M] (Cyberlink Corp.) -- C:\Program Files\CyberLink\PowerDVD\000.fcl -- ({95808DC4-FA4A-4c74-92FE-5B863F82066B} [Auto | Running])

========== (R ) Internet Explorer ==========

outlawz28
Intermediate
Intermediate

Status :
Online
Offline

Posts : 84
Joined : 2008-11-19
OS : Windows Vista Home Premium
Points : 29649
# Likes : 0

View user profile

Back to top Go down

Solved Re: Please Help (Trojan Problem)

Post by outlawz28 on Thu Nov 20, 2008 12:33 am

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://en.us.acer.yahoo.com
"Default_Search_URL"=http://go.microsoft.com/fwlink/?LinkId=54896
"Default_Secondary_Page_URL"=
"Extensions Off Page"=about:NoAdd-ons
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://go.microsoft.com/fwlink/?LinkId=54896
"Security Risk Page"=about:SecurityRisk
"Start Page"=http://en.us.acer.yahoo.com

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\Windows\system32\blank.htm
"Search Page"=http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
"Start Page"=http://www.google.ca/
"StartPageCache"=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
""=http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\Windows\System32\ieframe.dll (Microsoft Corporation)
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
"ProxyOverride" = *.local

========== (O1) Hosts File ==========

HOSTS File = (942 bytes) - C:\Windows\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost
::1 localhost
127.0.0.1 [You must be registered and logged in to see this link.]
127.0.0.1 [You must be registered and logged in to see this link.]
127.0.0.1 [You must be registered and logged in to see this link.]
127.0.0.1 [You must be registered and logged in to see this link.]
127.0.0.1 mininova.org
127.0.0.1 mininova.com
127.0.0.1 thepiratebay.org
127.0.0.1 suprbay.org

========== (O3) Toolbars ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{5CBE3B7C-1E47-477e-A7DD-396DB0476E29}" (HKLM) -- C:\Windows\System32\eDStoolbar.dll (HiTRUST)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{90222687-F593-4738-B738-FBEE9C7B26DF}" (HKLM) -- c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll (Symantec Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
"{5CBE3B7C-1E47-477E-A7DD-396DB0476E29}" (HKLM) -- C:\Windows\System32\eDStoolbar.dll (HiTRUST)

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acer Assist Launcher"=C:\Program Files\Acer Assist\launcher.exe ()
"Acer Product Registration"="C:\Program Files\Acer Registration\ACE1.exe" /startup (Leader Technologies)
"Acer Tour"= File not found
"Acer Tour Reminder"=C:\Acer\AcerTour\Reminder.exe (Acer Inc.)
"Adobe Reader Speed Launcher"="c:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" (Symantec Corporation)
"eDataSecurity Loader"=C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe (HiTRUST)
"eRecoveryService"= File not found
"IS CfgWiz"="c:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\cltUIStb.exe" /MODULE CfgWiz /GUID {BC8D3EAF-F864-4d4b-AB4D-B3D0C32E2840} /MODE CfgWiz /CMDLINE "REBOOT" (Symantec Corporation)
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" ()
"LManager"=C:\PROGRA~1\LAUNCH~1\LManager.exe (Dritek System Inc.)
"MSConfig"="C:\Windows\system32\msconfig.exe" /auto (Microsoft Corporation)
"osCheck"="c:\Program Files\Norton Internet Security\osCheck.exe" (Symantec Corporation)
"PLFSet"=rundll32.exe C:\Windows\PLFSet.dll,PLFDefSetting ( )
"PWRISOVM.EXE"=C:\Program Files\PowerISO\PWRISOVM.EXE (PowerISO Computing, Inc.)
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" (Cyberlink Corp.)
"RtHDVCpl"=RtHDVCpl.exe (Realtek Semiconductor)
"Skytel"=Skytel.exe (Realtek Semiconductor Corp.)
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" (Sun Microsystems, Inc.)
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" ()
"Windows Defender"=%ProgramFiles%\Windows Defender\MSASCui.exe -hide (Microsoft Corporation)
"Windows Mobile Device Center"=%windir%\WindowsMobile\wmdc.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acer Tour Reminder"=C:\Acer\AcerTour\Reminder.exe (Acer Inc.)
"ehTray.exe"=C:\Windows\ehome\ehTray.exe (Microsoft Corporation)
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background (Microsoft Corporation)
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (Microsoft Corporation)
"StartCCC"=C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe File not found
"UIWatcher"=C:\Program Files\Ashampoo\Ashampoo UnInstaller 3\UIWatcher.exe File not found
"WindowsWelcomeCenter"=rundll32.exe oobefldr.dll,ShowWelcomeCenter (Microsoft Corporation)
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe (Microsoft Corporation)

========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"ConsentPromptBehaviorAdmin"=2
"ConsentPromptBehaviorUser"=1
"EnableInstallerDetection"=1
"EnableLUA"=1
"EnableSecureUIAPaths"=1
"EnableVirtualization"=1
"PromptOnSecureDesktop"=1
"ValidateAdminCodeSignatures"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"scforceoption"=0
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"FilterAdministratorToken"=0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats]
"CF_TEXT"=1
"CF_BITMAP"=2
"CF_OEMTEXT"=7
"CF_DIB"=8
"CF_PALETTE"=9
"CF_UNICODETEXT"=13
"CF_DIBV5"=17

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoFolderOptions"=1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableRegistryTools"=0

========== (O8) IE Context Menu Extensions ==========

outlawz28
Intermediate
Intermediate

Status :
Online
Offline

Posts : 84
Joined : 2008-11-19
OS : Windows Vista Home Premium
Points : 29649
# Likes : 0

View user profile

Back to top Go down

Solved Re: Please Help (Trojan Problem)

Post by outlawz28 on Thu Nov 20, 2008 12:33 am

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\]
&D&ownload &with BitComet: C:\Program Files\BitComet\BitComet.exe [2008-01-31 23:20:14 | 02,194,744 | ---- | M] ([You must be registered and logged in to see this link.]
&D&ownload all video with BitComet: C:\Program Files\BitComet\BitComet.exe [2008-01-31 23:20:14 | 02,194,744 | ---- | M] ([You must be registered and logged in to see this link.]
&D&ownload all with BitComet: C:\Program Files\BitComet\BitComet.exe [2008-01-31 23:20:14 | 02,194,744 | ---- | M] ([You must be registered and logged in to see this link.]
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2008-08-04 15:12:50 | 10,354,176 | ---- | M] (Microsoft Corporation)

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}: Button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 -- %SystemRoot%\WindowsMobile\INetRepl.dll [2007-05-31 08:21:16 | 00,176,520 | ---- | M] (Microsoft Corporation)
{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}: Menu: @C:\Windows\WindowsMobile\INetRepl.dll,-223 -- %SystemRoot%\WindowsMobile\INetRepl.dll [2007-05-31 08:21:16 | 00,176,520 | ---- | M] (Microsoft Corporation)
{92780B25-18CC-41C8-B9BE-3C9C571A8263}: Button: Research -- %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [2007-04-19 13:10:18 | 00,063,840 | ---- | M] (Microsoft Corporation)
{D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A}: Button: BitComet -- %ProgramFiles%\BitComet\tools\BitCometBHO_1.2.1.2.dll [2008-01-25 02:06:28 | 00,496,952 | ---- | M] (BitComet)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = [You must be registered and logged in to see this link.]
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{20A60F0D-9AFA-4515-A0FD-83BD84642501}: [You must be registered and logged in to see this link.] -- Checkers Class
{4F1E5B1A-2A80-42CA-8532-2D05CB959537}: [You must be registered and logged in to see this link.] -- MSN Photo Upload Tool
{8AD9C840-044E-11D1-B3E9-00805F499D93}: [You must be registered and logged in to see this link.] -- Java Plug-in 1.6.0_04
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}: [You must be registered and logged in to see this link.] -- Reg Error: Key does not exist or could not be opened.
{C3F79A2B-B9B4-4A66-B012-3EE46475B072}: [You must be registered and logged in to see this link.] -- MessengerStatsClient Class
{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}: [You must be registered and logged in to see this link.] -- Java Plug-in 1.6.0_04
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}: [You must be registered and logged in to see this link.] -- Java Plug-in 1.6.0_04

========== (O17) DNS Name Servers ==========

{3094503E-9C51-454F-9130-0F1F488D86F5} (Servers: | Description: Microsoft Windows Mobile Remote Adapter)
{CB1DD564-091C-494F-B075-D0E8F65421BF} (Servers: | Description: Broadcom 802.11g Network Adapter)

========== Shell Execute Hooks ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{A2587760-63ED-4EF5-B30D-A7C5B53EE597}" (HKLM) -- C:\Windows\system32\opnkkIAQ.dll File not found

========== HKLM *SecurityProviders* ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"=credssp.dll
>[2006-11-02 01:46:03 | 00,015,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\credssp.dll

========== LSA *Security Packages* ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Security Packages"=kerberos,msv1_0,schannel,wdigest,tspkg,
>[2006-11-02 01:46:13 | 00,061,440 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\TSpkg.dll

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

autoexec.bat [REM Dummy file for NTVDM | ]
[2006-09-18 13:43:36 | 00,000,024 | ---- | M] () -- C:\autoexec.bat -- [ NTFS ]

autorun.inf [[autorun] | shellexecute="resycled\boot.com c:" | shell\Open\command="resycled\boot.com c:" | shell=Open | ]
[2008-11-18 09:15:57 | 00,000,103 | RHS- | M] () -- C:\autorun.inf -- [ NTFS ]

autorun.inf [[autorun] | shellexecute="resycled\boot.com d:" | shell\Open\command="resycled\boot.com d:" | shell=Open | ]
[2008-11-18 09:15:57 | 00,000,103 | RHS- | M] () -- D:\autorun.inf -- [ NTFS ]


========== MountPoints2 ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{77496956-7526-11dd-a088-0016d3ef9634}\Shell\AutoRun\command]
""=1nkbd8h.bat


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{77496956-7526-11dd-a088-0016d3ef9634}\Shell\explore\Command]
""=1nkbd8h.bat


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{77496956-7526-11dd-a088-0016d3ef9634}\Shell\open\Command]
""=1nkbd8h.bat

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\Shell]
""=AutoRun


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\Shell\AutoRun\command]
""=F:\setup.exe -- File not found

outlawz28
Intermediate
Intermediate

Status :
Online
Offline

Posts : 84
Joined : 2008-11-19
OS : Windows Vista Home Premium
Points : 29649
# Likes : 0

View user profile

Back to top Go down

Solved Re: Please Help (Trojan Problem)

Post by outlawz28 on Thu Nov 20, 2008 12:33 am

========== Files/Folders - Created Within 30 Days ==========

[2008-11-19 16:12:38 | 01,701,519 | -H-- | C] () -- C:\Users\Sunny\AppData\Local\IconCache.db
[2008-11-19 16:03:06 | 00,000,000 | ---D | C] -- C:\Users\Sunny\Desktop\New Folder
[2008-11-19 16:02:25 | 21,455,01184 | -HS- | C] () -- C:\hiberfil.sys
[2008-11-18 21:53:45 | 00,000,000 | ---D | C] -- C:\CombO-fIx.exe
[2008-11-18 21:53:39 | 00,320,000 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\CF6930.exe
[2008-11-18 21:49:38 | 00,000,000 | ---D | C] -- C:\Avenger
[2008-11-18 21:43:22 | 00,731,136 | ---- | C] () -- C:\Users\Sunny\Desktop\avenger.exe
[2008-11-18 18:40:49 | 00,320,000 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\CF2020.exe
[2008-11-18 18:26:35 | 00,320,000 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\CF31999.exe
[2008-11-18 18:22:41 | 00,320,000 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\CF31166.exe
[2008-11-18 18:14:22 | 00,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2008-11-18 18:14:22 | 00,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2008-11-18 18:14:22 | 00,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2008-11-18 18:14:22 | 00,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2008-11-18 18:14:22 | 00,089,504 | ---- | C] (Smallfrogs Studio) -- C:\Windows\fdsv.exe
[2008-11-18 18:14:22 | 00,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2008-11-18 18:14:22 | 00,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2008-11-18 18:14:22 | 00,049,152 | ---- | C] () -- C:\Windows\VFIND.exe
[2008-11-18 18:14:22 | 00,028,672 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2008-11-18 18:14:11 | 00,320,000 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\CF29573.exe
[2008-11-18 18:13:26 | 00,320,000 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\CF29426.exe
[2008-11-18 18:13:25 | 00,031,744 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\swsc.exe
[2008-11-18 18:09:52 | 00,000,000 | ---D | C] -- C:\Windows\ERDNT
[2008-11-18 18:09:52 | 00,000,000 | ---D | C] -- C:\Qoobox
[2008-11-18 17:07:24 | 00,002,560 | ---- | C] (BitComet) -- C:\Windows\System32\bitcometres.dll
[2008-11-18 09:20:35 | 00,000,000 | ---D | C] -- C:\Windows\Minidump
[2008-11-18 09:20:06 | 15,636,9191 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2008-11-18 09:19:04 | 00,005,760 | ---- | C] () -- C:\Windows\System32\drivers\restore.sys
[2008-11-18 09:17:31 | 00,103,428 | ---- | C] () -- C:\Windows\System32\msxml71.dll
[2008-11-18 09:17:23 | 00,002,348 | ---- | C] () -- C:\Windows\System32\TDSSwfdm.dll
[2008-11-18 09:17:22 | 00,073,728 | ---- | C] () -- C:\Windows\System32\TDSSujov.dll
[2008-11-18 09:17:21 | 00,031,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\TDSSpfpe.dll
[2008-11-18 09:17:20 | 00,029,696 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\TDSSxrei.dll
[2008-11-18 09:17:20 | 00,000,000 | ---- | C] () -- C:\Windows\System32\cmdl.lock
[2008-11-18 09:17:19 | 00,068,698 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\cmdl.exe
[2008-11-18 09:17:19 | 00,003,306 | ---- | C] () -- C:\Windows\System32\cnf.dat
[2008-11-18 09:17:18 | 00,000,527 | ---- | C] () -- C:\Windows\System32\TDSSxcrd.dat
[2008-11-18 09:17:16 | 00,035,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\TDSSwrhm.dll
[2008-11-18 09:17:15 | 00,000,000 | RHSD | C] -- C:\RECYCLER
[2008-11-18 09:17:11 | 00,104,448 | ---- | C] () -- C:\ggfxrw.exe
[2008-11-18 09:17:07 | 00,023,040 | ---- | C] () -- C:\Windows\System32\fklame32.dll
[2008-11-18 09:17:05 | 00,000,705 | ---- | C] () -- C:\cxcnowy.exe
[2008-11-18 09:17:04 | 00,000,002 | ---- | C] () -- C:\715660275
[2008-11-18 09:16:57 | 00,037,376 | ---- | C] () -- C:\Windows\System32\yayvTlKC.dll
[2008-11-18 09:16:07 | 00,029,192 | ---- | C] () -- C:\Windows\System32\drivers\ndisprot.sys
[2008-11-18 09:15:57 | 00,000,103 | RHS- | C] () -- C:\autorun.inf
[2008-11-18 09:15:57 | 00,000,000 | RHSD | C] -- C:\resycled
[2008-11-18 09:15:39 | 00,000,000 | ---D | C] -- C:\Program Files\homeview
[2008-11-18 09:15:31 | 00,000,000 | ---D | C] -- C:\Windows\HDTVXviD Codec
[2008-11-16 22:34:30 | 00,428,603 | ---- | C] () -- C:\Users\Sunny\Documents\09f1500011.jpg
[2008-11-16 22:34:25 | 00,418,491 | ---- | C] () -- C:\Users\Sunny\Documents\09f1500021.jpg
[2008-11-16 22:34:21 | 00,422,718 | ---- | C] () -- C:\Users\Sunny\Documents\09f1500041.jpg
[2008-11-16 13:18:42 | 00,019,968 | ---- | C] () -- C:\Users\Sunny\Documents\87101 Order Number.doc
[2008-11-12 22:37:46 | 00,026,825 | ---- | C] () -- C:\Users\Sunny\Documents\DSC_0307.JPG
[2008-11-12 01:00:59 | 01,341,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msxml6.dll
[2008-11-12 01:00:59 | 00,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msxml6r.dll
[2008-11-12 01:00:54 | 01,194,496 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msxml3.dll
[2008-11-12 01:00:54 | 00,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msxml3r.dll
[2008-11-12 01:00:50 | 00,211,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\mrxsmb10.sys
[2008-11-12 00:44:45 | 00,041,830 | ---- | C] () -- C:\Users\Sunny\Documents\n524280083_4736585_6859.jpg
[2008-11-08 19:40:46 | 00,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2008-11-08 19:35:52 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2008-11-03 15:29:28 | 00,078,235 | ---- | C] () -- C:\Users\Sunny\Documents\Kim-Kardashian_3vkr-actressblogs-1.jpg
[2008-10-31 14:17:02 | 01,244,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mcmde.dll
[2008-10-31 14:17:02 | 00,428,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\EncDec.dll
[2008-10-31 14:17:02 | 00,292,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\psisdecd.dll
[2008-10-31 14:17:02 | 00,217,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\psisrndr.ax
[2008-10-31 14:17:01 | 00,177,152 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mpg2splt.ax
[2008-10-31 14:17:01 | 00,080,896 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MSNP.ax
[2008-10-31 14:17:01 | 00,068,608 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\Mpeg2Data.ax
[2008-10-31 14:17:01 | 00,057,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MSDvbNP.ax
[2008-10-30 16:15:40 | 00,441,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32spl.dll
[2008-10-30 16:15:40 | 00,037,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\printcom.dll
[2008-10-23 20:52:30 | 00,001,800 | ---- | C] () -- C:\Users\Public\Desktop\Easy CD-DA Extractor.lnk
[2008-10-23 20:52:28 | 00,000,000 | ---D | C] -- C:\Windows\Easy CD-DA Extractor 11.5.3
[2008-10-23 20:52:27 | 00,000,000 | ---D | C] -- C:\Program Files\Easy CD-DA Extractor 11
[2008-10-23 18:24:32 | 00,425,472 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\netapi32.dll
[2008-10-22 14:53:31 | 00,000,967 | ---- | C] () -- C:\Users\Public\Desktop\POWERPNT - Shortcut.lnk
[2008-10-22 14:52:56 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft ActiveSync
[2008-10-21 22:17:26 | 00,001,061 | ---- | C] () -- C:\Users\Sunny\Desktop\Revo Uninstaller.lnk
[2008-10-21 22:17:26 | 00,000,000 | ---D | C] -- C:\Program Files\VS Revo Group
[2008-10-21 22:13:13 | 00,000,000 | ---D | C] -- C:\ProgramData\Ashampoo
[2008-10-21 21:57:56 | 00,000,000 | ---D | C] -- C:\Users\Sunny\AppData\Local\Seven Zip
[2008-10-21 21:55:11 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft Visual Studio
[2008-10-21 21:54:57 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft Works

========== Files - Modified Within 30 Days ==========

[2008-11-19 16:14:49 | 00,003,472 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2008-11-19 16:14:49 | 00,003,472 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2008-11-19 16:14:40 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2008-11-19 16:14:26 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2008-11-19 16:14:20 | 21,455,01184 | -HS- | M] () -- C:\hiberfil.sys
[2008-11-19 16:14:16 | 15,636,9191 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2008-11-19 16:12:38 | 01,701,519 | -H-- | M] () -- C:\Users\Sunny\AppData\Local\IconCache.db
[2008-11-19 16:09:06 | 00,002,348 | ---- | M] () -- C:\Windows\System32\TDSSwfdm.dll
[2008-11-18 21:53:03 | 00,320,000 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\CF6930.exe
[2008-11-18 18:45:20 | 00,073,728 | ---- | M] () -- C:\Windows\System32\TDSSujov.dll
[2008-11-18 18:45:15 | 00,031,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\TDSSpfpe.dll
[2008-11-18 18:45:13 | 00,029,696 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\TDSSxrei.dll
[2008-11-18 18:45:10 | 00,035,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\TDSSwrhm.dll
[2008-11-18 18:45:05 | 00,000,527 | ---- | M] () -- C:\Windows\System32\TDSSxcrd.dat
[2008-11-18 18:40:45 | 00,320,000 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\CF2020.exe
[2008-11-18 18:26:30 | 00,320,000 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\CF31999.exe
[2008-11-18 18:22:15 | 00,320,000 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\CF31166.exe
[2008-11-18 18:14:07 | 00,320,000 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\CF29573.exe
[2008-11-18 18:13:22 | 00,320,000 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\CF29426.exe
[2008-11-18 17:17:08 | 00,001,356 | ---- | M] () -- C:\Users\Sunny\AppData\Local\d3d9caps.dat
[2008-11-18 17:07:24 | 00,002,560 | ---- | M] (BitComet) -- C:\Windows\System32\bitcometres.dll
[2008-11-18 17:06:46 | 00,111,616 | ---- | M] () -- C:\Users\Sunny\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008-11-18 09:19:04 | 00,005,760 | ---- | M] () -- C:\Windows\System32\drivers\restore.sys
[2008-11-18 09:17:31 | 00,103,428 | ---- | M] () -- C:\Windows\System32\msxml71.dll
[2008-11-18 09:17:20 | 00,068,698 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cmdl.exe
[2008-11-18 09:17:20 | 00,000,000 | ---- | M] () -- C:\Windows\System32\cmdl.lock
[2008-11-18 09:17:19 | 00,003,306 | ---- | M] () -- C:\Windows\System32\cnf.dat
[2008-11-18 09:17:14 | 00,104,448 | ---- | M] () -- C:\ggfxrw.exe
[2008-11-18 09:17:07 | 00,023,040 | ---- | M] () -- C:\Windows\System32\fklame32.dll
[2008-11-18 09:17:06 | 00,000,705 | ---- | M] () -- C:\cxcnowy.exe
[2008-11-18 09:17:05 | 00,000,002 | ---- | M] () -- C:\715660275
[2008-11-18 09:16:56 | 00,037,376 | ---- | M] () -- C:\Windows\System32\yayvTlKC.dll
[2008-11-18 09:16:56 | 00,000,942 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2008-11-18 09:16:07 | 00,029,192 | ---- | M] () -- C:\Windows\System32\drivers\ndisprot.sys
[2008-11-18 09:15:57 | 00,000,103 | RHS- | M] () -- C:\autorun.inf
[2008-11-17 21:06:17 | 00,000,501 | ---- | M] () -- C:\Users\Sunny\Documents\My Sharing Folders.lnk
[2008-11-16 22:34:31 | 00,428,603 | ---- | M] () -- C:\Users\Sunny\Documents\09f1500011.jpg
[2008-11-16 22:34:26 | 00,418,491 | ---- | M] () -- C:\Users\Sunny\Documents\09f1500021.jpg
[2008-11-16 22:34:23 | 00,422,718 | ---- | M] () -- C:\Users\Sunny\Documents\09f1500041.jpg
[2008-11-16 18:03:20 | 00,000,937 | ---- | M] () -- C:\Users\Sunny\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Acer Product Registration.lnk
[2008-11-16 13:18:42 | 00,019,968 | ---- | M] () -- C:\Users\Sunny\Documents\87101 Order Number.doc
[2008-11-16 13:17:03 | 00,002,609 | ---- | M] () -- C:\Users\Sunny\Desktop\Microsoft Office Word 2003.lnk
[2008-11-12 22:37:41 | 00,026,825 | ---- | M] () -- C:\Users\Sunny\Documents\DSC_0307.JPG
[2008-11-12 00:44:46 | 00,041,830 | ---- | M] () -- C:\Users\Sunny\Documents\n524280083_4736585_6859.jpg
[2008-11-09 17:53:05 | 00,795,120 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2008-11-09 17:53:05 | 00,673,684 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2008-11-09 17:53:05 | 00,125,236 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2008-11-08 19:40:46 | 00,000,000 | ---- | M] () -- C:\Windows\ativpsrm.bin
[2008-11-03 16:10:25 | 17,318,336 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mrt.exe
[2008-11-03 15:29:29 | 00,078,235 | ---- | M] () -- C:\Users\Sunny\Documents\Kim-Kardashian_3vkr-actressblogs-1.jpg
[2008-10-23 20:52:30 | 00,001,800 | ---- | M] () -- C:\Users\Public\Desktop\Easy CD-DA Extractor.lnk
[2008-10-22 14:54:44 | 00,000,376 | ---- | M] () -- C:\Windows\ODBC.INI
[2008-10-22 14:53:31 | 00,000,967 | ---- | M] () -- C:\Users\Public\Desktop\POWERPNT - Shortcut.lnk
[2008-10-22 08:02:12 | 00,103,768 | ---- | M] () -- C:\Users\Sunny\AppData\Local\GDIPFONTCACHEV1.DAT
[2008-10-22 07:54:09 | 00,386,440 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2008-10-22 00:06:09 | 00,000,128 | ---- | M] () -- C:\Windows\win.ini
[2008-10-21 22:17:26 | 00,001,061 | ---- | M] () -- C:\Users\Sunny\Desktop\Revo Uninstaller.lnk
< End of report >

outlawz28
Intermediate
Intermediate

Status :
Online
Offline

Posts : 84
Joined : 2008-11-19
OS : Windows Vista Home Premium
Points : 29649
# Likes : 0

View user profile

Back to top Go down

Solved Re: Please Help (Trojan Problem)

Post by Belahzur on Thu Nov 20, 2008 12:49 am

Thanks. Looks good, just a few things to delete now.
First, lets get rid of the wareout service and some leftovers to stop the infection returning.

Now open a new notepad file.
Input this into the notepad file:

@echo off
sc stop "Windows Tribute Service"
sc delete "Windows Tribute Service"
del Fixservices.bat
exit

Save this as Fixservices.bat, save it to your desktop.
Double click Fixservices.bat and the black cmd window will open and close, this is normal.

After you've done that.


  • Now open a another new notepad file.
  • Input this into the notepad file:

    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
    "NoFolderOptions"=-
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
    "DisableRegistryTools"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{A2587760-63ED-4EF5-B30D-A7C5B53EE597}"=-
    [-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{77496956-7526-11dd-a088-0016d3ef9634}]
    [-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{77496956-7526-11dd-a088-0016d3ef9634}]
    [-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{77496956-7526-11dd-a088-0016d3ef9634}]

  • Save this as fix.reg, save it to your desktop.
  • Double click fix.reg to run it.
  • Select yes to the registry merge prompt.

====


We need to run the avenger one last time.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Files to delete:
C:\Windows\System32\TDSSwfdm.dll
C:\Windows\System32\TDSSujov.dll
C:\Windows\System32\TDSSxcrd.dat
C:\Windows\System32\TDSSpfpe.dll
C:\Windows\System32\TDSSxrei.dll
C:\Windows\System32\TDSSwrhm.dll
C:\Windows\System32\CF2020.exe
C:\Windows\System32\CF31999.exe
C:\Windows\System32\CF31166.exe
C:\Windows\System32\CF29573.exe
C:\Windows\System32\CF29426.exe
C:\Windows\System32\CF29573.exe
C:\ggfxrw.exe
C:\cxcnowy.exe
C:\Windows\System32\yayvTlKC.dll
C:\Windows\System32\fklame32.dll
C:\autorun.inf
D:\autorun.inf
C:\resycled\boot.com
C:\CombO-fIx.exe

Folders to delete:
C:\resycled
C:\715660275
C:\Qoobox

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Don't tick the box below.
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avengerís actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245039
# Likes : 1

View user profile

Back to top Go down

Solved Re: Please Help (Trojan Problem)

Post by outlawz28 on Thu Nov 20, 2008 1:11 am

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\Windows\System32\TDSSwfdm.dll" deleted successfully.
File "C:\Windows\System32\TDSSujov.dll" deleted successfully.
File "C:\Windows\System32\TDSSxcrd.dat" deleted successfully.
File "C:\Windows\System32\TDSSpfpe.dll" deleted successfully.
File "C:\Windows\System32\TDSSxrei.dll" deleted successfully.
File "C:\Windows\System32\TDSSwrhm.dll" deleted successfully.
File "C:\Windows\System32\CF2020.exe" deleted successfully.
File "C:\Windows\System32\CF31999.exe" deleted successfully.
File "C:\Windows\System32\CF31166.exe" deleted successfully.
File "C:\Windows\System32\CF29573.exe" deleted successfully.
File "C:\Windows\System32\CF29426.exe" deleted successfully.

Error: file "C:\Windows\System32\CF29573.exe" not found!
Deletion of file "C:\Windows\System32\CF29573.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\ggfxrw.exe" deleted successfully.
File "C:\cxcnowy.exe" deleted successfully.
File "C:\Windows\System32\yayvTlKC.dll" deleted successfully.
File "C:\Windows\System32\fklame32.dll" deleted successfully.
File "C:\autorun.inf" deleted successfully.
File "D:\autorun.inf" deleted successfully.
File "C:\resycled\boot.com" deleted successfully.

Error: "C:\CombO-fIx.exe" is a folder, not a file!
Deletion of file "C:\CombO-fIx.exe" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory

Folder "C:\resycled" deleted successfully.

Error: "C:\715660275" is not a folder! It may instead be a file.
Deletion of folder "C:\715660275" failed!
Status: 0xc0000103 (STATUS_NOT_A_DIRECTORY)
--> use "Files to delete:" instead of "Folders to delete:" to delete an ordinary file

Folder "C:\Qoobox" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

outlawz28
Intermediate
Intermediate

Status :
Online
Offline

Posts : 84
Joined : 2008-11-19
OS : Windows Vista Home Premium
Points : 29649
# Likes : 0

View user profile

Back to top Go down

Solved Re: Please Help (Trojan Problem)

Post by Belahzur on Thu Nov 20, 2008 1:14 am

Were done here.
You have been an awesome warrior, well done. Cheers Mate

Delete this folder:
C:\avenger

Empty your recycle bin.
How is the machine now?

Everything looks great --- your HijackThis log appears to be clean. Smile
Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers. Goofy

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

Hopefully this should take care of your problems! Good luck. Big Grin


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245039
# Likes : 1

View user profile

Back to top Go down

Solved Re: Please Help (Trojan Problem)

Post by outlawz28 on Thu Nov 20, 2008 1:21 am

Computer seems to be running smooth. You guys are amazing! I cant thank you enough. Now is my computer good to go? Like if im going to purchase anything online with credit cards, do banking and that sort of stuff?

outlawz28
Intermediate
Intermediate

Status :
Online
Offline

Posts : 84
Joined : 2008-11-19
OS : Windows Vista Home Premium
Points : 29649
# Likes : 0

View user profile

Back to top Go down

Solved Re: Please Help (Trojan Problem)

Post by outlawz28 on Thu Nov 20, 2008 1:23 am

Also can i remove combo fix avenger and those programs i installed?

outlawz28
Intermediate
Intermediate

Status :
Online
Offline

Posts : 84
Joined : 2008-11-19
OS : Windows Vista Home Premium
Points : 29649
# Likes : 0

View user profile

Back to top Go down

Solved Re: Please Help (Trojan Problem)

Post by Belahzur on Thu Nov 20, 2008 1:23 am

Yep. Big Grin
Just read my prevention speech above and you'll be fine. Smile


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245039
# Likes : 1

View user profile

Back to top Go down

Solved Re: Please Help (Trojan Problem)

Post by outlawz28 on Thu Nov 20, 2008 1:26 am

Thank you Again. This site is amazing!!

outlawz28
Intermediate
Intermediate

Status :
Online
Offline

Posts : 84
Joined : 2008-11-19
OS : Windows Vista Home Premium
Points : 29649
# Likes : 0

View user profile

Back to top Go down

Solved Re: Please Help (Trojan Problem)

Post by Belahzur on Thu Nov 20, 2008 1:27 am

Thank You! Thank You!

I will add solved tags to this topic, but leave it open for 1 week should you have any questions.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245039
# Likes : 1

View user profile

Back to top Go down

Solved Re: Please Help (Trojan Problem)

Post by outlawz28 on Thu Nov 20, 2008 6:07 am

Hey i dont know why but everything just seems to be a bit slow. Like when i click on firefox to open or anyother files to open its slower now.

outlawz28
Intermediate
Intermediate

Status :
Online
Offline

Posts : 84
Joined : 2008-11-19
OS : Windows Vista Home Premium
Points : 29649
# Likes : 0

View user profile

Back to top Go down

Solved Re: Please Help (Trojan Problem)

Post by outlawz28 on Thu Nov 20, 2008 6:19 am

here is a hijack txt to help

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:19:12 PM, on 11/19/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Windows\system32\taskeng.exe
C:\Users\Sunny\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Sunny\Downloads\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "c:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [PLFSet] rundll32.exe C:\Windows\PLFSet.dll,PLFDefSetting
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "c:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [Acer Assist Launcher] C:\Program Files\Acer Assist\launcher.exe
O4 - HKLM\..\Run: [Acer Product Registration] "C:\Program Files\Acer Registration\ACE1.exe" /startup
O4 - HKLM\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALuNotify.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [UIWatcher] C:\Program Files\Ashampoo\Ashampoo UnInstaller 3\UIWatcher.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Acer Product Registration.lnk = C:\Program Files\Acer Registration\ACE1.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - [You must be registered and logged in to see this link.] Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - [You must be registered and logged in to see this link.] Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - [You must be registered and logged in to see this link.] Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - [You must be registered and logged in to see this link.] Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O13 - Gopher Prefix:
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - [You must be registered and logged in to see this link.]
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: O2Micro Flash Memory Card Service (o2flash) - O2Micro International - C:\Program Files\O2Micro Oz128 Driver\o2flash.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 11522 bytes

outlawz28
Intermediate
Intermediate

Status :
Online
Offline

Posts : 84
Joined : 2008-11-19
OS : Windows Vista Home Premium
Points : 29649
# Likes : 0

View user profile

Back to top Go down

Solved Re: Please Help (Trojan Problem)

Post by Belahzur on Thu Nov 20, 2008 9:29 am

We can get rid of some stuff on startup, but to be honest, you should consider getting rid of Symantec. Norton (Symantec) is a huge resource hog.

Consider using one of the following instead of Norton.

1) [You must be registered and logged in to see this link.]
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.
2) [You must be registered and logged in to see this link.]
-Anti-virus program for Windows.
-The home edition is freeware for noncommercial user.
3) [You must be registered and logged in to see this link.]
- Free edition of the AVG anti-virus program for Windows.
- Available for single computer use for home and non commercial use.
=====
Clean your temp files.

Download [You must be registered and logged in to see this link.]

  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:

  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.


This should give you back some space on your HDD.

Please download Purera.exe from [You must be registered and logged in to see this link.]

  • First, unzip the program.
  • Double click Purera.exe to open it.
  • When it opens, press the "Clean" button.
  • This will open up a menu of options.
  • Tick the box that says "Check All"
  • Then press the "Clean Selected" button.
  • This will start the cleaning proccess.
  • For a minute or two, Purera.exe may act like it isn't responding, but let it run.
  • After it's done, it will make a log file of what it's removed, but I don't need to see it.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245039
# Likes : 1

View user profile

Back to top Go down

Solved Re: Please Help (Trojan Problem)

Post by outlawz28 on Fri Nov 21, 2008 12:30 am

how do i get rid of some of the stuff on startup|?

outlawz28
Intermediate
Intermediate

Status :
Online
Offline

Posts : 84
Joined : 2008-11-19
OS : Windows Vista Home Premium
Points : 29649
# Likes : 0

View user profile

Back to top Go down

Solved Re: Please Help (Trojan Problem)

Post by Belahzur on Fri Nov 21, 2008 12:32 am

We can use Hijack This to do that. We'll do it, but let me know if you decide to switch from Norton to one of the 3 I posted above.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245039
# Likes : 1

View user profile

Back to top Go down

Solved Re: Please Help (Trojan Problem)

Post by outlawz28 on Fri Nov 21, 2008 12:43 am

I dont mind switching should I uninstall norton and install one of those 3?

outlawz28
Intermediate
Intermediate

Status :
Online
Offline

Posts : 84
Joined : 2008-11-19
OS : Windows Vista Home Premium
Points : 29649
# Likes : 0

View user profile

Back to top Go down

Solved Re: Please Help (Trojan Problem)

Post by Belahzur on Fri Nov 21, 2008 12:48 am

Yes.
Firstly, I would prefer you use Avast!, it's small and easy to use. Download the free version of it before uninstall Norton, so you don't do any surfing without an AV.
Once you have the .exe on your desktop of Avast!, uninstall Norton.

Press Start > Control Panel > Add/remove programs
Uninstall all this by pressing the Remove button on the right after selecting each one.
Uninstall any products on the uninstall list with the words Symantec or Norton in the name.

Once you've switched, post a new Hijack This log. Smile


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245039
# Likes : 1

View user profile

Back to top Go down

Solved Re: Please Help (Trojan Problem)

Post by outlawz28 on Fri Nov 21, 2008 1:23 am

here is the hijack this log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:22:02 PM, on 11/20/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Users\Sunny\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\ehome\ehmsas.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Program Files\Internet Explorer\IEUser.exe
C:\Windows\system32\rundll32.exe
C:\Users\Sunny\Downloads\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [PLFSet] rundll32.exe C:\Windows\PLFSet.dll,PLFDefSetting
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "c:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [Acer Assist Launcher] C:\Program Files\Acer Assist\launcher.exe
O4 - HKLM\..\Run: [Acer Product Registration] "C:\Program Files\Acer Registration\ACE1.exe" /startup
O4 - HKLM\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [UIWatcher] C:\Program Files\Ashampoo\Ashampoo UnInstaller 3\UIWatcher.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Acer Product Registration.lnk = C:\Program Files\Acer Registration\ACE1.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - [You must be registered and logged in to see this link.] Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - [You must be registered and logged in to see this link.] Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - [You must be registered and logged in to see this link.] Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - [You must be registered and logged in to see this link.] Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O13 - Gopher Prefix:
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - [You must be registered and logged in to see this link.]
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: O2Micro Flash Memory Card Service (o2flash) - O2Micro International - C:\Program Files\O2Micro Oz128 Driver\o2flash.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10804 bytes

outlawz28
Intermediate
Intermediate

Status :
Online
Offline

Posts : 84
Joined : 2008-11-19
OS : Windows Vista Home Premium
Points : 29649
# Likes : 0

View user profile

Back to top Go down

Solved Re: Please Help (Trojan Problem)

Post by Belahzur on Fri Nov 21, 2008 1:26 pm

Hello.
Do this.


  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "c:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [UIWatcher] C:\Program Files\Ashampoo\Ashampoo UnInstaller 3\UIWatcher.exe


  • Press "Fix Checked"
  • Close Hijack This.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245039
# Likes : 1

View user profile

Back to top Go down

Solved Re: Please Help (Trojan Problem)

Post by outlawz28 on Sat Nov 22, 2008 9:21 am

thanks i did all that, I got one more question when I go into my email and open up a email from like xbox or anyone else I cant see the pictures even if i click on show content its just a little box with a small red square green circle and a blue shape. there seems to be this problem because even my pictures wont show what it actually is unless i click on it and open the file.

outlawz28
Intermediate
Intermediate

Status :
Online
Offline

Posts : 84
Joined : 2008-11-19
OS : Windows Vista Home Premium
Points : 29649
# Likes : 0

View user profile

Back to top Go down

Solved Re: Please Help (Trojan Problem)

Post by Belahzur on Sat Nov 22, 2008 1:46 pm

Probably just hotmail blocking them out for your protection. I wouldn't open any emails fully. (show content)
Any emails can be faked easily, this is how many people get infected.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245039
# Likes : 1

View user profile

Back to top Go down

Solved Re: Please Help (Trojan Problem)

Post by outlawz28 on Sat Nov 22, 2008 5:56 pm

There does seem to be a problem with the pictures because it wont even let me set a desktop background and it wont even show the pic as a preview when you your about to open it. Its just the name of the pic and the little small preview of the pic is missing

outlawz28
Intermediate
Intermediate

Status :
Online
Offline

Posts : 84
Joined : 2008-11-19
OS : Windows Vista Home Premium
Points : 29649
# Likes : 0

View user profile

Back to top Go down

Solved Re: Please Help (Trojan Problem)

Post by Belahzur on Sat Nov 22, 2008 6:01 pm

It's possible that Active Desktop is enabled. To Disable Active Desktop. Open the Control Panel.
Open Display Properties.
Click the Desktop tab.
Click the Customize Desktop button.
Click the Web tab in the Desktop Items window.
Make sure all checkboxes in this window are un-checked including My Current Homepage.
Restart your computer.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245039
# Likes : 1

View user profile

Back to top Go down

Solved Re: Please Help (Trojan Problem)

Post by outlawz28 on Sat Nov 22, 2008 11:03 pm

there doesnt seem to be any display properties there

outlawz28
Intermediate
Intermediate

Status :
Online
Offline

Posts : 84
Joined : 2008-11-19
OS : Windows Vista Home Premium
Points : 29649
# Likes : 0

View user profile

Back to top Go down

Solved Re: Please Help (Trojan Problem)

Post by Belahzur on Sat Nov 22, 2008 11:05 pm

My bad.
My instructions seemed like right click, double left click.
Or you can right click on the desktop > properties > customize dekstop and go from there.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245039
# Likes : 1

View user profile

Back to top Go down

Solved Re: Please Help (Trojan Problem)

Post by outlawz28 on Sat Nov 22, 2008 11:11 pm

im confused i have vista

outlawz28
Intermediate
Intermediate

Status :
Online
Offline

Posts : 84
Joined : 2008-11-19
OS : Windows Vista Home Premium
Points : 29649
# Likes : 0

View user profile

Back to top Go down

Solved Re: Please Help (Trojan Problem)

Post by Belahzur on Sat Nov 22, 2008 11:11 pm

Darn.
One second, them instructions were for XP.

[edit]
I have asked Doc to post for this, because I don't have vista and don't know the controls. LMBO or ROFL


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245039
# Likes : 1

View user profile

Back to top Go down

Solved Re: Please Help (Trojan Problem)

Post by Doctor Inferno on Sun Nov 23, 2008 2:05 am

Follow this tutorial on how to change your desktop wallpaper:

[You must be registered and logged in to see this link.]

Let me know if it works, if it doesn't we have to delete a registry key.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno
Administrator
Administrator

Status :
Online
Offline

Posts : 12017
Joined : 2007-12-26
Gender : Male
OS : Windows 7 Home Premium and Ultimate X64
Points : 104574
# Likes : 0

View user profile

Back to top Go down

Solved Re: Please Help (Trojan Problem)

Post by outlawz28 on Sun Nov 23, 2008 2:09 am

nope it doesnt work and the thing is you cant even see those pictures of like vista theme as a preview or any other pictures on my computer

outlawz28
Intermediate
Intermediate

Status :
Online
Offline

Posts : 84
Joined : 2008-11-19
OS : Windows Vista Home Premium
Points : 29649
# Likes : 0

View user profile

Back to top Go down

Solved Re: Please Help (Trojan Problem)

Post by Doctor Inferno on Sun Nov 23, 2008 1:12 pm

Ok, lets' try this. Maybe the wallpaper policy was some how enabled, this reg fix will help to remove that policy.

Download [You must be registered and logged in to see this link.] reg file to your desktop >> Right click it and select Merge.


If it doesn't work, post a screenshot of what you experiencing.

To take a screenshot,

1. Press the PrtSc/SysRq at the top of your keyboard (See illustration)



2. Open Paint by navigating to Start >> All Programs >> Accessories >> Paint

3. Press Ctrl+V so that the screen shot goes into paint.

4. Save your picture as JPG

5. Upload your picture to an image host like tinypic.com


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno
Administrator
Administrator

Status :
Online
Offline

Posts : 12017
Joined : 2007-12-26
Gender : Male
OS : Windows 7 Home Premium and Ultimate X64
Points : 104574
# Likes : 0

View user profile

Back to top Go down

Solved Re: Please Help (Trojan Problem)

Post by outlawz28 on Mon Nov 24, 2008 1:27 am

Doesn't work, here is screen shots of how it looks

[You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

outlawz28
Intermediate
Intermediate

Status :
Online
Offline

Posts : 84
Joined : 2008-11-19
OS : Windows Vista Home Premium
Points : 29649
# Likes : 0

View user profile

Back to top Go down

Solved Re: Please Help (Trojan Problem)

Post by Doctor Inferno on Mon Nov 24, 2008 4:34 am

Copy the following code in to Notepad and save it as fix thumb.reg

Code:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisableThumbnails"=-

Right click the file >> Merge >> Run


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno
Administrator
Administrator

Status :
Online
Offline

Posts : 12017
Joined : 2007-12-26
Gender : Male
OS : Windows 7 Home Premium and Ultimate X64
Points : 104574
# Likes : 0

View user profile

Back to top Go down

Solved Re: Please Help (Trojan Problem)

Post by outlawz28 on Mon Nov 24, 2008 5:02 am

should i copy Windows Registry Editor Version 5.00 too or just whats under it?

outlawz28
Intermediate
Intermediate

Status :
Online
Offline

Posts : 84
Joined : 2008-11-19
OS : Windows Vista Home Premium
Points : 29649
# Likes : 0

View user profile

Back to top Go down

Page 1 of 2 1, 2  Next

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum