My browser has been hijacked by search-daily.com! HELP!


35 replies to this topic

#1 Ultrad321 (Member, 20 posts)

Posted 08 December 2007 - 05:41 AM

When I try to follow a Google search link it redirects me to this search-daily.net website. I have been reading around and seeing that others have had this problem, trying to fix it, but I can't. It just doesn't go away. I am hoping you guys can help me with it.

I have tried my F-Prot antivirus, Spybot - S&D, Ad-Aware 2007, and HijackThis, but nothing seems to work.

PLEASE HELP ME! I know some about computers but it is past my knowledge point.

I have Microsoft XP Professional x64, so my computer is 64-bit, in case that matters.

Here is my HijackThis log; attached is my last Ad-Aware log from earlier in the day, before I began trying to eliminate this with HijackThis.

In addition to this there was another BHO with a name like 4vxmpgs or something like that in my SysWOW64 folder that I thought might be it, so I deleted it, but the search-daily redirect did not go away. It might still be lingering around on my computer somewhere.

Logfile of HijackThis v1.99.1
Scan saved at 1:08:43 AM, on 12/8/2007
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files (x86)\FSI\F-Prot\fpavupdm.exe
C:\WINDOWS\SysWOW64\PnkBstrA.exe
C:\WINDOWS\SysWOW64\wwSecure.exe
C:\Program Files (x86)\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files (x86)\AIM6\aim6.exe
C:\Program Files (x86)\Webroot\Washer\wwDisp.exe
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\Program Files (x86)\FSI\F-Prot\F-Sched.exe
C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\iPod\bin\iPodService.exe
C:\Program Files (x86)\AIM6\aolsoftware.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\hijackthis\HijackThis.exe
C:\WINDOWS\system32\drwtsn32.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {293D6DCB-E93F-42F9-BB5B-A11EF759210C} - C:\WINDOWS\SysWow64\dpvacmv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [FRISK FP-Scheduler] "C:\Program Files (x86)\FSI\F-Prot\F-Sched.exe" STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [CatalystRegistration] "C:\Program Files (x86)\ATI\CatalystRegistration\dolce.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files (x86)\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Window Washer] C:\Program Files (x86)\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livemetal...r/dlControl.CAB
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.c...driveragent.cab
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: EFS - C:\WINDOWS\SYSTEM32\sclgntfy.dll
O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\camaddin.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2saag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files (x86)\FSI\F-Prot\fpavupdm.exe
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

Edited by Ultrad321, 08 December 2007 - 06:51 AM.


#2 HJThis (Advanced Member, Volunteer Security Advisor, 4076 posts)

Posted 08 December 2007 - 05:28 PM

Hello Ultrad321, and welcome.

First, you're running an outdated version of HijackThis. Remove/uninstall the version you have now and install this version.

Download HJTInstall.exe to your Desktop.

Double-click HJTInstall.exe to install it.
By default it will install to C:\Program Files\Trend Micro\HijackThis.
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed, it will launch HijackThis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Save the log to a convenient location as you'll need to post it soon.
Don't use the Analyze This button; its findings are dangerous if misinterpreted.
Don't have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
=====================

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 3.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 3".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.
Let me know in your next reply how things are now.

=========================

Then, after doing all of the above, run this online scan and come back here with its scan results and a new HijackThis log.

Let's run an F-Secure online scan for viruses, spyware and rootkits:
  • Go to http://support.f-sec.../home/ols.shtml
  • Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
  • Allow the Active X control to be installed on your computer, then click the Accept button
  • Click Full System Scan and allow the components to download and the scan to complete.
  • If malware is found, check Submit samples to F-Secure then select Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan
  • When the cleaning option is presented, Uncheck Submit samples to F-Secure
  • Click Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
Notes:
  • This scan will only work with Internet Explorer
  • You must have administrator rights to run this scan
  • This scan can take several hours, so please be patient


Gogo :)
Die Hijacker Die

Member of
ALLIANCE OF SECURITY ANALYSIS PROFESSIONALS

Since 2004

Warning My killer dog at work.


#3 Ultrad321 (Member, 20 posts)

Posted 08 December 2007 - 06:21 PM

OK, I am running F-Secure right now. Just wanted to let you know that I found a file nljazrum.dat in my SysWOW64 folder that was created and modified, etc. at the precise date and time that I know this worm found its way to my computer. It seems suspicious. Also my PF usage is up; I think this thing is slowing down my computer and/or messing with my processes or something. These things are malicious, because at the same time that file was created (along with the 4vmxdpmgs.exe file I deleted earlier) my System Restore was turned off by this thing. Whenever this F-Secure scan is done I will run a new HijackThis and post it.

#4 Ultrad321 (Member, 20 posts)

Posted 08 December 2007 - 07:09 PM

OK, here is the F-Secure scan result and my post-scan HijackThis log.

F-Secure scan log:

Scanning Report
Saturday, December 08, 2007 13:14:36 - 13:51:06
Computer name: DREWS-SGAMER
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\


--------------------------------------------------------------------------------

Result: 9 malware found
Packed.Win32.NSAnti.r (virus)
C:\DOCUMENTS AND SETTINGS\DEFAULT USER\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5X6ZKLYZ\CONTEXTPLUS[1].EXE (Submitted)
Possible Browser Hijack attempt (spyware)
System (Disinfected)
Tracking Cookie (spyware)
System (Disinfected)
Trojan.Win32.Pakes.bpw (virus)
C:\PROGRAM FILES (X86)\HIJACKTHIS\BACKUPS\BACKUP-20071207-233006-457.DLL (Renamed & Submitted)
C:\PROGRAM FILES (X86)\HIJACKTHIS\BACKUPS\BACKUP-20071207-233103-479.DLL (Renamed & Submitted)
C:\PROGRAM FILES (X86)\HIJACKTHIS\BACKUPS\BACKUP-20071207-233123-734.DLL (Renamed & Submitted)
C:\PROGRAM FILES (X86)\HIJACKTHIS\BACKUPS\BACKUP-20071207-233141-958.DLL (Renamed & Submitted)
C:\PROGRAM FILES (X86)\HIJACKTHIS\BACKUPS\BACKUP-20071207-235336-312.DLL (Renamed & Submitted)
C:\PROGRAM FILES (X86)\HIJACKTHIS\BACKUPS\BACKUP-20071208-000717-169.DLL (Renamed & Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 38314
System: 3458
Not scanned: 2
Actions:
Disinfected: 2
Renamed: 6
Deleted: 0
None: 1
Submitted: 7
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{4A522605-6BF8-476C-A40C-A6BEF70FFAE6}.BIN

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure Libra: 2.4.2, 2007-11-28
F-Secure AVP: 7.0.171, 2007-12-08
F-Secure Orion: 1.2.37, 2007-12-08
F-Secure Blacklight: 1.0.64
F-Secure Draco: 1.0.35, 1008-150-72
F-Secure Pegasus: 1.19.0, 2007-11-03
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
Use Advanced heuristics

--------------------------------------------------------------------------------




HijackThis log from after the F-Secure scan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:59:39 PM, on 12/8/2007
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files (x86)\FSI\F-Prot\fpavupdm.exe
C:\WINDOWS\SysWOW64\PnkBstrA.exe
C:\WINDOWS\SysWOW64\wwSecure.exe
C:\Program Files (x86)\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files (x86)\Webroot\Washer\wwDisp.exe
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\Program Files (x86)\FSI\F-Prot\F-Sched.exe
C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\iPod\bin\iPodService.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {293D6DCB-E93F-42F9-BB5B-A11EF759210C} - C:\WINDOWS\SysWow64\dpvacmv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [FRISK FP-Scheduler] "C:\Program Files (x86)\FSI\F-Prot\F-Sched.exe" STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [CatalystRegistration] "C:\Program Files (x86)\ATI\CatalystRegistration\dolce.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files (x86)\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Window Washer] C:\Program Files (x86)\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Policies\Explorer\Run: [udhrat] C:\WINDOWS\system32\udhrat.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [kffo] C:\PROGRA~2\COMMON~1\kffo\kffom.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [kffo] C:\PROGRA~2\COMMON~1\kffo\kffom.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - ESC Trusted Zone: http://runonce.msn.com
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livemetal...r/dlControl.CAB
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.c...driveragent.cab
O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\camaddin.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2saag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files (x86)\FSI\F-Prot\fpavupdm.exe
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

--
End of file - 7368 bytes
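The logs above are read by hand in this thread, but the HijackThis format is regular enough to parse, and the things the advisor is looking for are structural: a BHO registered with no name, an autostart under the SYSTEM or Default user hive or via Policies\Explorer\Run, a Winlogon Notify entry whose DLL is missing, and one file referenced from several entries (the same dpvacmv.dll under several CLSIDs, the same kffom.exe in two hives). The following Python is an added example written for this page, not code from the thread or from HijackThis; the sample lines are a constructed subset modelled on the entries posted above, and the flag rules are assumptions about what deserves a second look, not a verdict:

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List

# Constructed sample in the HijackThis log format: a hand-picked subset
# modelled on the entries posted in this thread, not a complete log.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {10F02D85-BCB8-4AD4-BCA8-CBBA548FC64B} - C:\WINDOWS\SysWow64\dpvacmv.dll
O2 - BHO: (no name) - {293D6DCB-E93F-42F9-BB5B-A11EF759210C} - C:\WINDOWS\SysWow64\dpvacmv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Policies\Explorer\Run: [udhrat] C:\WINDOWS\system32\udhrat.exe
O4 - HKUS\S-1-5-18\..\Run: [kffo] C:\PROGRA~2\COMMON~1\kffo\kffom.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [kffo] C:\PROGRA~2\COMMON~1\kffo\kffom.exe (User 'Default user')
O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\camaddin.dll (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe
"""

# Every HijackThis entry starts with a section code such as R0, O2, O4, O23.
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")


@dataclass
class Entry:
    section: str                  # HijackThis section code, e.g. "O2"
    body: str                     # everything after "O2 - "
    path: str                     # file the entry points at (best effort)
    reasons: List[str] = field(default_factory=list)


def extract_path(section: str, body: str) -> str:
    """Pull the referenced file out of an entry body."""
    if section == "O4":
        # O4 - <hive>\..\Run: [name] <command> (User 'x')
        after_name = body.split("] ", 1)[-1]
        command = after_name.split(" (User ", 1)[0].strip()
        if command.startswith('"'):          # quoted path, maybe with arguments
            return command[1:].split('"', 1)[0]
        return command                        # unquoted command, keep as a whole
    # O2 / O9 / O20 / O23: the file is the last " - " separated field.
    tail = body.rsplit(" - ", 1)[-1]
    return tail.replace(" (file missing)", "").strip()


def flag(entry: Entry) -> List[str]:
    """Structural signals that earn an entry a closer look (assumed rules)."""
    low = entry.body.lower()
    reasons = []
    if entry.section == "O2" and low.startswith("bho: (no name)"):
        reasons.append("BHO registered without a name")
    if entry.section == "O4":
        if r"policies\explorer\run" in low:
            reasons.append("autostart via Policies\\Explorer\\Run")
        if r"hkus\s-1-5-18" in low or r"hkus\.default" in low:
            reasons.append("autostart in the SYSTEM / Default user hive")
    if entry.section == "O20" and "(file missing)" in low:
        reasons.append("Winlogon Notify points at a missing DLL")
    return reasons


def parse_hjt(text: str) -> List[Entry]:
    """Parse the entry lines of a HijackThis log; headers and process lists are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        entry = Entry(section, body, extract_path(section, body))
        entry.reasons = flag(entry)
        entries.append(entry)
    return entries


def suspicious(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.reasons]


def shared_paths(entries: List[Entry]) -> List[str]:
    """Files referenced by more than one entry, e.g. one DLL under several CLSIDs."""
    counts = Counter(e.path.lower() for e in entries)
    return sorted(p for p, n in counts.items() if n > 1)


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for e in suspicious(parsed):
        print(f"{e.section:<4} {e.path}\n      " + "; ".join(e.reasons))
    print("referenced more than once:", shared_paths(parsed))
```

Run on the sample, it flags both dpvacmv.dll entries, udhrat.exe, both kffom.exe entries and the missing camaddin.dll, and reports dpvacmv.dll and kffom.exe as files referenced from more than one entry. It also flags Spybot's SDHelper.dll, which is registered without a name but is legitimate: the flags are a triage aid, which is exactly why the advisor says most of what HijackThis finds is harmless and asks that nothing be fixed before a human has read the log.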

#5 HJThis (Advanced Member, Volunteer Security Advisor, 4076 posts)

Posted 08 December 2007 - 07:42 PM

Hi Ultrad321,

Now, I'm not 100% sure this tool will run on your PC, but give it a try.

Download ComboFix from Here or Here to your Desktop.

  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.



#6 Ultrad321 (Member, 20 posts)

Posted 08 December 2007 - 08:46 PM

ComboFix is not working on my computer. It starts scanning, then the window goes away and it never scans.

What should I do next?

#7 HJThis (Advanced Member, Volunteer Security Advisor, 4076 posts)

Posted 08 December 2007 - 09:04 PM

Hi Ultrad321,

OK, not sure; run this one.

Please download Deckard's System Scanner (DSS) to your Desktop.

  • Close all applications and windows.
  • Double-click on DSS.exe to run it, and follow the prompts.
  • The scan may take a minute. When the scan is complete, two text files will open: Main.txt and Extra.txt.

Extra note: When running DSS, some firewalls may warn that sigcheck.exe is trying to access the internet; please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your antivirus flags DSS as suspicious. Please allow Deckard's System Scanner to run and don't let your antivirus delete it. (In this case, it may be better to temporarily disable your antivirus.)

Post the main.txt and extra.txt from the C:\Deckard\System Scanner folder into your next reply.



#8 Ultrad321 (Member, 20 posts)

Posted 08 December 2007 - 10:26 PM

The first time it ran it used the older version of HijackThis, so I reran it so it would use the new version, but did not get an Extra file the second time. So the Main file is from the second scan with the new HijackThis, and the Extra file is from the first scan, when it used the older HijackThis.

Attached is my latest HJT log if you need it. I will also put it at the bottom of this post.

I have noticed a few suspicious files that I think might be related to my problem, but I will wait for your input before taking any action.

Main.txt:

Deckard's System Scanner v20071014.68
Run by Administrator on 2007-12-08 17:03:58
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:04 PM, on 2007-12-08
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files (x86)\FSI\F-Prot\fpavupdm.exe
C:\WINDOWS\SysWOW64\PnkBstrA.exe
C:\WINDOWS\SysWOW64\wwSecure.exe
C:\Program Files (x86)\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files (x86)\Webroot\Washer\wwDisp.exe
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\Program Files (x86)\FSI\F-Prot\F-Sched.exe
C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files (x86)\iPod\bin\iPodService.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~2\TRENDM~1\HIJACK~1\Administrator.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {10F02D85-BCB8-4AD4-BCA8-CBBA548FC64B} - C:\WINDOWS\SysWow64\dpvacmv.dll
O2 - BHO: (no name) - {293D6DCB-E93F-42F9-BB5B-A11EF759210C} - C:\WINDOWS\SysWow64\dpvacmv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7BCD843D-31F6-493D-BDA9-BDC6F721542C} - C:\WINDOWS\SysWow64\dpvacmv.dll
O4 - HKLM\..\Run: [FRISK FP-Scheduler] "C:\Program Files (x86)\FSI\F-Prot\F-Sched.exe" STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [CatalystRegistration] "C:\Program Files (x86)\ATI\CatalystRegistration\dolce.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files (x86)\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Window Washer] C:\Program Files (x86)\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Policies\Explorer\Run: [udhrat] C:\WINDOWS\system32\udhrat.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [kffo] C:\PROGRA~2\COMMON~1\kffo\kffom.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [kffo] C:\PROGRA~2\COMMON~1\kffo\kffom.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - ESC Trusted Zone: http://runonce.msn.com
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livemetal...r/dlControl.CAB
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.c...driveragent.cab
O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\camaddin.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2saag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files (x86)\FSI\F-Prot\fpavupdm.exe
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

--
End of file - 7520 bytes

-- Files created between 2007-11-08 and 2007-12-08 -----------------------------

2007-12-08 12:59:49 0 d-------- C:\Program Files (x86)\Common Files\Java
2007-12-08 12:43:31 0 d-------- C:\Program Files (x86)\Trend Micro
2007-12-07 23:06:09 0 d-------- C:\Program Files (x86)\SpywareGuard
2007-12-07 16:23:04 0 d-------- C:\Documents and Settings\Administrator\Application Data\GetRightToGo
2007-12-07 02:43:08 119552 --a------ C:\WINDOWS\system32\nljazrum.dat
2007-12-07 02:35:27 19456 --a------ C:\WINDOWS\system32\drivers\ylcgcuoq.dat
2007-12-07 02:35:24 54784 --a------ C:\WINDOWS\system32\audiosrva.dll
2007-12-07 02:35:00 0 d-------- C:\WINDOWS\system32\AppCert
2007-12-07 02:34:45 84992 --a------ C:\WINDOWS\system32\dpvacmv.dll
2007-11-09 23:45:37 500224 --a------ C:\Program Files (x86)\FS0J.EXE


-- Find3M Report ---------------------------------------------------------------

2007-12-08 13:00:07 0 d-------- C:\Program Files (x86)\Java
2007-12-08 12:59:49 0 d-------- C:\Program Files (x86)\Common Files
2007-12-07 22:33:48 0 d-------- C:\Program Files (x86)\Viewpoint
2007-12-07 16:26:42 0 d--h----- C:\Program Files (x86)\InstallShield Installation Information
2007-11-11 14:46:55 0 d-------- C:\Documents and Settings\Administrator\Application Data\LimeWire
2007-11-09 23:39:07 487354 --a------ C:\Program Files (x86)\P9SFS0J.rar
2007-11-09 22:20:04 0 d-------- C:\Program Files (x86)\Activision
2007-11-09 22:17:29 0 d-------- C:\Program Files (x86)\Diablo II
2007-11-05 19:55:00 2 --ahs---- C:\Documents and Settings\Administrator\Application Data\evf
2007-11-04 17:01:35 0 d-------- C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars
2007-11-04 02:53:20 0 d-------- C:\Program Files (x86)\Electronic Arts
2007-10-30 03:25:20 0 d-------- C:\Program Files (x86)\AIM6
2007-10-27 16:33:40 1980198419 --a------ C:\Program Files (x86)\BioShock_PC_Demo.zip
2007-10-27 16:10:01 45975 --a------ C:\Program Files (x86)\aohv4-lbcp.zip
2007-10-27 14:51:27 0 d-------- C:\Documents and Settings\Administrator\Application Data\Codemasters
2007-10-27 14:39:49 0 d-------- C:\Documents and Settings\Administrator\Application Data\InstallShield
2007-10-27 14:39:19 0 d-------- C:\Program Files (x86)\AGEIA Technologies
2007-10-27 14:39:01 0 d-------- C:\Program Files (x86)\Common Files\Wise Installation Wizard
2007-10-27 14:36:33 0 d-------- C:\Program Files (x86)\Common Files\InstallShield
2007-10-26 18:05:22 0 d-------- C:\Documents and Settings\Administrator\Application Data\Bioshock
2007-10-26 17:48:39 0 d-------- C:\Program Files (x86)\Common Files\ATI Technologies
2007-10-26 16:48:19 0 --a------ C:\WINDOWS\ativpsrm.bin
2007-10-26 16:40:45 0 d-------- C:\Documents and Settings\Administrator\Application Data\ATI
2007-10-26 16:10:13 0 d-------- C:\Program Files (x86)\ATI
2007-10-26 16:02:53 0 d-------- C:\Program Files (x86)\ATI Technologies
2007-10-11 20:45:17 0 d-------- C:\Program Files (x86)\Doom 3
2007-09-28 20:05:00 660992 -----n--- C:\WINDOWS\system32\ati2saag.exe <Not Verified; ; ATI Smart>


-- Registry Dump ---------------------------------------------------------------



-- End of Deckard's System Scanner: finished at 2007-12-08 17:06:17 ------------





extra.txt:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows® XP Professional x64 Edition (build 3790) SP 2.0
Architecture: X64; Language: English

CPU 0: AMD Athlon™ 64 Processor 3200+
Percentage of Memory in Use: 21%
Physical Memory (total/avail): 1023.38 MiB / 802.37 MiB
Pagefile Memory (total/avail): 3002.97 MiB / 2561.24 MiB
Virtual Memory (total/avail): 4095.88 MiB / 3946.42 MiB

C: is Fixed (NTFS) - 152.66 GiB total, 52.08 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - Maxtor 6B160M0 - 152.66 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 152.66 GiB - C:



-- Security Center -------------------------------------------------------------

Windows Internal Firewall is enabled.

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files (x86)\\Valve\\Steam\\Steam.exe"="C:\\Program Files (x86)\\Valve\\Steam\\Steam.exe:*:Enabled:Steam"
"C:\\Program Files (x86)\\Valve\\Steam\\SteamApps\\ultrad321\\half-life 2 deathmatch\\hl2.exe"="C:\\Program Files (x86)\\Valve\\Steam\\SteamApps\\ultrad321\\half-life 2 deathmatch\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files (x86)\\AIM\\aim.exe"="C:\\Program Files (x86)\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files (x86)\\Valve\\Steam\\SteamApps\\ultrad321\\counter-strike source\\hl2.exe"="C:\\Program Files (x86)\\Valve\\Steam\\SteamApps\\ultrad321\\counter-strike source\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe"="C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe:*:Enabled:Mozilla Firefox"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer (64-bit)"
"C:\\Program Files (x86)\\FSI\\F-Prot\\F-Sched.exe"="C:\\Program Files (x86)\\FSI\\F-Prot\\F-Sched.exe:*:Enabled:Scheduler"
"C:\\Program Files (x86)\\FSI\\F-Prot\\FP-Win.exe"="C:\\Program Files (x86)\\FSI\\F-Prot\\FP-Win.exe:*:Enabled:OnDemand Scanner"
"C:\\Program Files (x86)\\Lavasoft\\Ad-Aware SE Personal\\Ad-Aware.exe"="C:\\Program Files (x86)\\Lavasoft\\Ad-Aware SE Personal\\Ad-Aware.exe:*:Enabled:Ad-Aware SE Personal"
"C:\\Program Files (x86)\\FSI\\F-Prot\\FP-Updater\\Updater.exe"="C:\\Program Files (x86)\\FSI\\F-Prot\\FP-Updater\\Updater.exe:*:Enabled:Updater"
"C:\\Program Files (x86)\\WASTE\\WASTE.exe"="C:\\Program Files (x86)\\WASTE\\WASTE.exe:*:Enabled:WASTE"
"C:\\Program Files (x86)\\Windows Media Player\\wmplayer.exe"="C:\\Program Files (x86)\\Windows Media Player\\wmplayer.exe:*:Enabled:Windows Media Player"
"C:\\Program Files (x86)\\Microsoft Games\\Halo\\halo.exe"="C:\\Program Files (x86)\\Microsoft Games\\Halo\\halo.exe:*:Enabled:Halo"
"C:\\Program Files (x86)\\Valve\\Steam\\SteamApps\\ultrad321\\half-life 2\\hl2.exe"="C:\\Program Files (x86)\\Valve\\Steam\\SteamApps\\ultrad321\\half-life 2\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files (x86)\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files (x86)\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files (x86)\\Activision\\Call of Duty 2\\CoD2MP_s.exe"="C:\\Program Files (x86)\\Activision\\Call of Duty 2\\CoD2MP_s.exe:*:Enabled:CoD2MP_s"
"C:\\Program Files (x86)\\Sierra\\FEAR\\FEAR.exe"="C:\\Program Files (x86)\\Sierra\\FEAR\\FEAR.exe:*:Enabled:FEAR"
"C:\\Program Files (x86)\\GameSpy Arcade\\Aphex.exe"="C:\\Program Files (x86)\\GameSpy Arcade\\Aphex.exe:*:Enabled:GameSpy Arcade"
"C:\\Program Files (x86)\\Ubisoft\\Crytek\\Far Cry\\Bin32\\FarCry.exe"="C:\\Program Files (x86)\\Ubisoft\\Crytek\\Far Cry\\Bin32\\FarCry.exe:*:Enabled:Far Cry"
"C:\\Program Files (x86)\\Sierra\\FEAR\\fpupdate.exe"="C:\\Program Files (x86)\\Sierra\\FEAR\\fpupdate.exe:*:Enabled:fpupdate"
"C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files (x86)\\EA GAMES\\Battlefield 1942\\BF1942.exe"="C:\\Program Files (x86)\\EA GAMES\\Battlefield 1942\\BF1942.exe:*:Enabled:BF1942"
"C:\\Program Files (x86)\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files (x86)\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\WINDOWS\\system32\\mmc.exe"="C:\\WINDOWS\\system32\\mmc.exe:*:Enabled:Microsoft Management Console"
"C:\\Program Files (x86)\\uTorrent\\uTorrent.exe"="C:\\Program Files (x86)\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files (x86)\\AIM6\\aim6.exe"="C:\\Program Files (x86)\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files (x86)\\BitTorrent_DNA\\dna.exe"="C:\\Program Files (x86)\\BitTorrent_DNA\\dna.exe:*:Enabled:BitTorrent DNA"
"C:\\Program Files (x86)\\BitTorrent\\bittorrent.exe"="C:\\Program Files (x86)\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files (x86)\\iTunes\\iTunes.exe"="C:\\Program Files (x86)\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\WINDOWS\\SysWOW64\\PnkBstrA.exe"="C:\\WINDOWS\\SysWOW64\\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\\WINDOWS\\SysWOW64\\PnkBstrB.exe"="C:\\WINDOWS\\SysWOW64\\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\\WINDOWS\\SysWOW64\\4vmxdpmgs.exe"="C:\\WINDOWS\\SysWOW64\\4vmxdpmgs.exe:*:Disabled:4vmxdpmgs"
"C:\\Program Files (x86)\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"="C:\\Program Files (x86)\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe:*:Enabled:Call of Duty® 4 - Modern Warfare™ "


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CLASSPATH=.;C:\Program Files (x86)\Java\jre1.5.0_04\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files (x86)\Common Files
CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files
CommonProgramW6432=C:\Program Files\Common Files
COMPUTERNAME=DREWS-SGAMER
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\DREWS-SGAMER
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files (x86)\QuickTime\QTSystem\;C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_ARCHITEW6432=AMD64
PROCESSOR_IDENTIFIER=AMD64 Family 15 Model 47 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2f02
ProgramFiles=C:\Program Files (x86)
ProgramFiles(x86)=C:\Program Files (x86)
ProgramW6432=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files (x86)\Java\jre1.5.0_04\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=DREWS-SGAMER
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files (x86)\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> MsiExec /X{85EBB283-65AF-4C53-9EBE-7C0A232762F7}
ABIT uGuru --> RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{FF8500E6-EA0D-11D7-8755-0080C8F92A32}\Setup.exe" -l0x9
Ad-Aware 2007 --> MsiExec.exe /X{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\SysWOW64\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
AGEIA PhysX v7.03.21 --> MsiExec.exe /X{85EBB283-65AF-4C53-9EBE-7C0A232762F7}
AIM 6 --> C:\Program Files (x86)\AIM6\uninst.exe
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Athlon 64 Processor Driver --> RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{C151CE54-E7EA-4804-854B-F515368B0798}\setup.exe" -l0x9
ATI - Software Uninstall Utility --> C:\Program Files (x86)\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI AVIVO Codecs --> MsiExec.exe /I{89DE67AD-08B8-4699-A55D-CA5C0AF82BF3}
ATI Catalyst Control Center --> RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{055EE59D-217B-43A7-ABFF-507B966405D8}\setup.exe" -l0x0
ATI Control Panel --> C:\PROGRA~2\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{F8A2AF2E-DDE7-429C-A803-89FA9E0F4805} /l1033
Birth of the Federation --> C:\WINDOWS\IsUninst.exe -f"c:\program files (x86)\botf\Uninst.isu"
Call of Duty® 2 --> C:\PROGRA~2\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{D0A05794-48C2-4424-A15A-9F20FCFDD374} /l1033
Call of Duty® 4 - Modern Warfare™ --> C:\Program Files (x86)\InstallShield Installation Information\{E48469CC-635E-4FD5-A122-1497C286D217}\setup.exe -runfromtemp -l0x0409
Call of Duty® 4 - Modern Warfare™ 1.2 Patch --> C:\Program Files (x86)\InstallShield Installation Information\{E5141379-B2D9-4BBC-BB2A-5805541571DD}\setup.exe -runfromtemp -l0x0409
Call of Duty® 4 - Modern Warfare™ 1.3 Patch --> C:\Program Files (x86)\InstallShield Installation Information\{050C1C8E-4A4D-4C2F-B9AE-67E60EE91B7F}\setup.exe -runfromtemp -l0x0409
Catalyst Registration --> MsiExec.exe /X{5E2691D1-9EDF-43E8-9CF2-E3DF6A17706E}
Command & Conquer 3 --> MsiExec.exe /I{DDEDAF6C-488E-4CDA-8276-1CCF5F3C5C32}
Command & Conquer Red Alert 2 --> C:\Westwood\RA2\Uninstll.EXE
Doom 3 --> C:\PROGRA~2\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{584267B8-0BB0-4D18-9FFA-726576619E9A} /l1033 /x
Doom II for Windows 95 --> C:\Program Files\Doom II for Windows 95\uninstl.exe /S C:\Program Files\Doom II for Windows 95
F-Prot for Windows --> RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{9FD12630-1991-46F5-8479-92DE1EAE87DA}\setup.exe" -l0x9
Far Cry --> C:\PROGRA~2\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{D6DBDC2A-E72C-4284-B6AD-6B3B61B4DABC}
FEAR --> RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{2B653229-9854-4989-B780-D978F5F13EAB}\setup.exe" -l0x9 /zU -removeonly
GameSpy Arcade --> C:\PROGRA~2\GAMESP~1\UNWISE.EXE C:\PROGRA~2\GAMESP~1\INSTALL.LOG
Google Earth --> RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Half-Life 2: Episode Two --> "C:\Program Files (x86)\Valve\Steam\steam.exe" steam://uninstall/420
Half-Life® 2 --> MsiExec.exe /I{D45EC259-4A19-4656-B588-C2C360DD18EA}
HijackThis 1.99.1 --> C:\Program Files (x86)\hijackthis\HijackThis.exe /uninstall
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
iTunes --> MsiExec.exe /I{B8A204BC-7177-470E-BBDD-47256D05B325}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
LimeWire 4.14.8 --> "C:\Program Files (x86)\LimeWire\uninstall.exe"
Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Max Payne --> RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{39930321-4C58-4B8B-BCBF-342698C9801D}\Setup.exe" uninstall uninstall
Max Payne 2 --> RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\PROFES~1\RunTime701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{EFE1AB94-5466-4B6E-BE31-FF4C115FD25D}\Setup.exe" -l0x9
Medieval II Total War --> C:\Program Files (x86)\InstallShield Installation Information\{C0698BDA-0D29-40EE-8570-A31106DF9AB1}\setup.exe -runfromtemp -l0x0009 -removeonly
Medieval II Total War : Kingdoms : Americas --> C:\Program Files (x86)\InstallShield Installation Information\{75983B66-804C-40D1-BA13-64DAF652A6F1}\setup.exe -runfromtemp -l0x0009 -removeonly
Medieval II Total War : Kingdoms : Britannia --> C:\Program Files (x86)\InstallShield Installation Information\{CEDDEE73-3D36-41C2-AA40-29355D9FBD63}\setup.exe -runfromtemp -l0x0009 -removeonly
Medieval II Total War : Kingdoms : Crusades --> C:\Program Files (x86)\InstallShield Installation Information\{02A10468-2F1C-447C-AD8E-4DEDDEA25AE2}\setup.exe -runfromtemp -l0x0009 -removeonly
Medieval II Total War : Kingdoms : Teutonic --> C:\Program Files (x86)\InstallShield Installation Information\{7AEE1963-7001-4C37-BC20-2FAEB74AA41C}\setup.exe -runfromtemp -l0x0009 -removeonly
Microsoft .NET Framework 1.1 --> msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 --> MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 Hotfix (KB928366) --> "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft Halo --> "C:\Program Files (x86)\Microsoft Games\Halo\UNINSTAL.EXE" /runtemp /addremove
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{91110409-6000-11D3-8CFE-0150048383C9}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual J# .NET Redistributable Package 1.1 --> MsiExec.exe /X{1A655D51-1423-48A3-B748-8F5A0BE294C8}
Mozilla Firefox (1.0.7) --> C:\WINDOWS\UninstallFirefox.exe /ua "1.0.7 (en-US)"
MSXML 4.0 SP2 (KB927978) --> MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 Parser and SDK --> MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
MSXML4 Parser --> MsiExec.exe /I{01501EBA-EC35-4F9F-8889-3BE346E5DA13}
Nero OEM --> C:\Program Files (x86)\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NvMixer --> RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{D7A6C517-11F2-419F-B5BB-27772B939698}\Setup.exe" -uninstall
Pocket Tanks 1.00b --> "C:\Program Files (x86)\Pocket Tanks\unins000.exe"
PowerDVD --> RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
RealPlayer --> C:\Program Files (x86)\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Rome - Total War™ --> C:\PROGRA~2\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{4089999C-6CB7-4F9D-A2F6-DB158DBF91FB} /l1033 /x
Rome Total War - patch 1.3 --> RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\PROFES~1\RunTime701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{A5D65411-8E73-4C85-AD80-9FE8B7391CF9}\Setup.exe" -l0x9
Security Update for Microsoft .NET Framework 2.0 (x64) (KB928365) --> C:\WINDOWS\SysWOW64\msiexec.exe /promptrestart /uninstall {8056AC9E-49C5-4375-9ADE-B2F862C9DF51} /package {B6EC01E7-431D-4D29-B9D4-E1D74CAF0AB0}
Sid Meier's Civilization 4 --> RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\Intel32\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{CFBCE791-2D53-4FCE-B3FB-D6E01F4112E8}\setup.exe" -l0x9 -removeonly
Spybot - Search & Destroy 1.4 --> "C:\Program Files (x86)\Spybot - Search & Destroy\unins000.exe"
Starcraft --> C:\WINDOWS\SCunin.exe C:\WINDOWS\SCunin.dat
Steam™ --> MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
SWF Opener --> "C:\Program Files (x86)\UnH Solutions\SWF Opener\unins000.exe"
TeamSpeak 2 RC2 --> "C:\Program Files (x86)\Teamspeak2_RC2\unins000.exe"
Total Realism Mod --> C:\Program Files (x86)\Firaxis Games\Sid Meier's Civilization 4\Mods\Total Realism\uninstall.exe
Ultimate Doom for Windows 95 --> C:\Program Files\Ultimate Doom for Windows 95\uninstl.exe /S C:\Program Files\Ultimate Doom for Windows 95
Window Washer --> C:\WINDOWS\Unwash6.exe
WinRAR archiver --> C:\Program Files (x86)\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type3452 / Error
Event Submitted/Written: 12/07/2007 09:58:51 PM
Event ID/Source: 0 / wwSecure.exe
Event Description:
The service process could not connect to the service controller

Event Record #/Type3447 / Error
Event Submitted/Written: 12/07/2007 02:02:33 PM
Event ID/Source: 10005 / MsiInstaller
Event Description:
Product: F-PROT Antivirus for Windows -- This setup of F-PROT Antivirus for Windows requires 32-bit Windows 2000, Windows XP or Windows Server 2003. To install F-PROT Antivirus on 64-bit Windows please use 64-bit version of F-PROT Antivirus for Windows

Event Record #/Type3445 / Error
Event Submitted/Written: 12/07/2007 02:00:56 PM
Event ID/Source: 10005 / MsiInstaller
Event Description:
Product: F-PROT Antivirus for Windows -- This setup of F-PROT Antivirus for Windows requires 32-bit Windows 2000, Windows XP or Windows Server 2003. To install F-PROT Antivirus on 64-bit Windows please use 64-bit version of F-PROT Antivirus for Windows

Event Record #/Type3443 / Error
Event Submitted/Written: 12/07/2007 01:57:35 PM
Event ID/Source: 10005 / MsiInstaller
Event Description:
Product: F-PROT Antivirus for Windows -- This setup of F-PROT Antivirus for Windows requires 32-bit Windows 2000, Windows XP or Windows Server 2003. To install F-PROT Antivirus on 64-bit Windows please use 64-bit version of F-PROT Antivirus for Windows

Event Record #/Type3433 / Error
Event Submitted/Written: 11/29/2007 04:48:33 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16544, faulting module flash9d.ocx, version 9.0.47.0, fault address 0x0009a014.
Processing media-specific event for [iexplore.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type37726 / Error
Event Submitted/Written: 12/08/2007 04:48:04 PM / 12/08/2007 04:48:05 PM
Event ID/Source: 12294 / ati2mtag
Event Description:


Event Record #/Type37710 / Error
Event Submitted/Written: 12/08/2007 03:35:47 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Keyboard Class Monitor service failed to start due to the following error:
%%1083

Event Record #/Type37706 / Error
Event Submitted/Written: 12/08/2007 03:35:16 PM / 12/08/2007 03:35:21 PM
Event ID/Source: 12294 / ati2mtag
Event Description:


Event Record #/Type37703 / Error
Event Submitted/Written: 12/08/2007 03:34:58 PM / 12/08/2007 03:35:21 PM
Event ID/Source: 1060 / Application Popup
Event Description:
\SystemRoot\SysWow64\Drivers\GEARAspiWDM.sys has been blocked from loading due to incompatibility with this system. Please contact your software
vendor for a compatible version of the driver.

Event Record #/Type37702 / Error
Event Submitted/Written: 12/08/2007 03:34:58 PM / 12/08/2007 03:35:21 PM
Event ID/Source: 1060 / Application Popup
Event Description:
\SystemRoot\SysWow64\Drivers\GEARAspiWDM.sys has been blocked from loading due to incompatibility with this system. Please contact your software
vendor for a compatible version of the driver.



-- End of Deckard's System Scanner: finished at 2007-12-08 16:55:54 ------------




Latest HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:08 PM, on 12/08/2007
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files (x86)\FSI\F-Prot\fpavupdm.exe
C:\Program Files (x86)\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files (x86)\Webroot\Washer\wwDisp.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\WINDOWS\SysWOW64\PnkBstrA.exe
C:\Program Files (x86)\FSI\F-Prot\F-Sched.exe
C:\WINDOWS\SysWOW64\wwSecure.exe
C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files (x86)\iPod\bin\iPodService.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O1 - Hosts: be placed in the first column followed by the corresponding host name.
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {10F02D85-BCB8-4AD4-BCA8-CBBA548FC64B} - C:\WINDOWS\SysWow64\dpvacmv.dll
O2 - BHO: (no name) - {293D6DCB-E93F-42F9-BB5B-A11EF759210C} - C:\WINDOWS\SysWow64\dpvacmv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7BCD843D-31F6-493D-BDA9-BDC6F721542C} - C:\WINDOWS\SysWow64\dpvacmv.dll
O4 - HKLM\..\Run: [FRISK FP-Scheduler] "C:\Program Files (x86)\FSI\F-Prot\F-Sched.exe" STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [CatalystRegistration] "C:\Program Files (x86)\ATI\CatalystRegistration\dolce.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files (x86)\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Window Washer] C:\Program Files (x86)\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe /startupscan
O4 - HKCU\..\Policies\Explorer\Run: [udhrat] C:\WINDOWS\system32\udhrat.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [kffo] C:\PROGRA~2\COMMON~1\kffo\kffom.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [kffo] C:\PROGRA~2\COMMON~1\kffo\kffom.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - ESC Trusted Zone: http://runonce.msn.com
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livemetal...r/dlControl.CAB
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.c...driveragent.cab
O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\camaddin.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2saag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files (x86)\FSI\F-Prot\fpavupdm.exe
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

--
End of file - 7734 bytes



Edited by Ultrad321, 09 December 2007 - 12:31 AM.


#9 HJThis

HJThis

    Advanced Member

  • Volunteer Security Advisor
  • 4076 posts

Posted 09 December 2007 - 03:29 AM

Hi, Ultrad321

Sorry for the hold-up here, I ran into a problem of my own. I would like to have a look at some files here.

Please submit the following files for analysis.

Jotti File Submission:

1. Please go to Jotti's malware scan.
2. Copy and paste the following file path into the "File to upload & scan" box at the top of the page:

C:\WINDOWS\SysWow64\dpvacmv.dll
C:\WINDOWS\system32\udhrat.exe
C:\WINDOWS\system32\nljazrum.dat
C:\WINDOWS\system32\drivers\ylcgcuoq.dat
C:\WINDOWS\system32\audiosrva.dll
C:\WINDOWS\SysWOW64\4vmxdpmgs.exe


3. Click on the submit button.
4. Please post the results in your next reply.

Please note that if you are submitting more than one file they will have to be entered one at a time.

Please come back here with the scan results.

Gogo ;)
Die Hijacker Die

Member of
ALLIANCE OF SECURITY ANALYSIS PROFESSIONALS

Since 2004

Warning My killer dog at work.


#10 Ultrad321

Ultrad321

    Member

  • Members
  • 20 posts

Posted 09 December 2007 - 04:39 AM

OK, here are my results:

File: dpvacmv.dll
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: b9c228372922f8901791e9c11274d5c7
Packers detected: PE_PATCH.UPX, UPX
Bit9 reports: File not found
Scan taken on 09 Dec 2007 04:20:54 (GMT)
A-Squared Found nothing
AntiVir Found TR/Spy.BZub.NGP.7
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Trojan.Spy.Bzub.NGP
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found Trojan.DownLoader.origin
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found Trojan-PWS.Win32.Lmir
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found BZub.ARU
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


udhrat.exe (note: this was a problem file that I got rid of last year, or so I thought, so the file itself might not still be on my comp)

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file


File: nljazrum.dat
Status: OK
MD5: 343dcf82198435f175d4bf252c5b2fee
Packers detected: -
Bit9 reports: File not found

Scanner results
Scan taken on 09 Dec 2007 04:25:01 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

ylcgcuoq.dat

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

File: audiosrva.dll
Status: INFECTED/MALWARE
MD5: afb9102775751a5a2ad07fb25b971d89
Packers detected: -
Bit9 reports: File not found

Scanner results
Scan taken on 09 Dec 2007 04:28:53 (GMT)
A-Squared Found nothing
AntiVir Found TR/Crypt.Morphine.Gen
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found Obfustat.ABPN
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

4vmxdpmgs.exe (note I manually deleted this file earlier)

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file
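
The multi-engine results pasted above are easier to act on once summarised: how many engines flagged each file, which family name they agree on, what packer was seen, and which uploads came through as 0 bytes (the file was already gone, or something on the machine stopped it being read). The Python below is an added example, not code from this thread or from Jotti; it parses that pasted format. The sample text is copied from the dpvacmv.dll and udhrat.exe results above, while the regexes and the list of "generic" name tokens are my own assumptions.

```python
"""Summarise pasted Jotti-style multi-engine scan results (added example)."""
import re
from dataclasses import dataclass, field

# "File: name.dll" header, or a bare file name typed before a "0 bytes" notice.
FILE_RE = re.compile(r"^(?:File:\s*)?(\S+\.(?:dll|exe|dat|sys))\s*$", re.I)
# "<engine name> Found <verdict>"; engine names may contain spaces.
VERDICT_RE = re.compile(r"^(?P<engine>.+?)\s+Found\s+(?P<verdict>.+)$")
# Name tokens too generic to identify a family (assumed list, extend as needed).
GENERIC = {"tr", "trojan", "spy", "win32", "gen", "generic", "origin",
           "pws", "downloader", "crypt", "obfustat"}


@dataclass
class ScanResult:
    filename: str
    md5: str = ""
    packers: list = field(default_factory=list)
    verdicts: dict = field(default_factory=dict)  # engine -> verdict text
    upload_blocked: bool = False

    @property
    def detections(self):
        return {e: v for e, v in self.verdicts.items() if v.lower() != "nothing"}

    def summary(self):
        if self.upload_blocked:
            return f"{self.filename}: 0-byte upload (file gone, or reading it was blocked)"
        fam = consensus_family(self) or "no consensus"
        return (f"{self.filename}: {len(self.detections)}/{len(self.verdicts)} engines "
                f"flagged it, family '{fam}', packers {self.packers or '-'}")


def parse_jotti(text):
    """Split pasted results into one ScanResult per submitted file."""
    results, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_RE.match(line)
        if m:
            current = ScanResult(filename=m.group(1))
            results.append(current)
            continue
        if current is None:
            continue
        if line.startswith("MD5:"):
            current.md5 = line.split(":", 1)[1].strip()
        elif line.startswith("Packers detected:"):
            value = line.split(":", 1)[1].strip()
            current.packers = [] if value == "-" else [p.strip() for p in value.split(",")]
        elif "uploaded is 0 bytes" in line:
            current.upload_blocked = True
        else:
            v = VERDICT_RE.match(line)
            if v:
                current.verdicts[v.group("engine")] = v.group("verdict")
    return results


def consensus_family(result):
    """Most common non-generic name token shared by at least two engines."""
    counts = {}
    for verdict in result.detections.values():
        for tok in set(re.split(r"[^a-z0-9]+", verdict.lower())):
            if len(tok) >= 3 and not tok.isdigit() and tok not in GENERIC:
                counts[tok] = counts.get(tok, 0) + 1
    if not counts:
        return None
    tok, n = max(counts.items(), key=lambda kv: kv[1])
    return tok if n >= 2 else None


# Constructed sample: copied from the results posted above.
SAMPLE = """\
File: dpvacmv.dll
Status: INFECTED/MALWARE
MD5: b9c228372922f8901791e9c11274d5c7
Packers detected: PE_PATCH.UPX, UPX
Scan taken on 09 Dec 2007 04:20:54 (GMT)
A-Squared Found nothing
AntiVir Found TR/Spy.BZub.NGP.7
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Trojan.Spy.Bzub.NGP
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found Trojan.DownLoader.origin
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found Trojan-PWS.Win32.Lmir
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found BZub.ARU
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

udhrat.exe
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file
"""

if __name__ == "__main__":
    for r in parse_jotti(SAMPLE):
        print(r.summary())
```

For the dpvacmv.dll block this reports 5 of 21 engines, family consensus "bzub" (three engines name it), and the UPX packing; the udhrat.exe entry is reported as a blocked upload rather than a clean file, which is the distinction that matters when deciding whether a path is really gone.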

#11 HJThis

HJThis

    Advanced Member

  • Volunteer Security Advisor
  • 4076 posts

Posted 09 December 2007 - 04:53 AM

Hey, Ultrad321

Hmm, could I ask that you run this tool for me? Then post a new HijackThis logfile.

http://www.f-secure....s/f-look2me.exe

Once downloaded

Run the tool by double-clicking on f-look2me.exe.
Reboot the machine.

Gogo ;)

#12 Ultrad321

Ultrad321

    Member

  • Members
  • 20 posts

Posted 09 December 2007 - 05:26 AM

It keeps telling me that Look2Me is not found. I tried actually going to the website and downloading the zip too, but it did not work either.

I don't know if that means that the Look2Me virus is not on my computer, or if the program doesn't work right, but here is my HJT log anyway.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:32 AM, on 12/09/2007
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files (x86)\FSI\F-Prot\fpavupdm.exe
C:\WINDOWS\SysWOW64\PnkBstrA.exe
C:\WINDOWS\SysWOW64\wwSecure.exe
C:\Program Files (x86)\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files (x86)\AIM6\aim6.exe
C:\Program Files (x86)\Webroot\Washer\wwDisp.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\Program Files (x86)\FSI\F-Prot\F-Sched.exe
C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\ATI\CatalystRegistration\dolce.exe
C:\Program Files (x86)\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files (x86)\iPod\bin\iPodService.exe
C:\Program Files (x86)\AIM6\aolsoftware.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O1 - Hosts: be placed in the first column followed by the corresponding host name.
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {10F02D85-BCB8-4AD4-BCA8-CBBA548FC64B} - C:\WINDOWS\SysWow64\dpvacmv.dll
O2 - BHO: (no name) - {293D6DCB-E93F-42F9-BB5B-A11EF759210C} - C:\WINDOWS\SysWow64\dpvacmv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7BCD843D-31F6-493D-BDA9-BDC6F721542C} - C:\WINDOWS\SysWow64\dpvacmv.dll
O4 - HKLM\..\Run: [FRISK FP-Scheduler] "C:\Program Files (x86)\FSI\F-Prot\F-Sched.exe" STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [CatalystRegistration] "C:\Program Files (x86)\ATI\CatalystRegistration\dolce.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files (x86)\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Window Washer] C:\Program Files (x86)\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe /startupscan
O4 - HKCU\..\Policies\Explorer\Run: [udhrat] C:\WINDOWS\system32\udhrat.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [kffo] C:\PROGRA~2\COMMON~1\kffo\kffom.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [kffo] C:\PROGRA~2\COMMON~1\kffo\kffom.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - ESC Trusted Zone: http://runonce.msn.com
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livemetal...r/dlControl.CAB
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.c...driveragent.cab
O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\camaddin.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2saag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files (x86)\FSI\F-Prot\fpavupdm.exe
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

--
End of file - 7790 bytes

Edited by Ultrad321, 09 December 2007 - 05:38 AM.


#13 HJThis

HJThis

    Advanced Member

  • Volunteer Security Advisor
  • 4076 posts

Posted 09 December 2007 - 08:24 AM

Hey, Ultrad321

Sorry about the delay, my wireless has gone nuts today.

Now download The Avenger by Swandog46, and save it to your Desktop.

Don't run it just yet!

=========================

Open Notepad and copy and paste the following quotebox into a new text document. (Don't forget to copy and paste REGEDIT4!)
(Do not copy the word quote.)

REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10F02D85-BCB8-4AD4-BCA8-CBBA548FC64B}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{293D6DCB-E93F-42F9-BB5B-A11EF759210C}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7BCD843D-31F6-493D-BDA9-BDC6F721542C}]


Save this as fix.reg (choose "All files" as the save type) and place it on your Desktop.
It should look like this:
Double-click on it and when it asks you if you want to merge the contents to the registry, click Yes/OK.

=======================

Now run

Extract avenger.exe from the Zip file and save it to your desktop
Run avenger.exe by double-clicking on it.
Check the 'Input script manually' box.
Click on the magnifying glass icon.
Copy everything in the Quote box below, and paste it in the box that opens:

Files to delete:
C:\WINDOWS\SysWow64\dpvacmv.dll
C:\WINDOWS\system32\udhrat.exe
C:\WINDOWS\system32\nljazrum.dat
C:\WINDOWS\system32\drivers\ylcgcuoq.dat
C:\WINDOWS\system32\audiosrva.dll
C:\WINDOWS\SysWOW64\4vmxdpmgs.exe
C:\WINDOWS\system32\camaddin.dll


Now click the 'Done' button.
Click on the traffic light icon and OK the prompt.
You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
A log file from Avenger will be produced at C:\avenger.txt

===========================

Please make sure to do a reboot, then come back here with the Avenger.txt and a new HijackThis log.

Gogo ;)
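The fix.reg above deletes the three Browser Helper Object registrations that point at dpvacmv.dll, and the Avenger script deletes the DLL itself. As an added example (not the advisor's, HijackThis's or Avenger's own code), the Python below shows how those CLSIDs can be pulled out of the pasted O2 lines and the same REGEDIT4 file generated from them, using a heuristic that flags an unnamed BHO loaded straight out of a Windows system directory, or one whose DLL is already gone, while leaving named and third-party entries alone (Spybot's SDHelper.dll is also listed as "(no name)" but lives under Program Files, so it is not touched). The sample lines are copied from the HijackThis log posted earlier in this thread; the heuristic, the helper names and the assumption that C: is the system drive are mine.

```python
"""Flag unnamed Browser Helper Objects in pasted HijackThis O2 lines and
build the REGEDIT4 file that removes their registrations (added example)."""
import re

# One O2 line: name, {CLSID}, DLL path, optional "(file missing)" suffix.
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
BHO_KEY = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")
# On x64 Windows the 32-bit Internet Explorer loads its BHOs from SysWOW64,
# so both directories count as "system" here (assumes C: is the system drive).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed sample: O2 lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {10F02D85-BCB8-4AD4-BCA8-CBBA548FC64B} - C:\WINDOWS\SysWow64\dpvacmv.dll
O2 - BHO: (no name) - {293D6DCB-E93F-42F9-BB5B-A11EF759210C} - C:\WINDOWS\SysWow64\dpvacmv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7BCD843D-31F6-493D-BDA9-BDC6F721542C} - C:\WINDOWS\SysWow64\dpvacmv.dll
"""


def parse_bhos(log_text):
    """Return one dict {name, clsid, path, missing} per O2 line in the log."""
    out = []
    for line in log_text.splitlines():
        m = BHO_RE.match(line.strip())
        if m:
            out.append({
                "name": m.group("name"),
                "clsid": m.group("clsid").upper(),
                "path": m.group("path"),
                "missing": m.group("missing") is not None,
            })
    return out


def is_suspicious(bho):
    """Heuristic: an unnamed BHO whose DLL sits directly in a Windows system
    directory, or an orphaned registration whose DLL has already been removed."""
    in_system_dir = bho["path"].lower().startswith(SYSTEM_DIRS)
    return bho["missing"] or (bho["name"] == "(no name)" and in_system_dir)


def removal_reg(bhos):
    """Build REGEDIT4 text that deletes the registry keys of suspicious BHOs."""
    lines = ["REGEDIT4", ""]
    for bho in bhos:
        if is_suspicious(bho):
            lines.append(f"[-{BHO_KEY}\\{{{bho['clsid']}}}]")
    return "\n".join(lines) + "\n"


def files_to_delete(bhos):
    """Distinct DLL paths behind suspicious BHOs that the log still shows on disk."""
    seen = []
    for bho in bhos:
        if is_suspicious(bho) and not bho["missing"] and bho["path"] not in seen:
            seen.append(bho["path"])
    return seen


if __name__ == "__main__":
    found = parse_bhos(SAMPLE_LOG)
    print(removal_reg(found))
    print("Files to delete:")
    for path in files_to_delete(found):
        print(path)
```

Run against the sample it prints a REGEDIT4 file with exactly the three {10F02D85-...}, {293D6DCB-...} and {7BCD843D-...} keys from the fix.reg above and a single file to delete, C:\WINDOWS\SysWow64\dpvacmv.dll. The path check is the important caveat: on this x64 machine the 32-bit DLL lives under SysWOW64, not system32, which is also why a 32-bit tool like Avenger can see a different directory than the one named in its script.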

#14 Ultrad321

Ultrad321

    Member

  • Members
  • 20 posts

Posted 09 December 2007 - 09:07 AM

OK, here's what's happening. Because of my 64-bit system I have to run Avenger in compatibility mode in the first place. Even so, everything goes normally until after it boots back up, when in the black DOS program operation box it says a whole bunch of stuff about not having the right files, etc. It goes away after a few seconds and the log file is blank.

And the offending items still show up on HJT.

Do you know why my Avenger is messing up? Is HJT capable of fixing these?

New HJT log just for the hell of it. Something new is on there too, I think: O4 - HKLM\..\Run: [ksrilaxa] C:\ctjekswn.bat. I don't recognize this one; it might be suspicious.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:28 AM, on 12/09/2007
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files (x86)\FSI\F-Prot\fpavupdm.exe
C:\WINDOWS\SysWOW64\PnkBstrA.exe
C:\WINDOWS\SysWOW64\wwSecure.exe
C:\Program Files (x86)\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files (x86)\Webroot\Washer\wwDisp.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files (x86)\FSI\F-Prot\F-Sched.exe
C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files (x86)\iPod\bin\iPodService.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O1 - Hosts: be placed in the first column followed by the corresponding host name.
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {10F02D85-BCB8-4AD4-BCA8-CBBA548FC64B} - C:\WINDOWS\SysWow64\dpvacmv.dll
O2 - BHO: (no name) - {293D6DCB-E93F-42F9-BB5B-A11EF759210C} - C:\WINDOWS\SysWow64\dpvacmv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7BCD843D-31F6-493D-BDA9-BDC6F721542C} - C:\WINDOWS\SysWow64\dpvacmv.dll
O4 - HKLM\..\Run: [FRISK FP-Scheduler] "C:\Program Files (x86)\FSI\F-Prot\F-Sched.exe" STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [CatalystRegistration] "C:\Program Files (x86)\ATI\CatalystRegistration\dolce.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ksrilaxa] C:\ctjekswn.bat
O4 - HKCU\..\Run: [Window Washer] C:\Program Files (x86)\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe /startupscan
O4 - HKCU\..\Policies\Explorer\Run: [udhrat] C:\WINDOWS\system32\udhrat.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [kffo] C:\PROGRA~2\COMMON~1\kffo\kffom.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [kffo] C:\PROGRA~2\COMMON~1\kffo\kffom.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - ESC Trusted Zone: http://runonce.msn.com
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livemetal...r/dlControl.CAB
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.c...driveragent.cab
O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\camaddin.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2saag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files (x86)\FSI\F-Prot\fpavupdm.exe
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

--
End of file - 7653 bytes

Edited by Ultrad321, 09 December 2007 - 09:42 AM.


#15 HJThis

HJThis

    Advanced Member

  • Volunteer Security Advisor
  • 4076 posts

Posted 09 December 2007 - 04:29 PM

Hey, Ultrad321

Sorry, I keep thinking you're on XP! Not sure it will work on 2003. Let's see if we can get them this way.

1. Close all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Put a checkmark in the checkbox labeled Display the contents of system folders.
6. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
7. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
8. Remove the checkmark from the checkbox labeled Hide protected operating system files.
9. Press the Apply button and then the OK button and shut down My Computer.
10. Now your computer is configured to show all hidden files.

===================================

Reboot into safe mode. To do so, restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

===================================

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these FILES (if present):
C:\WINDOWS\SysWow64\dpvacmv.dll<---This file
C:\WINDOWS\system32\udhrat.exe<---This file
C:\WINDOWS\system32\nljazrum.dat<---This file
C:\WINDOWS\system32\drivers\ylcgcuoq.dat<---This file
C:\WINDOWS\system32\audiosrva.dll<---This file
C:\WINDOWS\SysWOW64\4vmxdpmgs.exe<---This file
C:\WINDOWS\system32\camaddin.dll<---This file

===================================

NOTE: As for the last file found let it be for now. Let's find out what it is first.

After doing the above, reboot and tell me how it goes. Show me a new HijackThis logfile.

Gogo ;)

#16 Ultrad321

Ultrad321

    Member

  • Members
  • 20 posts

Posted 09 December 2007 - 06:50 PM

One thing is that (before the deleting of these files, haven't had any yet) I have noticed the popups returning: every once in a while the warning triangle would come up with "SCAN YOUR SYSTEM--NOW!", etc., and I would click it to make it go away.

Here is how it went:

C:\WINDOWS\SysWow64\dpvacmv.dll<---This file* (deleted)
C:\WINDOWS\system32\udhrat.exe<---This file* (not present)
C:\WINDOWS\system32\nljazrum.dat<---This file* (deleted)
C:\WINDOWS\system32\audiosrva.dll<---This file* (deleted)
C:\WINDOWS\SysWOW64\4vmxdpmgs.exe<---This file* (not present)
C:\WINDOWS\system32\camaddin.dll<---This file* (not present)

All good, 3 files deleted, 3 not present (two of which I had deleted earlier, udhrat and 4vmx), except that C:\WINDOWS\SysWOW64\Drivers\ylcgcuoq.dat<---Windows said that this file is in use (because it is not checked read-only, it is not write protected) and won't let me delete it. I tried using HijackThis' delete-on-reboot feature but it did not work. Also, now that I have its actual location I tried to scan it at Jotti's, but it is being blocked. I know it is not 0 bytes because it is 19 KB. It is somehow blocking its own scan and deletion.

Don't want to count my chickens before they hatch, but after deleting those files I have not been redirected in my searches (knock on wood * * *). The internet still seems sluggish, but that probably is just ylcgcuoq and/or that new file from before.

Here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:43 PM, on 12/09/2007
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files (x86)\FSI\F-Prot\fpavupdm.exe
C:\WINDOWS\SysWOW64\PnkBstrA.exe
C:\WINDOWS\SysWOW64\wwSecure.exe
C:\Program Files (x86)\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files (x86)\Webroot\Washer\wwDisp.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\Program Files (x86)\FSI\F-Prot\F-Sched.exe
C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files (x86)\iPod\bin\iPodService.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O1 - Hosts: be placed in the first column followed by the corresponding host name.
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {10F02D85-BCB8-4AD4-BCA8-CBBA548FC64B} - C:\WINDOWS\SysWow64\dpvacmv.dll (file missing)
O2 - BHO: (no name) - {293D6DCB-E93F-42F9-BB5B-A11EF759210C} - C:\WINDOWS\SysWow64\dpvacmv.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7BCD843D-31F6-493D-BDA9-BDC6F721542C} - C:\WINDOWS\SysWow64\dpvacmv.dll (file missing)
O4 - HKLM\..\Run: [FRISK FP-Scheduler] "C:\Program Files (x86)\FSI\F-Prot\F-Sched.exe" STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [CatalystRegistration] "C:\Program Files (x86)\ATI\CatalystRegistration\dolce.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [Window Washer] C:\Program Files (x86)\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe /startupscan
O4 - HKCU\..\Policies\Explorer\Run: [udhrat] C:\WINDOWS\system32\udhrat.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [kffo] C:\PROGRA~2\COMMON~1\kffo\kffom.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [kffo] C:\PROGRA~2\COMMON~1\kffo\kffom.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - ESC Trusted Zone: http://runonce.msn.com
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livemetal...r/dlControl.CAB
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.c...driveragent.cab
O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\camaddin.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2saag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files (x86)\FSI\F-Prot\fpavupdm.exe
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

--
End of file - 7597 bytes

Edited by Ultrad321, 09 December 2007 - 07:06 PM.


#17 HJThis

HJThis

    Advanced Member

  • Volunteer Security Advisor
  • 4076 posts

Posted 09 December 2007 - 08:21 PM

Hey, Ultrad321

Nice work. Not sure if this tool will work, but give it a try.

=======================
Please download OTMoveIt by OldTimer.

* Save it to your desktop.

Don't run it just yet!

=======================
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {10F02D85-BCB8-4AD4-BCA8-CBBA548FC64B} - C:\WINDOWS\SysWow64\dpvacmv.dll (file missing)
O2 - BHO: (no name) - {293D6DCB-E93F-42F9-BB5B-A11EF759210C} - C:\WINDOWS\SysWow64\dpvacmv.dll (file missing)
O2 - BHO: (no name) - {7BCD843D-31F6-493D-BDA9-BDC6F721542C} - C:\WINDOWS\SysWow64\dpvacmv.dll (file missing)

O4 - HKCU\..\Policies\Explorer\Run: [udhrat] C:\WINDOWS\system32\udhrat.exe

O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\camaddin.dll (file missing)

Now close all windows and browsers, other than HiJackThis, then click Fix Checked.

Close Hijackthis.

===========================

Run the tool.

* Save it to your desktop.
* Please double-click OTMoveIt.exe to run it.
* Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\WINDOWS\system32\udhrat.exe
C:\WINDOWS\SysWOW64\Drivers\ylcgcuoq.dat

* Return to OTMoveIt, right-click on the "Paste List of Files/Folders to be moved" window and choose Paste.
* Click the red Moveit! button.
* Close OTMoveIt.

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please "Copy" the results from the "Results" window (to the right) and then "Paste" them into your next reply on the forum.

=========================

Come back here with results from OTMoveIt and new HijackThis log.

Gogo :o
Die Hijacker Die

Member of
ALLIANCE OF SECURITY ANALYSIS PROFESSIONALS

Since 2004

Warning My killer dog at work.

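As an added example (not part of this thread, and not a HijackThis or OTMoveIt feature), a small Python triage pass that reads HijackThis-style lines, flags the three entry shapes HJThis singled out above, and pulls out the paths still on disk for a move list. The sample lines are constructed from the logs quoted in this thread, and the rules are heuristics for review, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Sample HijackThis-style lines, constructed from the logs quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {10F02D85-BCB8-4AD4-BCA8-CBBA548FC64B} - C:\WINDOWS\SysWow64\dpvacmv.dll (file missing)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Policies\Explorer\Run: [udhrat] C:\WINDOWS\system32\udhrat.exe
O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\camaddin.dll (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe
"""
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$", re.M)
RULES = (  # (section, test(body, file_missing), reason): the shapes HJThis singled out
    ("O2", lambda b, miss: "(no name)" in b and miss, "unnamed BHO whose DLL is missing"),
    ("O4", lambda b, miss: r"\Policies\Explorer\Run" in b, "autorun under Policies\\Explorer\\Run"),
    ("O20", lambda b, miss: miss, "Winlogon Notify hook whose DLL is missing"),
)
@dataclass
class Finding:
    section: str
    reason: str
    path: Optional[str]
    missing: bool  # HijackThis reported "(file missing)"

def entry_path(body: str) -> Optional[str]:
    """Best-effort: pull the file path out of an entry body."""
    if "] " in body:                     # O4 style: [name] path [args]
        path = body.split("] ", 1)[1]
    else:                                # O2/O20 style: ... - path
        path = body.rsplit(" - ", 1)[-1]
    path = path.replace("(file missing)", "").strip()
    if path.startswith('"'):             # quoted path followed by arguments
        path = path[1:].split('"', 1)[0]
    return path or None

def triage(log_text: str) -> List[Finding]:
    """Return the entries matching RULES, in log order."""
    findings = []
    for m in ENTRY_RE.finditer(log_text):
        section, body = m.groups()
        missing = body.endswith("(file missing)")
        for sec, test, reason in RULES:
            if section == sec and test(body, missing):
                findings.append(Finding(section, reason, entry_path(body), missing))
    return findings

def present_files(findings: List[Finding]) -> List[str]:
    """Paths HijackThis did not report missing: candidates for a move/quarantine list."""
    return [f.path for f in findings if f.path and not f.missing]
```

Entries HijackThis reports as "(file missing)" are registry leftovers to fix in HijackThis itself; only the paths from present_files() belong in a file-move list.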

#18 Ultrad321

Ultrad321

    Member

  • Members
  • 20 posts

Posted 09 December 2007 - 09:41 PM

The first time I tried it, it restarted and, before loading up my desktop, I received a blue screen of death talking about the nvata64 driver and something messing up, talking about beginning a dump of physical memory. Then I restarted and it loaded up fine, but with our friend ylcgcuoq.dat still infesting my machine. I am wary of trying it again.

Should I?

The HJT part worked fine, anyway. (Knock on wood.) My searches are no longer being redirected, but I am still very suspicious of ylcgcuoq.dat due to its successful resistance to being deleted. That BSOD scared me; I hope this thing does not tear up my system as we try to remove it.

Here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:37 PM, on 12/09/2007
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files (x86)\FSI\F-Prot\fpavupdm.exe
C:\WINDOWS\SysWOW64\PnkBstrA.exe
C:\WINDOWS\SysWOW64\wwSecure.exe
C:\Program Files (x86)\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files (x86)\Webroot\Washer\wwDisp.exe
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\Program Files (x86)\FSI\F-Prot\F-Sched.exe
C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files (x86)\iPod\bin\iPodService.exe
C:\Documents and Settings\Administrator\Desktop\OTMoveIt.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O1 - Hosts: be placed in the first column followed by the corresponding host name.
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [FRISK FP-Scheduler] "C:\Program Files (x86)\FSI\F-Prot\F-Sched.exe" STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [CatalystRegistration] "C:\Program Files (x86)\ATI\CatalystRegistration\dolce.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Window Washer] C:\Program Files (x86)\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe /startupscan
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [kffo] C:\PROGRA~2\COMMON~1\kffo\kffom.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [kffo] C:\PROGRA~2\COMMON~1\kffo\kffom.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - ESC Trusted Zone: http://runonce.msn.com
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livemetal...r/dlControl.CAB
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.c...driveragent.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2saag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files (x86)\FSI\F-Prot\fpavupdm.exe
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

--
End of file - 7254 bytes

#19 HJThis

HJThis

    Advanced Member

  • Volunteer Security Advisor
  • 4076 posts

Posted 09 December 2007 - 09:48 PM

Hi, Ultrad321

No, don't go after it again. Let me go find out how we can go for it. Hm, till I find something, did you try right-clicking the ylcgcuoq.dat and seeing if you can rename it to, say, ylcgcuoq.txt? Try it and tell me if you can.

Gogo :o
Die Hijacker Die

Member of
ALLIANCE OF SECURITY ANALYSIS PROFESSIONALS

Since 2004

Warning My killer dog at work.


#20 Ultrad321

Ultrad321

    Member

  • Members
  • 20 posts

Posted 09 December 2007 - 10:20 PM

It won't let me: access denied, make sure the file is not in use or write-protected, etc.
