Help Needed With Possible Blaster Worm Problem


50 replies to this topic

#16 bigsi69 (Authentic Member, 27 posts)

Posted 12 August 2007 - 11:23 AM

This is the cmd log:

d:\windows\system32\cmd.exe
Version: 5.1.2600.2180
Created: 15/03/2006 13:00:00
Modified: 15/03/2006 13:00:00
Size: 388,608 bytes
Attributes: Archive

d:\windows\system32\dllcache\cmd.exe
Version: 5.1.2600.2180
Created: 15/03/2006 13:00:00
Modified: 15/03/2006 13:00:00
Size: 388,608 bytes
Attributes: Archive Compressed

And this is the regedit log:

c:\windows\help\regedit.chm
Version:
Created: 15/03/2006 13:00:00
Modified: 15/03/2006 13:00:00
Size: 46,684 bytes
Attributes: Archive

c:\windows\help\regedit.hlp
Version:
Created: 15/03/2006 13:00:00
Modified: 15/03/2006 13:00:00
Size: 12,886 bytes
Attributes: Archive

d:\windows\help\regedit.chm
Version:
Created: 15/03/2006 13:00:00
Modified: 15/03/2006 13:00:00
Size: 46,684 bytes
Attributes: Archive

d:\windows\help\regedit.hlp
Version:
Created: 15/03/2006 13:00:00
Modified: 15/03/2006 13:00:00
Size: 12,886 bytes
Attributes: Archive

d:\windows\regedit.exe
Version: 5.1.2600.2180
Created: 15/03/2006 13:00:00
Modified: 15/03/2006 13:00:00
Size: 146,432 bytes
Attributes: Archive

d:\windows\system32\dllcache\regedit.exe
Version: 5.1.2600.2180
Created: 15/03/2006 13:00:00
Modified: 15/03/2006 13:00:00
Size: 146,432 bytes
Attributes: Archive Compressed



#17 bigsi69 (Authentic Member, 27 posts)

Posted 12 August 2007 - 11:26 AM

I have 2 old Windows installations on my second hard drive which I don't use. They both need wiping, but I don't know how to erase them without deleting any of my data, which I do need. This could be where the problem is hiding.

#18 Jintan (Advanced Member, Visiting Fellow, 791 posts)

Posted 12 August 2007 - 02:54 PM

Could be - we'll see as we go along, but be sure not to transfer files from this system to any other computers, or even use things like thumb drives on both this and another computer.


Good seeing those files - now move copies from the D drive folders to the C drive folders:

d:\windows\system32\cmd.exe <--- this file

C:\Windows\System32 <--- here


d:\windows\regedit.exe <--- this file

C:\windows <--- here


Then to be sure click to install UnHookExec.inf again, then try that remove.bat you created as well. Then run the ComboFix scan as previously instructed.

#19 bigsi69 (Authentic Member, 27 posts)

Posted 13 August 2007 - 10:01 AM

Hi again. Right, here goes; this could be a long one. Everything seems to be running OK, except when I ran SDFix in safe mode I got this, which popped up a lot:

"SDFix config.nt. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate the application."

I chose to press Ignore. Whether this was right or wrong, the program eventually finished and this was the results file:


SDFix: Version 1.98

Run by bigsi69 on 13/08/2007 at 16:32

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\system32\cmd.com - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\SopCast\\SopCast.exe"="C:\\Program Files\\SopCast\\SopCast.exe:*:Enabled:SopCast Main Application"
"C:\\Documents and Settings\\bigsi69\\Application Data\\SopCast\\adv\\SopAdver.exe"="C:\\Documents and Settings\\bigsi69\\Application Data\\SopCast\\adv\\SopAdver.exe:*:Disabled:SopCast Adver"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\Blubster\\Blubster.exe"="C:\\Program Files\\Blubster\\Blubster.exe:*:Enabled:Blubster"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\Limit.exe
C:\WINDOWS\MSCONFIG.EXE
C:\WINDOWS\system32\MSCONFIG.EXE
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp

Finished


After that I ran combofix.exe. This is the log file for the application:


ComboFix 07-08-09.3 - "bigsi69" 2007-08-13 16:39:56.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.737 [GMT 1:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Autorun.inf
D:\Autorun.inf


((((((((((((((((((((((((( Files Created from 2007-07-13 to 2007-08-13 )))))))))))))))))))))))))))))))


2007-08-13 16:39 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-13 16:30 <DIR> d-------- C:\WINDOWS\ERUNT
2007-08-12 18:38 <DIR> d-------- C:\Program Files\Blubster
2007-08-11 21:17 <DIR> d-------- C:\DOCUME~1\bigsi69\Phone Browser
2007-08-11 21:11 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2007-08-11 21:11 <DIR> d-------- C:\Program Files\DIFX
2007-08-11 21:11 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2007-08-11 21:11 <DIR> d-------- C:\Program Files\Common Files\Nokia
2007-08-11 21:11 <DIR> d-------- C:\DOCUME~1\bigsi69\APPLIC~1\PC Suite
2007-08-11 21:11 <DIR> d-------- C:\DOCUME~1\bigsi69\APPLIC~1\Nokia
2007-08-11 21:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PC Suite
2007-08-11 21:10 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2007-08-11 21:10 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2007-08-11 21:10 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2007-08-11 21:10 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2007-08-11 21:10 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2007-08-11 21:10 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2007-08-11 21:10 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-08-11 21:10 <DIR> d-------- C:\Program Files\Nokia
2007-08-11 21:10 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Installations
2007-08-11 16:37 <DIR> d-------- C:\DOCUME~1\bigsi69\APPLIC~1\WinRAR
2007-08-10 20:23 <DIR> d-------- C:\VundoFix Backups
2007-08-10 03:56 <DIR> d-------- C:\DOCUME~1\bigsi69\APPLIC~1\Azureus
2007-08-10 03:53 <DIR> d-------- C:\Program Files\Azureus
2007-08-09 17:30 <DIR> d-------- C:\WINDOWS\CSC
2007-08-09 16:16 <DIR> d-------- C:\Program Files\Google
2007-08-09 16:16 <DIR> d-------- C:\DOCUME~1\bigsi69\APPLIC~1\Google
2007-08-09 16:16 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-08-09 15:19 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-08-09 08:19 <DIR> d-------- C:\DOCUME~1\bigsi69\APPLIC~1\vlc
2007-08-09 06:26 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-08-09 06:25 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-08-09 06:25 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-08-09 06:23 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-08-09 06:18 <DIR> d-------- C:\Program Files\MSBuild
2007-08-09 06:15 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-08-09 06:15 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-08-09 06:14 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-08-09 06:08 23,040 --------- C:\WINDOWS\kb913800.exe
2007-08-08 06:53 <DIR> d-------- C:\WINDOWS\RegisteredPackages
2007-08-08 06:50 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2007-08-08 06:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-08-08 06:36 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-08-08 06:36 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-08-08 06:34 <DIR> d--hs---- C:\DOCUME~1\bigsi69\UserData
2007-08-08 06:34 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-08-08 06:26 8 --a------ C:\WINDOWS\system32\nvModes.dat
2007-08-08 06:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\nView_Profiles
2007-08-08 06:25 <DIR> dr-hsc--- C:\WINDOWS\system32\dllcache\taskmgr.exe
2007-08-08 06:25 <DIR> dr-hsc--- C:\WINDOWS\system32\dllcache\regedit.exe
2007-08-08 06:25 <DIR> dr-hsc--- C:\WINDOWS\system32\dllcache\msconfig.exe
2007-08-08 06:25 <DIR> dr-hsc--- C:\WINDOWS\system32\dllcache\command.com
2007-08-08 06:25 <DIR> dr-hsc--- C:\WINDOWS\system32\dllcache\cmd.exe
2007-08-08 06:25 <DIR> dr-hsc--- C:\WINDOWS\system32\dllcache\cmd.com
2007-08-08 06:25 <DIR> dr-hs---- C:\WINDOWS\system32\taskmgr.exe
2007-08-08 06:25 <DIR> dr-hs---- C:\WINDOWS\system32\command.com
2007-08-08 06:24 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2007-08-08 06:24 208,896 --a------ C:\WINDOWS\system32\nvudisp.exe
2007-08-08 06:24 <DIR> d-------- C:\WINDOWS\nview
2007-08-08 06:23 <DIR> d-------- C:\NVIDIA
2007-08-08 06:21 90,112 -r------- C:\WINDOWS\soundman.exe
2007-08-08 06:21 82,944 --a--c--- C:\WINDOWS\system32\dllcache\wdmaud.sys
2007-08-08 06:21 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2007-08-08 06:21 7,552 --a--c--- C:\WINDOWS\system32\dllcache\mskssrv.sys
2007-08-08 06:21 7,552 --a------ C:\WINDOWS\system32\drivers\MSKSSRV.sys
2007-08-08 06:21 60,800 --a--c--- C:\WINDOWS\system32\dllcache\sysaudio.sys
2007-08-08 06:21 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2007-08-08 06:21 60,288 --a--c--- C:\WINDOWS\system32\dllcache\drmk.sys
2007-08-08 06:21 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2007-08-08 06:21 6,400 --a--c--- C:\WINDOWS\system32\dllcache\splitter.sys
2007-08-08 06:21 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2007-08-08 06:21 54,272 --a--c--- C:\WINDOWS\system32\dllcache\swmidi.sys
2007-08-08 06:21 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2007-08-08 06:21 52,864 --a--c--- C:\WINDOWS\system32\dllcache\dmusic.sys
2007-08-08 06:21 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2007-08-08 06:21 5,376 --a--c--- C:\WINDOWS\system32\dllcache\mspclock.sys
2007-08-08 06:21 5,376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2007-08-08 06:21 40,960 -r------- C:\WINDOWS\system32\ChCfg.exe
2007-08-08 06:21 4,992 --a--c--- C:\WINDOWS\system32\dllcache\mspqm.sys
2007-08-08 06:21 4,992 --a------ C:\WINDOWS\system32\drivers\MSPQM.sys
2007-08-08 06:21 4,096 --a--c--- C:\WINDOWS\system32\dllcache\ksuser.dll
2007-08-08 06:21 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2007-08-08 06:21 3,727,680 -r------- C:\WINDOWS\system32\drivers\alcxwdm.sys
2007-08-08 06:21 2,944 --a--c--- C:\WINDOWS\system32\dllcache\drmkaud.sys
2007-08-08 06:21 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2007-08-08 06:21 172,416 --a--c--- C:\WINDOWS\system32\dllcache\kmixer.sys
2007-08-08 06:21 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2007-08-08 06:21 157,184 -r------- C:\WINDOWS\system32\RtlCPAPI.dll
2007-08-08 06:21 145,792 --a--c--- C:\WINDOWS\system32\dllcache\portcls.sys
2007-08-08 06:21 145,792 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2007-08-08 06:21 142,464 --a--c--- C:\WINDOWS\system32\dllcache\aec.sys
2007-08-08 06:21 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
2007-08-08 06:21 10,459,136 -r------- C:\WINDOWS\system32\RTLCPL.exe
2007-08-08 06:21 <DIR> d-------- C:\Program Files\Realtek Sound Manager
2007-08-08 06:21 <DIR> d-------- C:\Program Files\AvRack
2007-08-08 06:20 307,200 -r------- C:\WINDOWS\alcupd.exe
2007-08-08 06:20 212,992 -r------- C:\WINDOWS\alcrmv.exe
2007-08-08 06:20 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2007-08-08 06:20 <DIR> d-------- C:\Program Files\Realtek AC97
2007-08-08 06:20 <DIR> d-------- C:\Program Files\Common Files\InstallShield


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2010-08-08 03:13 --------- d-------- C:\DOCUME~1\bigsi69\APPLIC~1\Lavasoft
2010-08-08 03:12 --------- d-------- C:\Program Files\Lavasoft
2010-08-08 03:12 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-08 02:56 --------- d-------- C:\DOCUME~1\bigsi69\APPLIC~1\SopCast
2008-08-08 02:55 --------- d-------- C:\Program Files\VideoLAN
2008-08-08 02:53 --------- d-------- C:\Program Files\SopCast
2008-08-08 01:56 --------- d-------- C:\Program Files\EPSON
2007-06-24 11:05 557056 -r-hs---- C:\WINDOWS\system32\MSCONFIG.EXE
2007-06-24 11:05 557056 -r-hs---- C:\WINDOWS\MSCONFIG.EXE
2007-06-24 11:05 557056 -r-hs---- C:\Limit.exe
2007-06-08 08:11 831048 --a------ C:\WINDOWS\system32\WudfUpdate_01005.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 13:56]
"SoundMan"="SOUNDMAN.EXE" [2005-09-22 17:42 C:\WINDOWS\soundman.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-19 13:26]
"nwiz"="nwiz.exe" [2007-04-19 13:26 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-19 13:26]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 15:10]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-15 13:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

R3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\fetnd5.sys
R3 MTsensor;ATK0110 ACPI UTILITY;C:\WINDOWS\system32\DRIVERS\ASACPI.sys
S3 idsvc;Windows CardSpace;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"
S3 nmwcd;Nokia USB Phone Parent;C:\WINDOWS\system32\drivers\nmwcd.sys
S3 nmwcdc;Nokia USB Generic;C:\WINDOWS\system32\drivers\nmwcdc.sys
S3 nmwcdcj;Nokia USB Port;C:\WINDOWS\system32\drivers\nmwcdcj.sys
S3 nmwcdcm;Nokia USB Modem;C:\WINDOWS\system32\drivers\nmwcdcm.sys
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
auto\command- C:\Limit.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Limit.exe
explore\command- C:\Limit.exe
open\command- C:\Limit.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
auto\command- D:\Limit.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Limit.exe
explore\command- D:\Limit.exe
open\command- D:\Limit.exe


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-13 16:40:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-13 16:40:53
C:\ComboFix-quarantined-files.txt ... 2007-08-13 16:40

--- E O F ---

Then I ran HijackThis again and this is the final log (I hope):


Logfile of HijackThis v1.99.1
Scan saved at 16:44:07, on 13/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1186551262375
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

I'm keeping my fingers crossed; you've been a star throughout this.

:wall:

#20 Jintan (Advanced Member, Visiting Fellow, 791 posts)

Posted 13 August 2007 - 02:24 PM

Looks like some cross infection going on here between drives. Stay with the steps we work through here and we should get things cleaned up. One more swapped-out legit file to replace, and let's see if other copies of the same infected files are there before doing the next cleaning steps.


Go to Start > Run and type:

cmd.exe

and ok. Copy and paste the below string after the prompt >

dir /s /a "c:\MSCONFIG*.*" > c:\find22.txt & start notepad c:\find22.txt

Your drive will be scanned and when finished, Notepad will pop up with some information. Copy and paste it in this thread.



Also let's check for some files. The following is not the cleanest method but the best my scripting skills will provide us right now.

Open Notepad again and copy/paste the following text.

@ECHO OFF
REM Remove any report left over from an earlier run (it lives in c:\, not on the desktop)
if exist c:\show2.txt del /q c:\show2.txt
REM List files only (no directories) in System32, sorted by size, into the report
cd /d C:\Windows\System32
dir /A:-D /O:S > c:\show2.txt
REM Append the same listing for the Windows folder, then open the report in Notepad
cd /d C:\Windows
dir /A:-D /O:S >> c:\show2.txt & start notepad c:\show2.txt

Then go to File - Save as..., and save the file to your desktop as "sizer.bat" (be sure to include the quotes "" in the name). Then click on sizer.bat to run the file check. Once that completes a text box will open. Scroll through that long list of files and locate all files that are 557056 bytes in size (this will be listed just to the left of the file names). Copy/paste back here all the files found that match that size please.
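As an added example (not code from this thread, SDFix or ComboFix): a Python script that does in one pass what the dir /s and sizer.bat steps above do by hand, and adds the checks the listings in this thread call for. It flags copies of a watched system executable that sit outside their normal folder or match the 557056-byte size, zero-byte directories that carry an executable's name (the kind that block the real file from being written back), and a .com file placed beside a .exe of the same base name (cmd.com beside cmd.exe: the default PATHEXT order tries .COM before .EXE, so "cmd" typed at Start > Run resolves to the .com). The folder tree it builds is constructed for the demo, reusing the sizes reported in the logs above; the table of "normal" folders is an assumption based on the standard XP layout (the msconfig.exe folder is the one the thread itself names, pchealth\helpctr\binaries) and system32\dllcache is accepted everywhere as the Windows File Protection cache.

```python
"""Hunt for planted copies of Windows system executables in one pass.

Checks, generalised from the listings in this thread:
  * stray-copy    a watched binary outside its home folder (or dllcache)
  * suspect-size  a watched binary of exactly SUSPECT_SIZE bytes
  * dummy-dir     a directory named like an executable (blocks restore)
  * com-shadow    X.com beside X.exe, which PATHEXT resolves first
The sample tree is constructed for the demo; sizes are taken from the logs.
"""
import os
import tempfile
from collections import defaultdict

EXEC_EXT = (".exe", ".com")
SUSPECT_SIZE = 557056  # size shared by every planted MSCONFIG.EXE in the thread

# Assumed home folder of each watched binary, relative to the Windows folder.
# msconfig's folder is the one named in the thread; the rest are standard XP.
HOME_DIR = {
    "msconfig.exe": os.path.join("pchealth", "helpctr", "binaries"),
    "cmd.exe": "system32",
    "regedit.exe": "",
    "taskmgr.exe": "system32",
    "command.com": "system32",
}
DLLCACHE = os.path.join("system32", "dllcache")  # WFP cache, always allowed


def _touch(path, size=0):
    """Create a file that reports the given size without writing the bytes."""
    with open(path, "wb") as fh:
        fh.truncate(size)


def build_sample_tree(base):
    """Constructed layout mirroring the dir listings posted in this thread."""
    for sub in (DLLCACHE, HOME_DIR["msconfig.exe"], "help"):
        os.makedirs(os.path.join(base, sub), exist_ok=True)
    _touch(os.path.join(base, "MSCONFIG.EXE"), SUSPECT_SIZE)              # planted
    _touch(os.path.join(base, "system32", "MSCONFIG.EXE"), SUSPECT_SIZE)  # planted
    _touch(os.path.join(base, "regedit.exe"), 146432)                      # legit
    _touch(os.path.join(base, "system32", "cmd.exe"), 388608)              # legit
    _touch(os.path.join(base, DLLCACHE, "cmd.exe"), 388608)                # legit (WFP cache)
    _touch(os.path.join(base, "system32", "command.com"), 50000)           # legit, size made up
    _touch(os.path.join(base, "system32", "cmd.com"), 0)                   # shadows cmd.exe
    _touch(os.path.join(base, "help", "msconfig.chm"), 17240)              # legit help file
    # zero-byte directories wearing the executable's name block restoration
    os.makedirs(os.path.join(base, DLLCACHE, "msconfig.exe"))
    os.makedirs(os.path.join(base, HOME_DIR["msconfig.exe"], "msconfig.exe"))


def scan(windows_dir):
    """Return sorted (finding, relative_path) pairs for everything suspicious."""
    findings = set()
    copies = defaultdict(list)  # lower-case name -> [(relative path, size)]
    for dirpath, dirnames, filenames in os.walk(windows_dir):
        rel = os.path.relpath(dirpath, windows_dir).lower()
        rel = "" if rel == "." else rel
        for d in dirnames:
            if d.lower().endswith(EXEC_EXT):
                findings.add(("dummy-dir", os.path.join(rel, d)))
        present = {f.lower() for f in filenames}
        for f in filenames:
            name = f.lower()
            path = os.path.join(rel, f)
            if name in HOME_DIR:
                copies[name].append((path, os.path.getsize(os.path.join(dirpath, f))))
            # a .com beside the .exe of the same base name wins PATHEXT resolution
            if name.endswith(".exe") and name[:-4] + ".com" in present:
                findings.add(("com-shadow", os.path.join(rel, name[:-4] + ".com")))
    for name, entries in copies.items():
        allowed = {HOME_DIR[name], DLLCACHE}
        for path, size in entries:
            if os.path.dirname(path) not in allowed:
                findings.add(("stray-copy", path))
            if size == SUSPECT_SIZE:
                findings.add(("suspect-size", path))
    return sorted(findings)


def demo():
    """Build the constructed tree in a temporary folder, scan it, return findings."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return scan(base)


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:13} {path}")
```

On a real machine you would call scan() on the Windows folder itself instead of demo(); the size check is only as good as the number you feed it, so treat stray-copy and dummy-dir as the durable signals and suspect-size as a per-case tripwire.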

#21 bigsi69 (Authentic Member, 27 posts)

Posted 14 August 2007 - 08:42 AM

Hi there again. This is the 1st log you requested:

 Volume in drive C has no label.
 Volume Serial Number is 806F-A262

 Directory of c:\WINDOWS

24/06/2007  11:05           557,056 MSCONFIG.EXE
               1 File(s)        557,056 bytes

 Directory of c:\WINDOWS\Help

15/03/2006  13:00            17,240 msconfig.chm
               1 File(s)         17,240 bytes

 Directory of c:\WINDOWS\pchealth\helpctr\binaries

08/08/2007  06:25    <DIR>          msconfig.exe
               0 File(s)              0 bytes

 Directory of c:\WINDOWS\system32

24/06/2007  11:05           557,056 MSCONFIG.EXE
               1 File(s)        557,056 bytes

 Directory of c:\WINDOWS\system32\dllcache

08/08/2007  06:25    <DIR>          msconfig.exe
               0 File(s)              0 bytes

     Total Files Listed:
               3 File(s)      1,131,352 bytes
               2 Dir(s)  66,352,832,512 bytes free

And these are the two files I found that were the relevant size. The 1st was located in:

Directory of C:\WINDOWS\system32 - 24/06/2007 11:05 557,056 MSCONFIG.EXE

The 2nd was located in:

Directory of C:\WINDOWS - 24/06/2007 11:05 557,056 MSCONFIG.EXE

#22 bigsi69 (Authentic Member, 27 posts)

Posted 14 August 2007 - 08:52 AM

While I was doing the repairs you suggested yesterday, I told you that I received the following error message while in safe mode: "16 bit MS-DOS Subsystem. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate the application." I went onto the Microsoft website and found that this can be fixed. Would I be OK to try and fix it now, or do I have to wait until we have finished sorting my current problems? I don't want to mess up any of the good work you've been doing so far, so I thought I'd better ask. :D

#23 Jintan (Advanced Member, Visiting Fellow, 791 posts)

Posted 14 August 2007 - 11:19 AM

Good you asked about making independent changes there, and the answer is pretty much that it is really, truly not a good idea. Some of the tools we use also rely on "low level" tool access to accomplish the deeds by using 16-bit DOS emulators, and infection squirrels know this and cause unwanted file changes specifically targeting those. Likely if you Click Here and download xp_fix.exe to your desktop, and click the downloaded file to run the repair, it will return the correct autoexec.nt file and other corrections for that. But none of the usual search-and-solve techniques for this type of problem, if you would.

Same size on that msconfig is a problem, as well as those recent modification dates. To be sure, locate and zip up a copy of one, then just go here and follow the instructions to upload the file. This copy will be good enough:

c:\WINDOWS\MSCONFIG.EXE

You DO NOT need to be a member to upload; anybody can upload the files. We need to make sure whether you have any good copies there for us. I see the infection did stick a zero-byte fake copy in the correct msconfig.exe directory, so it just may be this that is a problem (but again, recent dates are a concern on the other copies).

#24 bigsi69 (Authentic Member, 27 posts)

Posted 15 August 2007 - 09:36 AM

Strange things are afoot. When I searched through my C drive to find msconfig.exe it wasn't there; in fact it wasn't anywhere on my PC, and even after I installed an XP update and restarted it still wasn't there. I tried to access Run\msconfig and I was asked to insert my XP disc to replace lost files, which I did. After this the file I was looking for ended up in a folder called Prefetch (this is not where I've usually seen it). Anyhow, I copied the file and have uploaded it as requested. On the subject of the XP fix you suggested, I downloaded the program to my desktop and ran it, only to be confronted by this message: "The file C:\WINDOWS\system32\command.com could not be opened". The mystery deepens :blink:

#25 Jintan (Advanced Member, Visiting Fellow, 791 posts)

Posted 15 August 2007 - 06:02 PM

It's an autorun infection that is blocking changes we are attempting to make using some older techniques. The Prefetch file is not an actual file copy (it's more a reload path of files that allow the reloading of the actual msconfig.exe) so wouldn't give the info we're after. And here the actual copies are hidden.


Do you have access to a different system for downloading and transfer of files? You will need to download a copy of msconfig.exe from here, and place that in the following folder:

c:\WINDOWS\pchealth\helpctr\binaries



But first we need to eliminate all the zero-byte dummy files placed by the infection. If these next few steps do what I would expect, you should be able to download that new msconfig.exe and place it in the right folder without issues.

ComboFix has its own built-in means of getting around the tricks, so let's rely on that to assist.


Go here and download Flash_Disinfector.exe and save it to your desktop.

Doubleclick on Flash_Disinfector.exe to run it and follow the prompts. Wait until it has finished scanning and then exit the program.

The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well. In this case I believe we are mainly discussing the other drives, but if there is a thumb drive involved there (you would know best) have it installed as well.



Open notepad and copy/paste the text in the quotebox below into it:

Suspect::
C:\Limit.exe
D:\Limit.exe
C:\WINDOWS\MSCONFIG.EXE
C:\WINDOWS\system32\MSCONFIG.EXE
Files::
C:\Limit.exe
D:\Limit.exe
c:\windows\system32\cmd.com
C:\WINDOWS\MSCONFIG.EXE
c:\WINDOWS\pchealth\helpctr\binaries\MSCONFIG.EXE
c:\WINDOWS\system32\MSCONFIG.EXE
c:\WINDOWS\system32\dllcache\MSCONFIG.EXE
C:\WINDOWS\system32\command.com
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]

Save this as "CFScript"

(include the "quotation marks" with the name)



[image not reproduced]

Referring to the picture above, drag CFScript.txt onto ComboFix.exe

When the fix completes it will create a C:\ComboFix.txt log. Please post that log in your next reply.


Right after that run Flash Disinfector again.


Then also click on the previously downloaded xp_fix.exe to return all three of those files.


Then run a second ComboFix scan. This will rename that first one to c:\combofix2.txt, so you will be posting back both c:\combofix.txt and c:\combofix2.txt - I would like a before and after snapshot so to speak.
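As an added example (not code from this thread or from ComboFix): a Python script that reads the mountpoints2 block ComboFix printed in the log above, decides which per-drive shell verbs have been hijacked, and writes the Registry:: section of a CFScript in the same form this post uses ([-KEY] removes the whole key). MountPoints2 is where Explorer caches the shell verbs it learned from a drive's Autorun.inf, which is how a dropper in a drive root gets launched when the drive is opened or explored. The sample input is copied from the ComboFix log earlier in this thread; the two heuristics (a command whose target sits directly in a drive root, and a command routed through RunDLL32 with Shell32's ShellExec_RunDLL) are my own assumptions about what separates a hijack from an ordinary verb, not ComboFix's logic.

```python
"""Flag hijacked drive verbs in a ComboFix mountpoints2 dump and emit the
matching CFScript Registry:: section.  SAMPLE is copied from the log in this
thread; the classification rules are assumptions made for this example."""
import re

SAMPLE = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
auto\command- C:\Limit.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Limit.exe
explore\command- C:\Limit.exe
open\command- C:\Limit.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
auto\command- D:\Limit.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Limit.exe
explore\command- D:\Limit.exe
open\command- D:\Limit.exe
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")             # [HKEY_...\mountpoints2\C]
VERB_RE = re.compile(r"^(\w+)\\command-\s*(.+?)\s*$")   # verb\command- <command line>
ROOT_FILE_RE = re.compile(r"^[A-Za-z]:\\[^\\]+$")       # X:\name with nothing deeper


def parse_mountpoints(text):
    """Yield (key, verb, command) for every verb line under a [HKEY_...] header."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VERB_RE.match(line)
        if m and key:
            yield key, m.group(1), m.group(2)


def classify(command):
    """Reason a verb command looks hijacked, or None if it looks ordinary."""
    parts = command.split()
    head = parts[0].lower()
    if head.endswith("rundll32.exe") and any(
        "shellexec_rundll" in p.lower() for p in parts[1:]
    ):
        return "shellexec-rundll"  # file launched indirectly through Shell32
    if ROOT_FILE_RE.match(parts[0]):
        return "root-payload"      # executable sitting in the drive root
    return None


def find_hijacks(text):
    """List (key, verb, reason, command) for every suspicious verb in the dump."""
    hits = []
    for key, verb, command in parse_mountpoints(text):
        reason = classify(command)
        if reason:
            hits.append((key, verb, reason, command))
    return hits


def cfscript_registry_section(hits):
    """Registry:: section deleting each hijacked key once, in the order seen."""
    keys = list(dict.fromkeys(h[0] for h in hits))
    return "\n".join(["Registry::"] + [f"[-{k}]" for k in keys])


if __name__ == "__main__":
    found = find_hijacks(SAMPLE)
    for key, verb, reason, command in found:
        print(f"{key.rsplit(chr(92), 1)[-1]}: {verb:8} {reason:17} {command}")
    print(cfscript_registry_section(found))
```

For a live system you would feed it the mountpoints2 section of a fresh ComboFix log (or a reg export of that key); a verb whose command points at a legitimate program in its own Program Files folder passes both rules and is left alone.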



#26 bigsi69 (Authentic Member, 27 posts)

Posted 16 August 2007 - 01:46 PM

I seem to be having the old issue I had before where programs won't run. Flash Disinfector wouldn't run; the screen just flashed when I tried it, and when I put the script into combofix.exe it just opened an empty cmd.exe folder page like before.

#27 Jintan (Advanced Member, Visiting Fellow, 791 posts)

Posted 16 August 2007 - 03:58 PM

Are these other hard drives slaved - not dual boot? An unusual situation, but as you have system files in more than one location and on more than one drive, cross infection is occurring. I can suggest you physically disconnect the other drives to concentrate on repairs on this one, or we may be spinning our wheels here. Post back on that so I can get a better understanding of the setup there.

#28 bigsi69 (Authentic Member, 27 posts)

Posted 17 August 2007 - 08:46 AM

The other drive is a slave. The only reason I had a second operating system on there is that a few weeks ago I reformatted what I thought was my original drive; my second one had all my saved data on it. Unfortunately I formatted the wrong one and lost everything. I then used the one I formatted as my main drive, subsequently leaving some data and the old operating system on my original first drive. Hope that makes sense; reading it back confuses me (in short, I don't have a dual boot system).

#29 Jintan (Advanced Member, Visiting Fellow, 791 posts)

Posted 17 August 2007 - 05:57 PM

No, that really clears things up. If you would, go ahead and disconnect the slaved drive for now, and we'll make decisions on that later. Then run new scans with ComboFix, HijackThis and Silent Runners, and post back here any successful scan results along with your usual clear info on what issues are currently occurring and what errors occurred.

#30 bigsi69 (Authentic Member, 27 posts)

Posted 20 August 2007 - 04:37 AM

Hi again. Sorry I haven't been replying this weekend; I've been really busy with the kids. Right, down to business. I tried running the Flash Disinfector program that you suggested in an earlier post; unfortunately it came back with this error:

"Windows - No Disk. Exception Processing Message c0000013 Parameters 75b6bf9c 4 75b6bf9c 75b6bf9c"

I then ran ComboFix.exe with the CFScript that you gave me. This is the log it created (it also found certain malware items that it wanted me to upload to their site for analysis):

ComboFix 07-08-17.2 - "bigsi69" 2007-08-20 11:21:04.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.726 [GMT 1:00]
Command switches used :: C:\Documents and Settings\bigsi69\Desktop\CFScript
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Autorun.inf


((((((((((((((((((((((((( Files Created from 2007-07-20 to 2007-08-20 )))))))))))))))))))))))))))))))


2007-08-20 10:57 388,608 --a------ C:\WINDOWS\system32\cmd.exe
2007-08-19 10:58 <DIR> d-------- C:\Program Files\Nokia
2007-08-19 10:58 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2007-08-19 10:58 <DIR> d-------- C:\Program Files\Common Files\Nokia
2007-08-19 10:50 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-08-19 10:50 <DIR> d-------- C:\Program Files\Your Uninstaller 2006
2007-08-19 10:50 <DIR> d-------- C:\DOCUME~1\bigsi69\APPLIC~1\URSoft
2007-08-15 16:01 <DIR> dr-hs---- C:\WINDOWS\system32\cmd.com
2007-08-15 15:55 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-08-13 18:55 <DIR> d-------- C:\DOCUME~1\bigsi69\APPLIC~1\Ahead
2007-08-13 18:52 <DIR> d-------- C:\Program Files\coverXP
2007-08-13 18:22 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-08-13 18:22 <DIR> d-------- C:\Program Files\Ahead
2007-08-13 16:30 <DIR> d-------- C:\WINDOWS\ERUNT
2007-08-13 09:43 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-08-12 21:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ahead
2007-08-12 21:16 <DIR> d-------- C:\Program Files\Nero
2007-08-12 21:16 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero
2007-08-12 18:38 <DIR> d-------- C:\Program Files\Blubster
2007-08-12 17:36 <DIR> d-------- C:\Program Files\Duplicate File Remover
2007-08-12 16:22 146,432 --a------ C:\WINDOWS\regedit.exe
2007-08-11 21:17 <DIR> d-------- C:\DOCUME~1\bigsi69\Phone Browser
2007-08-11 21:11 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2007-08-11 21:11 <DIR> d-------- C:\Program Files\DIFX
2007-08-11 21:11 <DIR> d-------- C:\DOCUME~1\bigsi69\APPLIC~1\PC Suite
2007-08-11 21:11 <DIR> d-------- C:\DOCUME~1\bigsi69\APPLIC~1\Nokia
2007-08-11 21:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PC Suite
2007-08-11 21:10 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2007-08-11 21:10 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-08-11 21:10 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Installations
2007-08-11 16:37 <DIR> d-------- C:\DOCUME~1\bigsi69\APPLIC~1\WinRAR
2007-08-11 15:53 <DIR> d-------- C:\WINDOWS\pss
2007-08-10 20:28 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-10 20:23 <DIR> d-------- C:\VundoFix Backups
2007-08-10 17:35 <DIR> d-------- C:\Program Files\SlySoft
2007-08-10 03:56 <DIR> d-------- C:\DOCUME~1\bigsi69\APPLIC~1\Azureus
2007-08-10 03:53 <DIR> d-------- C:\Program Files\Azureus
2007-08-09 20:01 <DIR> d-------- C:\Program Files\Real
2007-08-09 20:01 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-08-09 20:01 <DIR> d-------- C:\Program Files\Common Files\Real
2007-08-09 20:01 <DIR> d-------- C:\DOCUME~1\bigsi69\APPLIC~1\Real
2007-08-09 17:30 <DIR> d-------- C:\WINDOWS\CSC
2007-08-09 16:16 <DIR> d-------- C:\Program Files\Google
2007-08-09 16:16 <DIR> d-------- C:\DOCUME~1\bigsi69\APPLIC~1\Google
2007-08-09 16:16 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-08-09 15:19 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-08-09 08:19 <DIR> d-------- C:\DOCUME~1\bigsi69\APPLIC~1\vlc
2007-08-09 06:26 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-08-09 06:25 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-08-09 06:25 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-08-09 06:23 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-08-09 06:18 <DIR> d-------- C:\Program Files\MSBuild
2007-08-09 06:15 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-08-09 06:15 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-08-09 06:14 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-08-09 06:08 23,040 --------- C:\WINDOWS\kb913800.exe
2007-08-08 06:53 <DIR> d-------- C:\WINDOWS\RegisteredPackages
2007-08-08 06:50 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2007-08-08 06:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-08-08 06:36 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-08-08 06:36 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-08-08 06:34 <DIR> d--hs---- C:\DOCUME~1\bigsi69\UserData
2007-08-08 06:34 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-08-08 06:26 8 --a------ C:\WINDOWS\system32\nvModes.dat
2007-08-08 06:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\nView_Profiles
2007-08-08 06:25 <DIR> dr-hs---- C:\WINDOWS\system32\taskmgr.exe
2007-08-08 06:25 <DIR> dr-hs---- C:\WINDOWS\system32\command.com
2007-08-08 06:24 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2007-08-08 06:24 208,896 --a------ C:\WINDOWS\system32\nvudisp.exe
2007-08-08 06:24 <DIR> d-------- C:\WINDOWS\nview
2007-08-08 06:23 <DIR> d-------- C:\NVIDIA
2007-08-08 06:21 90,112 -r------- C:\WINDOWS\soundman.exe
2007-08-08 06:21 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2007-08-08 06:21 7,552 --a------ C:\WINDOWS\system32\drivers\MSKSSRV.sys
2007-08-08 06:21 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2007-08-08 06:21 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2007-08-08 06:21 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2007-08-08 06:21 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2007-08-08 06:21 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2007-08-08 06:21 5,376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2007-08-08 06:21 40,960 -r------- C:\WINDOWS\system32\ChCfg.exe
2007-08-08 06:21 4,992 --a------ C:\WINDOWS\system32\drivers\MSPQM.sys
2007-08-08 06:21 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2007-08-08 06:21 3,727,680 -r------- C:\WINDOWS\system32\drivers\alcxwdm.sys
2007-08-08 06:21 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2007-08-08 06:21 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2007-08-08 06:21 157,184 -r------- C:\WINDOWS\system32\RtlCPAPI.dll
2007-08-08 06:21 145,792 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2007-08-08 06:21 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
2007-08-08 06:21 10,459,136 -r------- C:\WINDOWS\system32\RTLCPL.exe
2007-08-08 06:21 <DIR> d-------- C:\Program Files\Realtek Sound Manager
2007-08-08 06:21 <DIR> d-------- C:\Program Files\AvRack
2007-08-08 06:20 307,200 -r------- C:\WINDOWS\alcupd.exe
2007-08-08 06:20 212,992 -r------- C:\WINDOWS\alcrmv.exe
2007-08-08 06:20 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2007-08-08 06:20 <DIR> d-------- C:\Program Files\Realtek AC97
2007-08-08 06:20 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2007-08-08 06:19 5,824 --a------ C:\WINDOWS\system32\drivers\ASUSHWIO.SYS
2007-08-08 06:19 5,810 -ra------ C:\WINDOWS\system32\drivers\ASACPI.sys
2007-08-08 06:17 4,718,592 --ah----- C:\DOCUME~1\bigsi69\NTUSER.DAT


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2010-08-08 03:13 --------- d-------- C:\DOCUME~1\bigsi69\APPLIC~1\Lavasoft
2010-08-08 03:12 --------- d-------- C:\Program Files\Lavasoft
2010-08-08 03:12 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-08 02:56 --------- d-------- C:\DOCUME~1\bigsi69\APPLIC~1\SopCast
2008-08-08 02:55 --------- d-------- C:\Program Files\VideoLAN
2008-08-08 02:53 --------- d-------- C:\Program Files\SopCast
2008-08-08 01:04 2970 --a------ C:\WINDOWS\pchealth\helpctr\PackageStore\SkuStore.bin
2008-08-08 01:03 8972 --a------ C:\WINDOWS\pchealth\helpctr\Config\Cntstore.bin
2007-08-13 18:47 --------- d-------- C:\Program Files\EPSON
2007-07-04 09:48 132904 --a------ C:\WINDOWS\system32\drivers\imagesrv.sys
2007-07-04 09:48 11304 --a------ C:\WINDOWS\system32\drivers\imagedrv.sys
2007-06-27 19:05 972072 --a------ C:\WINDOWS\UNNeroMediaHome.exe
2007-06-26 14:12 972072 --a------ C:\WINDOWS\UNNeroVision.exe
2007-06-26 07:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-24 11:05 557056 -r-hs---- C:\WINDOWS\system32\MSCONFIG.EXE
2007-06-24 11:05 557056 -r-hs---- C:\WINDOWS\MSCONFIG.EXE
2007-06-24 11:05 557056 -r-hs---- C:\Limit.exe
2007-06-19 14:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 11:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-08 08:11 831048 --a------ C:\WINDOWS\system32\WudfUpdate_01005.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 13:56]
"nwiz"="nwiz.exe" [2007-04-19 13:26 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-19 13:26]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 15:10]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-19 13:26]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-15 13:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
"C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

R3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\fetnd5.sys


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-20 11:22:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-20 11:22:56
C:\ComboFix-quarantined-files.txt ... 2007-08-20 11:22

--- E O F ---


Then I ran HijackThis, and this is the log for that:



Logfile of HijackThis v1.99.1
Scan saved at 11:25:36, on 20/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1186551262375
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe




I was wondering if I am OK to re-attach my second hard drive? I won't connect it until I get the okay from yourself...

I didn't run Silent Runners because I wasn't sure what it is or where I get it...

Edited by bigsi69, 20 August 2007 - 04:38 AM.
