Unsolved

20 Posts

2002

March 23rd, 2008 15:00

I think I got a virus on my computer, but scans aren't picking it up.

My computer has been running badly lately, really slow too. I can't seem to install anything either; it gets halfway through installing and then an error comes up, or it says I don't have enough space on my hard drive. I check my hard drive and find out I still have 50 GB of free space. So I have enough space, but it says I don't.

Here's one of the error messages:

Local machine: installation failed
    Installation:
        Error: Action failed for registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:AVG7_CC: creating registry value....
            Illegal operation attempted on a registry key that has been marked for deletion.  (1018)

I'm unsure what that means, but that's from trying to install AVG, that anti-virus scan software. It also seems the longer my computer is on, the worse it is. As soon as I turn it on it's OK, but an hour later it's running horribly. I have 2 GB of RAM, so my computer shouldn't be running this slow, should it? I'm hardly ever running that much stuff at once. I usually just use this to play games on. Oh, it's a desktop computer by the way; I hear laptops are bad about running slow after a while.


Anyway, here's the Hijackthis scan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:09:14 AM, on 3/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Cox\Applications\app\SysSvcNt.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O4 - HKLM\..\Run: [www.shark-project.info] "C:\WINDOWS\inetexplorer.bat"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [sharK Server] "C:\WINDOWS\inetexplorer.bat"
O4 - HKLM\..\Policies\Explorer\Run: [Generic Host Process] C:\WINDOWS\system32\scvhost.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\James\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {03A0F84E-3E69-4B3E-B4D3-019CB73B57B3} (AuthWebWizardMain.DHTMLPage1) - http://www3.authentium.com/cssrelease/bin/WizMain.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {5FFFA267-0B81-42B4-BE64-77B5C9FE287F} (MinWebLauncher Control) - http://www.playran.com/game/MinWebLauncher.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159037365656
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Cox High Speed Internet Security Suite System Service (AuthSysSvc) - Authentium, Inc. - C:\Program Files\Cox\Applications\app\SysSvcNt.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - Unknown owner - C:\WINDOWS\C:\WINDOWS\System32\svchost.exe (file missing)

--
End of file - 8068 bytes

Let me know if you need anymore information.

10.4K Posts

March 24th, 2008 12:00

Arcway

It will take a couple of runs at this to completely remove the infection, so please be patient.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :


  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.


  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Microsoft MVP Consumer-Security

"The world is what you make of it"

20 Posts

March 24th, 2008 15:00

Ok, just got finished trying that. It didn't work. I restarted, then clicked F8, picked Safe Mode, but then I got the blue screen error. Do you need to know what the blue screen error said? I'll have to do it all over again, but I can if you need it. Thank you for helping, by the way.

10.4K Posts

March 24th, 2008 15:00

Arcway

Let's use another tool; the infection may be blocking the execution.

Please download Combofix and save to your desktop:
  • Note: It is important that it is saved directly to your desktop.
  • Close any open browsers.
  • Double click on combofix.exe and follow the prompts.
  • When it's finished it will produce a log.
  • Post the contents of the C:\ComboFix.txt into your next reply.
  • Note: Do not mouseclick combofix's window whilst it's running. That may cause the program to freeze/hang.

20 Posts

March 24th, 2008 18:00

There were no problems this time, it worked. Here it is:

ComboFix 08-03-22.3 - James 2008-03-24 13:56:44.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.1643 [GMT -5:00]
Running from: C:\Documents and Settings\James\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
-- Other TimeOuts --
Findstr -MIF:/ "\\TTC\.pdb InsertAdvertisement" 
GREP -i "C:\\Program Files\\[^\\]*\\[^\\]*$" 
VFind -tf -s282624 "C:\Program Files\????????*[0-9].dll" 
CF12804.exe /c " VFind.exe -ltf -s-1000000 -d+2007-12-24 "C:\Program Files\*" >progfile.dat"
VFind.exe -ltf -s-1000000 -d+2007-12-24 "C:\Program Files\*" 
CF12804.exe /c " dir /a/s/b C:\_desktop.ini C:\desktop_.ini C:\cnsmin* C:\_install.exe >DirRoot"

(((((((((((((((((((((((((   Files Created from 2008-02-24 to 2008-03-24  )))))))))))))))))))))))))))))))
.

2008-03-24 11:26 . 2008-03-24 05:24        d--------    C:\SDFix
2008-03-13 21:04 . 2008-03-13 21:04        d--------    C:\Program Files\Dell Photo AIO Printer 922
2008-03-13 21:04 . 2001-08-17 22:36    87,040    --a------    C:\WINDOWS\system32\wiafbdrv.dll
2008-03-13 21:04 . 2001-08-17 22:36    87,040    --a--c---    C:\WINDOWS\system32\dllcache\wiafbdrv.dll
2008-03-13 21:04 . 2004-08-03 22:58    15,104    --a------    C:\WINDOWS\system32\drivers\usbscan.sys
2008-03-13 21:04 . 2004-08-03 22:58    15,104    --a--c---    C:\WINDOWS\system32\dllcache\usbscan.sys
2008-03-09 12:49 . 2008-03-09 12:49        d--------    C:\Program Files\SafeNet Sentinel
2008-03-09 12:49 . 2008-03-09 12:49        d--------    C:\Program Files\Common Files\SafeNet Sentinel
2008-03-09 12:47 . 2008-03-09 12:47        d--------    C:\Program Files\NewTek
2008-03-09 12:23 . 2008-03-09 12:23        d--------    C:\Program Files\PowerISO
2008-03-07 19:10 . 2008-03-07 19:10        d--------    C:\Program Files\Alcohol Soft
2008-03-07 08:47 . 2008-03-07 08:47        d--------    C:\Program Files\Activision
2008-03-04 17:39 . 2008-03-04 22:54    52,224    --a------    C:\WINDOWS\system32\jpg.dll
2008-03-04 01:11 . 2008-03-04 01:11    108,336    --a------    C:\WINDOWS\system32\mswinsck.ocx
2008-03-04 01:11 . 2008-03-04 01:11    28,160    --a------    C:\WINDOWS\system32\zlib.dll
2008-03-02 00:02 . 2008-03-16 16:01        d--------    C:\Program Files\BitTorrent
2008-03-01 20:36 . 2008-03-01 20:36        d--------    C:\Documents and Settings\James\Application Data\BSplayer Pro
2008-03-01 20:36 . 2008-03-02 18:31        d--------    C:\Documents and Settings\James\Application Data\BSplayer
2008-03-01 19:32 . 2008-03-01 19:32        d--------    C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-03-01 19:31 . 2008-03-22 09:23        d--------    C:\WINDOWS\system32\ZoneLabs
2008-03-01 19:31 . 2004-04-27 05:40    11,264    --a------    C:\WINDOWS\system32\SpOrder.dll
2008-03-01 19:31 . 2008-03-01 19:33    4,212    ---h-----    C:\WINDOWS\system32\zllictbl.dat
2008-03-01 19:30 . 2008-03-22 09:23        d--------    C:\WINDOWS\Internet Logs
2008-03-01 19:23 . 2007-12-14 02:59    69,632    --a------    C:\WINDOWS\system32\javacpl.cpl
2008-03-01 19:22 . 2008-03-01 19:22        d--------    C:\Program Files\Common Files\Java
2008-03-01 17:29 . 2008-03-01 20:27        d--------    C:\Program Files\Trend Micro
2008-02-28 23:21 . 2008-02-29 18:29    2,654    --a------    C:\WINDOWS\system32\tmp.reg
2008-02-28 23:19 . 2007-09-06 00:22    289,144    --a------    C:\WINDOWS\system32\VCCLSID.exe
2008-02-28 23:19 . 2006-04-27 17:49    288,417    --a------    C:\WINDOWS\system32\SrchSTS.exe
2008-02-28 23:19 . 2008-02-22 19:44    86,016    --a------    C:\WINDOWS\system32\VACFix.exe
2008-02-28 23:19 . 2008-02-08 11:37    82,432    --a------    C:\WINDOWS\system32\IEDFix.exe
2008-02-28 23:19 . 2003-06-05 21:13    53,248    --a------    C:\WINDOWS\system32\Process.exe
2008-02-28 23:19 . 2004-07-31 18:50    51,200    --a------    C:\WINDOWS\system32\dumphive.exe
2008-02-28 23:19 . 2007-10-04 00:36    25,600    --a------    C:\WINDOWS\system32\WS2Fix.exe
2008-02-27 18:08 . 2008-03-01 17:22        d--------    C:\Documents and Settings\James\Application Data\AVG7
2008-02-27 18:07 . 2008-02-27 18:07        d--------    C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-27 18:07 . 2008-03-23 11:21        d--------    C:\Documents and Settings\All Users\Application Data\avg7
2008-02-27 11:11 . 2008-03-17 17:10        d--------    C:\Program Files\a-squared Anti-Malware
2008-02-26 18:22 . 2007-12-04 08:04    837,496    --a------    C:\WINDOWS\system32\aswBoot.exe
2008-02-26 18:22 . 2004-01-09 04:13    380,928    --a------    C:\WINDOWS\system32\actskin4.ocx
2008-02-26 18:22 . 2007-12-04 07:54    95,608    --a------    C:\WINDOWS\system32\AvastSS.scr
2008-02-26 18:22 . 2007-12-04 09:55    94,544    --a------    C:\WINDOWS\system32\drivers\aswmon2.sys
2008-02-26 18:22 . 2007-12-04 09:56    93,264    --a------    C:\WINDOWS\system32\drivers\aswmon.sys
2008-02-26 18:22 . 2007-12-04 09:51    42,912    --a------    C:\WINDOWS\system32\drivers\aswTdi.sys
2008-02-26 18:22 . 2007-12-04 09:49    26,624    --a------    C:\WINDOWS\system32\drivers\aavmker4.sys
2008-02-26 18:22 . 2007-12-04 09:53    23,152    --a------    C:\WINDOWS\system32\drivers\aswRdr.sys
2008-02-26 17:47 . 2008-02-29 22:04        d--------    C:\Program Files\NetProject
2008-02-24 15:15 . 2008-02-24 15:15        d--------    C:\Program Files\Google

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-22 14:23    ---------    d--h--w    C:\Program Files\InstallShield Installation Information
2008-03-17 03:16    ---------    d-----w    C:\Program Files\Neffy
2008-03-16 17:54    ---------    d-----w    C:\Documents and Settings\James\Application Data\BitTorrent
2008-03-02 01:36    ---------    d-----w    C:\Program Files\Webteh
2008-03-02 00:23    ---------    d-----w    C:\Program Files\Java
2008-03-01 21:52    ---------    d-----w    C:\Program Files\Common Files\Adobe
2008-02-23 18:29    ---------    d-----w    C:\Program Files\The Witcher
2008-02-23 18:22    ---------    d-----w    C:\Program Files\MaxOn Soft
2008-02-23 18:22    ---------    d-----w    C:\Program Files\G-Collections
2008-02-23 18:22    ---------    d-----w    C:\Program Files\Common Files\AVSMedia
2008-02-23 18:22    ---------    d-----w    C:\Program Files\AutoMacroRecorder
2008-02-22 19:11    ---------    d-----w    C:\Program Files\Free WMA to MP3 Converter
2008-01-28 01:28    ---------    d-----w    C:\Program Files\World of Warcraft
2006-12-29 03:47    774,144    ----a-w    C:\Program Files\RngInterstitial.dll
2003-07-16 20:51    379,519    --sh--w    C:\WINDOWS\inetexplorer.bat
2007-09-10 00:07    56    --sh--r    C:\WINDOWS\system32\C89ECD524E.sys
2007-09-10 00:07    952    --sha-w    C:\WINDOWS\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-12-01 00:49 4662776]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"msnmsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59 224248]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]
"sharK Server"="C:\WINDOWS\inetexplorer.bat" [2003-07-16 15:51 379519]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"www.shark-project.info"="C:\WINDOWS\inetexplorer.bat" [2003-07-16 15:51 379519]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-09-03 16:21:17 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"Generic Host Process"= C:\WINDOWS\system32\scvhost.exe

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=C:\WINDOWS\pss\Microsoft Find Fast.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2005-12-10 09:57 133016 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ESP]
--a------ 2006-07-30 14:09 63008 C:\Program Files\Cox\Applications\app\start.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\scvhost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
C:\WINDOWS\system32\scvhost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-09-24 18:39 185784 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 Asapi;ASAPI;C:\WINDOWS\system32\drivers\Asapi.sys [2002-04-17 20:27]
R1 cdrdrv;cdrdrv;C:\WINDOWS\system32\drivers\cdrdrv.sys [2002-07-26 14:32]
R1 vobcom;vobcom;C:\WINDOWS\system32\drivers\vobcom.sys [2001-10-04 11:53]
R1 vobiw;vobiw;C:\WINDOWS\system32\drivers\vobiw.sys [2002-08-09 16:23]
R3 kbdcap;kbdcap;C:\WINDOWS\system32\drivers\kbdcap.sys [2006-09-14 22:05]
S1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys []
S3 XDva037;XDva037;C:\WINDOWS\system32\XDva037.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f63b9094-1ea2-11dc-aa31-0016765e33a8}]
\Shell\AutoRun\command - J:\RCAMemoryMgr.exe
\Shell\Manage your videos\command - J:\RCAMemoryMgr.exe

*Newly Created Service* - CATCHME

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C2B7B150-B41B-B8F0-F160-F2F006DD302D}]
C:\WINDOWS\system32\My_Server.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-24 14:00:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-24 14:01:15
ComboFix-quarantined-files.txt  2008-03-24 19:00:59
.
2008-03-12 00:46:06    --- E O F --- 
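Reading the two logs above by hand, the entries an analyst would circle are all visible on the page: C:\WINDOWS\inetexplorer.bat, a batch file registered twice as an autorun (under HKLM as "www.shark-project.info" and under HKCU as "sharK Server") and carrying system and hidden attributes in the Find3M report; C:\WINDOWS\system32\scvhost.exe, one transposed letter away from the real svchost.exe seen in the running-process list and started from the rarely used Policies\Explorer\Run key; and the registry values that switch off Security Center monitoring and the Windows Firewall. The Python script below is an added example and is not part of this thread, of HijackThis or of ComboFix; it applies those same heuristics to a few lines copied from the logs above, embedded as constructed sample input. The list of Windows process names, the one-edit look-alike threshold and the "rare autorun key" list are assumptions chosen for illustration, not an authoritative allow-list.

```python
import re

# Windows process names that malware imitates with a one-letter change (assumed, illustrative list).
SYSTEM_NAMES = {"svchost", "lsass", "csrss", "winlogon", "explorer", "services", "smss", "spoolsv", "ctfmon"}
SCRIPT_EXTS = {"bat", "cmd", "vbs", "js", "pif", "scr"}
RARE_HIVES = ("policies\\explorer\\run",)  # autorun keys ordinary installers almost never use (assumption)

O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
PATH_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\[^"]+?\.(?:exe|bat|cmd|com|scr|pif|vbs|js|dll))"?', re.I)
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+[\d,-]+\s+(?P<attrs>[-\w]{7})\s+(?P<path>[A-Za-z]:\\.+)$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<val>.+)$')

# Constructed samples: lines copied verbatim from the logs posted in this thread.
SAMPLE_HJT = r"""O4 - HKLM\..\Run: [www.shark-project.info] "C:\WINDOWS\inetexplorer.bat"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [sharK Server] "C:\WINDOWS\inetexplorer.bat"
O4 - HKLM\..\Policies\Explorer\Run: [Generic Host Process] C:\WINDOWS\system32\scvhost.exe
"""
SAMPLE_REG = r"""[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""
SAMPLE_FILES = r"""2003-07-16 20:51    379,519    --sh--w    C:\WINDOWS\inetexplorer.bat
2007-09-10 00:07    56    --sh--r    C:\WINDOWS\system32\C89ECD524E.sys
2006-12-29 03:47    774,144    ----a-w    C:\Program Files\RngInterstitial.dll
"""

def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus adjacent transposition."""
    d = [[i] + [0] * len(b) for i in range(len(a) + 1)]
    d[0] = list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def triage_o4(log):
    """Flag suspicious HijackThis O4 (autorun) entries as (path, reason) pairs."""
    findings, registrations = [], {}
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        pm = PATH_RE.match(m["cmd"].strip()) if m else None
        if not pm:
            continue  # Global Startup .lnk lines and anything without a recognisable path
        path, hive = pm["path"], m["hive"]
        registrations.setdefault(path.lower(), []).append(f"{hive} [{m['name']}]")
        stem, _, ext = path.rsplit("\\", 1)[-1].lower().rpartition(".")
        if ext in SCRIPT_EXTS:
            findings.append((path, f"script file (.{ext}) registered as an autorun"))
        if stem not in SYSTEM_NAMES and any(osa_distance(stem, s) <= 1 for s in SYSTEM_NAMES):
            findings.append((path, f"look-alike of a Windows process name ({stem})"))
        if any(h in hive.lower() for h in RARE_HIVES):
            findings.append((path, f"uncommon autorun location ({hive})"))
    for path, regs in registrations.items():
        if len(regs) > 1:  # one payload under several names/hives is a persistence pattern
            findings.append((path, f"same payload registered {len(regs)} times: {'; '.join(regs)}"))
    return findings

def reg_int(val):
    # ComboFix prints DWORDs as 'dword:00000001' and firewall flags as '0 (0x0)'
    val = val.strip()
    return int(val[6:], 16) if val.lower().startswith("dword:") else int(val.split()[0])

def triage_registry(dump):
    """Flag Security Center and Windows Firewall tampering in ComboFix 'Reg Loading Points' output."""
    findings, key = [], ""
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        vm = VALUE_RE.match(line)
        if not vm:
            continue
        try:
            value = reg_int(vm["val"])
        except ValueError:
            continue  # string data such as a command line, not a numeric value
        name = vm["name"].lower()
        if "security center" in key and name == "disablemonitoring" and value == 1:
            findings.append(f"Security Center monitoring disabled under {key}")
        if "firewallpolicy" in key and name == "enablefirewall" and value == 0:
            findings.append(f"Windows Firewall disabled under {key}")
    return findings

def triage_files(dump):
    """Flag non-directory entries whose attribute field carries both system (s) and hidden (h)."""
    findings = []
    for line in dump.splitlines():
        fm = FILE_RE.match(line.strip())
        if fm and not fm["attrs"].startswith("d") and {"s", "h"} <= set(fm["attrs"]):
            findings.append((fm["path"], f"system+hidden attributes ({fm['attrs']})"))
    return findings
```

To use it on a full saved log, pass the file contents to triage_o4, triage_registry and triage_files and read the returned findings. The look-alike check uses an edit distance that counts an adjacent transposition as one edit, which is what catches scvhost against svchost while leaving ctfmon and TeaTimer alone; the "registered N times" finding is what ties the HKLM and HKCU entries for inetexplorer.bat together.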

10.4K Posts

March 25th, 2008 14:00

Arcway

You have a program that I am highly suspicious of, involving a web address, shark-project. I can find nothing good about this program.
Do you know what this program is, and did you install it on purpose?

I would like a sample of the file associated with it.


Please go HERE

Put your name, and Dell HJT forum

and in the "file to submit" box, click Browse. Using Windows Explorer
  • (Right click on "Start," select "Explore," and you will see the "tree" of file folders in the left side of the window. Click on the "+" next to any folder name to expand its contents)
Locate the file
  • C:\WINDOWS\inetexplorer.bat

In the comments, tell them that I asked you to upload the file.
Then select Send File.

20 Posts

March 29th, 2008 23:00

Sorry it's taken so long to get back to you; I haven't been near a computer the last few days. Alright, I'll fill it out. Sorry, but I don't know what it is, nor do I remember when I got it. When I had looked through it myself, I was wondering what it was, because I didn't remember.

Alright, I found the file; it was under:

    C:\WINDOWS\Prefetch\inetexplorer.bat-221840DC.pf

I'm unsure if it's the right file or not, because it has that "-221840DC.pf" at the end of it.

10.4K Posts

March 30th, 2008 11:00

Arcway

No problem.

That is the correct file.

20 Posts

March 30th, 2008 17:00

Alright, let me know if there's anything I need to do. Oh, and I found something else out about it: it keeps me from updating too. Firefox was trying to upload this morning, and it would get about a quarter of the way before an error appeared. I restarted and tried it over again, but the updates wouldn't update.

10.4K Posts

March 31st, 2008 13:00

Arcway

That file seems to be clean. And we still have some work to do before your PC is clean. That may still be affecting your ability to update.

I would still like to know if you are familiar with Shark Server?

1. Open NotePad (not wordpad). Copy and paste the following into Notepad

File::
C:\WINDOWS\system32\scvhost.exe
C:\WINDOWS\system32\My_Server.exe

Folder::
C:\Program Files\NetProject


Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"Generic Host Process"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C2B7B150-B41B-B8F0-F160-F2F006DD302D}]

Save the file as CFScript (exactly as shown, no spaces) and save it to your Desktop.

Using the image as a reference, drag CFScript into ComboFix.exe.

  • You will be prompted to run Combofix again; do so,
  • following the same rules as indicated in my first post.
  • Then post the contents of the C:\ComboFix.txt log in your reply.

2. Rerun Hijackthis and post a fresh Hijackthis log as well

20 Posts

April 1st, 2008 01:00

And here's the HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:06:19 PM, on 3/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Cox\Applications\app\SysSvcNt.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O4 - HKLM\..\Run: [www.shark-project.info] "C:\WINDOWS\inetexplorer.bat"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [sharK Server] "C:\WINDOWS\inetexplorer.bat"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\James\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {03A0F84E-3E69-4B3E-B4D3-019CB73B57B3} (AuthWebWizardMain.DHTMLPage1) - http://www3.authentium.com/cssrelease/bin/WizMain.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {5FFFA267-0B81-42B4-BE64-77B5C9FE287F} (MinWebLauncher Control) - http://www.playran.com/game/MinWebLauncher.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159037365656
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Cox High Speed Internet Security Suite System Service (AuthSysSvc) - Authentium, Inc. - C:\Program Files\Cox\Applications\app\SysSvcNt.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

--
End of file - 7745 bytes

20 Posts

April 1st, 2008 01:00

No, I'm afraid I've never heard of Shark Server. Do you know what it is? Is it the cause of the problem?


Here's the ComboFix.exe:

 ComboFix 08-03-22.3 - James 2008-03-31 20:43:36.2 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.1638 [GMT -5:00]
Running from: C:\Documents and Settings\James\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\James\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\My_Server.exe
C:\WINDOWS\system32\scvhost.exe
.
-- Other TimeOuts --
Findstr -MIF:/ "\\TTC\.pdb InsertAdvertisement"  
GREP -i "C:\\Program Files\\[^\\]*\\[^\\]*$"  
VFind -tf -s282624 "C:\Program Files\????????*[0-9].dll"  
CF3306.exe /c " VFind.exe -ltf -s-1000000 -d+2008-01-01 "C:\Program Files\*" >progfile.dat"
VFind.exe -ltf -s-1000000 -d+2008-01-01 "C:\Program Files\*"  
CF3306.exe /c " dir /a/s/b C:\_desktop.ini C:\desktop_.ini C:\cnsmin* C:\_install.exe >DirRoot"

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\NetProject

.
(((((((((((((((((((((((((   Files Created from 2008-03-01 to 2008-04-01  )))))))))))))))))))))))))))))))
.

2008-03-24 18:23 . 2008-03-26 15:34    54,156    --ah-----    C:\WINDOWS\QTFont.qfn
2008-03-24 18:23 . 2008-03-24 18:23    1,409    --a------    C:\WINDOWS\QTFont.for
2008-03-24 11:26 . 2008-03-24 05:24         d--------    C:\SDFix
2008-03-13 21:04 . 2008-03-13 21:04         d--------    C:\Program Files\Dell Photo AIO Printer 922
2008-03-13 21:04 . 2001-08-17 22:36    87,040    --a------    C:\WINDOWS\system32\wiafbdrv.dll
2008-03-13 21:04 . 2001-08-17 22:36    87,040    --a--c---    C:\WINDOWS\system32\dllcache\wiafbdrv.dll
2008-03-13 21:04 . 2004-08-03 22:58    15,104    --a------    C:\WINDOWS\system32\drivers\usbscan.sys
2008-03-13 21:04 . 2004-08-03 22:58    15,104    --a--c---    C:\WINDOWS\system32\dllcache\usbscan.sys
2008-03-09 12:49 . 2008-03-09 12:49         d--------    C:\Program Files\SafeNet Sentinel
2008-03-09 12:49 . 2008-03-09 12:49         d--------    C:\Program Files\Common Files\SafeNet Sentinel
2008-03-09 12:47 . 2008-03-09 12:47         d--------    C:\Program Files\NewTek
2008-03-09 12:23 . 2008-03-09 12:23         d--------    C:\Program Files\PowerISO
2008-03-07 19:10 . 2008-03-07 19:10         d--------    C:\Program Files\Alcohol Soft
2008-03-07 08:47 . 2008-03-07 08:47         d--------    C:\Program Files\Activision
2008-03-04 17:39 . 2008-03-04 22:54    52,224    --a------    C:\WINDOWS\system32\jpg.dll
2008-03-04 01:11 . 2008-03-04 01:11    108,336    --a------    C:\WINDOWS\system32\mswinsck.ocx
2008-03-04 01:11 . 2008-03-04 01:11    28,160    --a------    C:\WINDOWS\system32\zlib.dll
2008-03-02 00:02 . 2008-03-16 16:01         d--------    C:\Program Files\BitTorrent
2008-03-01 20:36 . 2008-03-01 20:36         d--------    C:\Documents and Settings\James\Application Data\BSplayer Pro
2008-03-01 20:36 . 2008-03-02 18:31         d--------    C:\Documents and Settings\James\Application Data\BSplayer
2008-03-01 19:32 . 2008-03-01 19:32         d--------    C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-03-01 19:31 . 2008-03-22 09:23         d--------    C:\WINDOWS\system32\ZoneLabs
2008-03-01 19:31 . 2004-04-27 05:40    11,264    --a------    C:\WINDOWS\system32\SpOrder.dll
2008-03-01 19:31 . 2008-03-01 19:33    4,212    ---h-----    C:\WINDOWS\system32\zllictbl.dat
2008-03-01 19:30 . 2008-03-22 09:23         d--------    C:\WINDOWS\Internet Logs
2008-03-01 19:23 . 2007-12-14 02:59    69,632    --a------    C:\WINDOWS\system32\javacpl.cpl
2008-03-01 19:22 . 2008-03-01 19:22         d--------    C:\Program Files\Common Files\Java
2008-03-01 17:29 . 2008-03-01 20:27         d--------    C:\Program Files\Trend Micro

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-27 17:25    ---------    d-----w    C:\Documents and Settings\All Users\Application Data\avg7
2008-03-22 14:23    ---------    d--h--w    C:\Program Files\InstallShield Installation Information
2008-03-17 22:10    ---------    d-----w    C:\Program Files\a-squared Anti-Malware
2008-03-17 03:16    ---------    d-----w    C:\Program Files\Neffy
2008-03-16 17:54    ---------    d-----w    C:\Documents and Settings\James\Application Data\BitTorrent
2008-03-02 01:36    ---------    d-----w    C:\Program Files\Webteh
2008-03-02 00:23    ---------    d-----w    C:\Program Files\Java
2008-03-01 22:22    ---------    d-----w    C:\Documents and Settings\James\Application Data\AVG7
2008-03-01 21:52    ---------    d-----w    C:\Program Files\Common Files\Adobe
2008-02-27 23:07    ---------    d-----w    C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-24 20:15    ---------    d-----w    C:\Program Files\Google
2008-02-23 18:29    ---------    d-----w    C:\Program Files\The Witcher
2008-02-23 18:22    ---------    d-----w    C:\Program Files\MaxOn Soft
2008-02-23 18:22    ---------    d-----w    C:\Program Files\G-Collections
2008-02-23 18:22    ---------    d-----w    C:\Program Files\Common Files\AVSMedia
2008-02-23 18:22    ---------    d-----w    C:\Program Files\AutoMacroRecorder
2008-02-23 00:44    86,016    ----a-w    C:\WINDOWS\system32\VACFix.exe
2008-02-22 19:11    ---------    d-----w    C:\Program Files\Free WMA to MP3 Converter
2008-02-08 16:37    82,432    ----a-w    C:\WINDOWS\system32\IEDFix.exe
2006-12-29 03:47    774,144    ----a-w    C:\Program Files\RngInterstitial.dll
2003-07-16 20:51    379,519    --sh--w    C:\WINDOWS\inetexplorer.bat
2007-09-10 00:07    56    --sh--r    C:\WINDOWS\system32\C89ECD524E.sys
2007-09-10 00:07    952    --sha-w    C:\WINDOWS\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((   snapshot@2008-03-24_14.00.41.40   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-01 01:32:17    16,384    ----atw    C:\WINDOWS\Temp\Perflib_Perfdata_730.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-12-01 00:49 4662776]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"msnmsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59 224248]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]
"sharK Server"="C:\WINDOWS\inetexplorer.bat" [2003-07-16 15:51 379519]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"www.shark-project.info"="C:\WINDOWS\inetexplorer.bat" [2003-07-16 15:51 379519]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-09-03 16:21:17 24576]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=C:\WINDOWS\pss\Microsoft Find Fast.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2005-12-10 09:57 133016 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ESP]
--a------ 2006-07-30 14:09 63008 C:\Program Files\Cox\Applications\app\start.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-09-24 18:39 185784 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 Asapi;ASAPI;C:\WINDOWS\system32\drivers\Asapi.sys [2002-04-17 20:27]
R1 cdrdrv;cdrdrv;C:\WINDOWS\system32\drivers\cdrdrv.sys [2002-07-26 14:32]
R1 vobcom;vobcom;C:\WINDOWS\system32\drivers\vobcom.sys [2001-10-04 11:53]
R1 vobiw;vobiw;C:\WINDOWS\system32\drivers\vobiw.sys [2002-08-09 16:23]
R3 kbdcap;kbdcap;C:\WINDOWS\system32\drivers\kbdcap.sys [2006-09-14 22:05]
S1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys []
S3 XDva037;XDva037;C:\WINDOWS\system32\XDva037.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f63b9094-1ea2-11dc-aa31-0016765e33a8}]
\Shell\AutoRun\command - J:\RCAMemoryMgr.exe
\Shell\Manage your videos\command - J:\RCAMemoryMgr.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-31 20:47:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-31 20:47:55
ComboFix-quarantined-files.txt  2008-04-01 01:47:39
ComboFix2.txt  2008-03-24 19:01:16
.
2008-03-12 00:46:06    --- E O F ---  


10.4K Posts

April 1st, 2008 14:00

ArcWay

The info on it is scarce, and none of it good. If you do not know what it is, then I suggest we get rid of it.

We need to temporarily disable Spybot-S&D TeaTimer so it doesn't interfere with our fix
  • 1) Run Spybot-S&D
    2) Go to the Mode menu, and make sure "Advanced Mode" is selected
    3) On the left hand side, choose Tools -> Resident
    4) Uncheck "Resident TeaTimer" and OK any prompts
    5) Restart your computer.




1. Rerun Hijackthis (scan only) and place checks beside the following entries
  • O4 - HKLM\..\Run: [www.shark-project.info] "C:\WINDOWS\inetexplorer.bat"
    O4 - HKCU\..\Run: [sharK Server] "C:\WINDOWS\inetexplorer.bat"

Close all other open windows except Hijackthis and Select " Fix checked"

Close Hijackthis ->> Reboot your PC ->> Rerun Hijackthis and post a fresh Hijackthis log

Microsoft MVP Consumer-Security



"The world is what you make of it"




20 Posts

April 1st, 2008 22:00

I'm not sure that worked, because I had to do it about three times. Every time I ran it after it booted up they were there again. It's not on there now, but

    O4 - HKCU\..\Run: [boredcodersÿ] "C:\WINDOWS\inetexplorer.bat"

is there now, is that ok?


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:10:26 PM, on 4/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Cox\Applications\app\SysSvcNt.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O4 - HKLM\..\Run: "C:\WINDOWS\inetexplorer.bat"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [boredcodersÿ] "C:\WINDOWS\inetexplorer.bat"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\James\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {03A0F84E-3E69-4B3E-B4D3-019CB73B57B3} (AuthWebWizardMain.DHTMLPage1) - http://www3.authentium.com/cssrelease/bin/WizMain.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {5FFFA267-0B81-42B4-BE64-77B5C9FE287F} (MinWebLauncher Control) - http://www.playran.com/game/MinWebLauncher.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159037365656
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Cox High Speed Internet Security Suite System Service (AuthSysSvc) - Authentium, Inc. - C:\Program Files\Cox\Applications\app\SysSvcNt.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

--
End of file - 7582 bytes

10.4K Posts

April 2nd, 2008 12:00

Arcway

It seems to be putting up a fight.

1. Rerun Hijackthis (scan only) and place checks beside the following entries
  • O4 - HKLM\..\Run: "C:\WINDOWS\inetexplorer.bat"
    O4 - HKCU\..\Run: [boredcodersÿ] "C:\WINDOWS\inetexplorer.bat"


Close all other open windows except Hijackthis and Select " Fix checked"

Close Hijackthis ->> Reboot your PC ->> Rerun Hijackthis and post a fresh Hijackthis log

2. Are you sure that file inetexplorer.bat is not in the C:\WINDOWS\ folder?

3. Your log shows signs of Symantec (Norton) and avast!. Which one are you using for an Anti Virus Program?

Microsoft MVP Consumer-Security



"The world is what you make of it"




20 Posts

April 5th, 2008 00:00

1. Alright, but Shark came back; you're right, it seems to be fighting back.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:33:08 PM, on 4/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Cox\Applications\app\SysSvcNt.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O4 - HKLM\..\Run: [arK Server] "C:\WINDOWS\inetexplorer.bat"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [sharK Server] "C:\WINDOWS\inetexplorer.bat"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\James\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {03A0F84E-3E69-4B3E-B4D3-019CB73B57B3} (AuthWebWizardMain.DHTMLPage1) - http://www3.authentium.com/cssrelease/bin/WizMain.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {5FFFA267-0B81-42B4-BE64-77B5C9FE287F} (MinWebLauncher Control) - http://www.playran.com/game/MinWebLauncher.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159037365656
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Cox High Speed Internet Security Suite System Service (AuthSysSvc) - Authentium, Inc. - C:\Program Files\Cox\Applications\app\SysSvcNt.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

--
End of file - 7591 bytes

2. I'm sure, it's in:  C:\WINDOWS\Prefetch\INETEXPLORER.BAT-221840DC.pf

        That was as close to the file as I could find.

3. I used to have Norton, a trial version, but I didn't think it worked all that well, so I uninstalled it and got avast. A friend of mine had told me about avast and how good it was, and after using it I agree with him. I thought I had completely uninstalled it, but I guess there was a bit left.

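As an added example (not part of this thread and not a HijackThis feature), a small Python triage script that parses the O4 lines of the successive logs posted above and surfaces the pattern the helper is fighting: one target, C:\WINDOWS\inetexplorer.bat, re-registered under a changing value name in both HKLM and HKCU after each fix, while ordinary entries such as ctfmon.exe stay stable. The sample log lines are copied from this thread; the flag names, the heuristics and the path normalisation are the example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: O4 autostart lines copied from three successive HijackThis
# logs in this thread (2008-03-23, 2008-04-01, 2008-04-04), cut down to the
# entries needed for the demonstration.
SAMPLE_LOGS = [
    ("2008-03-23", r"""
O4 - HKLM\..\Run: [www.shark-project.info] "C:\WINDOWS\inetexplorer.bat"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [sharK Server] "C:\WINDOWS\inetexplorer.bat"
"""),
    ("2008-04-01", r"""
O4 - HKLM\..\Run: "C:\WINDOWS\inetexplorer.bat"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [boredcodersÿ] "C:\WINDOWS\inetexplorer.bat"
"""),
    ("2008-04-04", r"""
O4 - HKLM\..\Run: [arK Server] "C:\WINDOWS\inetexplorer.bat"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [sharK Server] "C:\WINDOWS\inetexplorer.bat"
"""),
]

# "O4 - <hive>\..\Run[Once|Services]: [<value name>] <command>". The bracketed
# value name is optional: HijackThis prints nothing for an empty name, as in the
# 2008-04-01 log above.
O4_RUN = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): (?:\[(.*?)\] )?(.*)$')
TARGET_QUOTED = re.compile(r'^"([^"]+)"')
TARGET_BARE = re.compile(r'^(.+?\.(?:exe|bat|cmd|com|scr|pif|vbs|js))(?:\s|$)', re.I)
# Heuristics below are this example's own assumptions, not HijackThis rules.
SCRIPT_EXT = ('.bat', '.cmd', '.vbs', '.js', '.pif', '.scr')
WINDIR_ROOT = re.compile(r'[a-z]:\\windows\\[^\\]+')   # file directly in %WINDIR%


def extract_target(command):
    """Return the launched file from an O4 command string, lower-cased so that
    differently cased registrations of the same file group together."""
    m = TARGET_QUOTED.match(command) or TARGET_BARE.match(command)
    return (m.group(1) if m else command).strip().lower()


def parse_o4(log_text):
    """Return (hive, key, name, target) for each registry Run entry in a log;
    Global Startup folder lines are not registry values and are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if m:
            hive, key, name, command = m.groups()
            entries.append((hive, key, name, extract_target(command)))
    return entries


def entry_flags(name, target):
    """Per-registration heuristics: odd value names and odd target locations."""
    flags = set()
    if name is None:
        flags.add("unnamed value")
    elif not name.isascii() or not name.isprintable():
        # e.g. the stray byte rendered as 'ÿ' in [boredcodersÿ]
        flags.add("non-ASCII or non-printable name")
    if target.endswith(SCRIPT_EXT):
        flags.add("script/launcher run at logon")
    if WINDIR_ROOT.fullmatch(target):
        flags.add("file placed directly in %WINDIR%")
    return flags


def triage(logs):
    """Group Run entries by target across successive logs (oldest first) and
    return {target: sorted flags}; an empty list means nothing looked odd."""
    flags = defaultdict(set)
    names_seen = defaultdict(set)     # target -> value names over all logs
    logs_seen = defaultdict(set)      # target -> ids of logs it appeared in
    for log_id, text in logs:
        registrations = defaultdict(set)   # target -> {(hive, name)} this log
        for hive, _key, name, target in parse_o4(text):
            flags[target] |= entry_flags(name, target)
            registrations[target].add((hive, name))
            names_seen[target].add(name)
            logs_seen[target].add(log_id)
        for target, regs in registrations.items():
            if len(regs) > 1:
                flags[target].add("same target registered under multiple names/hives")
    for target in flags:
        # Survived at least one fix-and-reboot cycle and came back renamed.
        if len(logs_seen[target]) > 1 and len(names_seen[target]) > 1:
            flags[target].add("reappears in later logs under a different name")
    return {target: sorted(f) for target, f in flags.items()}


if __name__ == "__main__":
    for target, fl in sorted(triage(SAMPLE_LOGS).items(), key=lambda kv: (not kv[1], kv[0])):
        print(f"{target}: {'; '.join(fl) if fl else 'nothing unusual'}")
```

Feeding each new log to the same script as the thread progresses is what makes the "came back under a new name" signal visible; a single log only shows the duplicate HKLM/HKCU registration.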