
Rustock.b problem??

Discussion in 'Malware and Virus Removal Archive' started by kalle, 2007/01/31.

  1. 2007/01/31
    kalle

    kalle Inactive Thread Starter

    Joined:
    2007/01/31
    Messages:
    7
    Likes Received:
    0
    Hi,

    I have some strange behavior on my machine. It works just fine until I make VPN connection with it, then it will crash within minutes. I have looked at the dumps and lzx32.sys seems to cause the problem. Googling around I found this site and more information here as well. It seems to be the Rustock.b rootkit which seems really nasty.

    So I tried to clean it with Rustbfix.exe, which was recommended in another thread here. Rustbfix says it cannot do it; more sophisticated tools are needed. I have tried to use Symantec AntiVirus but it doesn't help. So I would really appreciate some help on this.

    Thanks in advance!

    Rustbfix.exe log file:

    Rustock.b-ADS attached to the System32-folder:
    Attempting to remove ADS...

    Looking for Rustock.b-files in the System32-folder:
    ECHO is off.


    ******************* Post-run Status of system *******************

    Rustock.b-driver on the system:
    YOU NEED TO CONSULT MORE ADVANCED TOOLS!!
    The Gmer-rootkitscanner may be a good place to start.
    Gmer rootkit-scanner may be found here: http://www.gmer.net

    Rustock.b-ADS attached to the System32-folder:
    ECHO is off.
    You should either run the tool again or consult more advanced tools
    The Gmer-rootkitscanner may be a good place to start.
    Gmer rootkit-scanner may be found here: http://www.gmer.net

    Looking for Rustock.b-files in the System32-folder:
    ECHO is off.
    You should either run the tool again or consult more advanced tools
    Swandog46's Avenger or Gmer's-rootkitscanner may be a good place to start.
    Swandog46's Avenger may be found here: http://swandog46.geekstogo.com/avengernotes.htm
    Gmer rootkit-scanner may be found here: http://www.gmer.net


    ******************************* End of Logfile ********************************


    HijackThis log file after running Rustbfix.exe:
    Logfile of HijackThis v1.99.1
    Scan saved at 13:19:24, on 2007-01-31
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Acer\eManager\anbmServ.exe
    c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
    C:\Program Files\Dantz\Client\Remotsvc.exe
    C:\Program Files\Dantz\Client\retroclient.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\NOTEPAD.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\acer\epm\epm-dm.exe
    C:\PROGRA~1\LAUNCH~1\LManager.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
    C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
    C:\PROGRA~1\MI3AA1~1\wcescomm.exe
    C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Dexpot\dexpot.exe
    C:\Program Files\Logitech\Video\FxSvr2.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
    C:\Program Files\Attensa\AttensaEngine.exe
    C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\3M\PSNLite\PsnLite.exe
    C:\Program Files\confero\bin\invito.exe
    C:\Program Files\Juice\Juice.exe
    C:\Program Files\Clickatell Messenger-PRO 3\MessengerPRO.exe
    C:\Program Files\Miranda IM\miranda32.exe
    C:\PROGRA~1\3M\PSNLite\PSNGive.exe
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\system32\javaw.exe
    C:\Nokia\Update_Manager\bin\UMScheduler.exe
    C:\Program Files\Common Files\PCSuite\Services\NclBTHandler.exe
    C:\Program Files\Attensa\Analytics.exe
    C:\Program Files\Attensa\AttensaNotifier.exe
    C:\Program Files\Common Files\Teleca Shared\Generic.exe
    C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\epmworker.exe
    C:\Nokia\Tools\Nokia_Connectivity_Framework\bin\rendezvous.exe
    C:\Nokia\Tools\Nokia_Connectivity_Framework\bin\phoneNumberRegistry.exe
    C:\Nokia\Tools\Nokia_Connectivity_Framework\bin\bluetoothDispatcher.exe
    C:\PROGRA~1\MOZILL~2\THUNDE~1.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\HJT\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: PluginBHO Class - {6C1178CD-2276-45FE-ACC1-02CDD2481F9D} - C:\Program Files\Attensa\AttensaIEPlugin.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
    O3 - Toolbar: Attensa for IE - {458E6614-0D24-415A-824A-130064AF7BF8} - C:\Program Files\Attensa\AttensaIEPlugin.dll
    O4 - HKLM\..\Run: [LaunchApp] Alaunch
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
    O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
    O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
    O4 - HKLM\..\Run: [eRecoveryService] C:\Program Files\Acer\eRecovery\Monitor.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe "
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe "
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe "
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
    O4 - HKLM\..\Run: [VaCtrl] C:\Program Files\VoiceAge\Common\VaCtrl.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
    O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\system32\autosys.exe
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe "
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [Dexpot 1.4] C:\Program Files\Dexpot\dexpot.exe
    O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
    O4 - Startup: invito.lnk = C:\Program Files\confero\bin\invito.exe
    O4 - Startup: Juice.lnk = C:\Program Files\Juice\Juice.exe
    O4 - Startup: Messenger-PRO 3.lnk = C:\Program Files\Clickatell Messenger-PRO 3\MessengerPRO.exe
    O4 - Startup: Miranda IM.lnk = C:\Program Files\Miranda IM\miranda32.exe
    O4 - Startup: Nokia Connectivity Framework Lite.lnk = C:\Nokia\Tools\Nokia_Connectivity_Framework\bin\NCFStart.exe
    O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Startup: UMScheduler 2.0.lnk = C:\Nokia\Update_Manager\bin\UMScheduler.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Attensa.lnk = C:\Program Files\Attensa\AttensaEngine.exe
    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Rea&d in intraVnews - C:\Program Files\intraVnews\ie.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
    O23 - Service: Retrospect Client - Dantz Development Corporation - C:\Program Files\Dantz\Client\Remotsvc.exe
    O23 - Service: Retrospect Helper - EMC Corporation - C:\Program Files\Dantz\Client\rthlpsvc.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - D:\Development\web\Tomcat 5.5\bin\tomcat5.exe" //RS//Tomcat5 (file missing)
    O23 - Service: wampapache - Unknown owner - d:\wamp\Apache2\bin\Apache.exe" -k runservice (file missing)
    O23 - Service: wampmysqld - Unknown owner - d:\wamp\mysql\bin\mysqld-nt.exe
    O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)
    O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
     
  2. 2007/01/31
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Hello and welcome to WindowsBBS Forums.

    Yes, rustockB may be a problem, but you also have a HackerDefender infection too. So we'll address that then run GMER.

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
    • Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.


    After that has run:
    Download GMER from one of the following sites listed on this Google page. Due to an ongoing DDoS attack, the good people at Google have offered to host the download links.
    • Right Click the Zip and Select "Extract All"
    • Double-click gmer.exe to launch the program.
    • Click on the Rootkit Tab and on the right side, untick the Registry box, then click Scan.
    Once the scan is done, hit the copy button, then open notepad and paste the results here for me to see.
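    Before the SDFix and GMER steps above, a helper reads the HijackThis log for a few patterns, and the one that matters most in kalle's log is the O23 line for MsaSvc: a service with "Unknown owner" whose binary HijackThis reports as "(file missing)" although the service is registered (SDFix later finds and deletes that file in Safe Mode). The other "(file missing)" services (WinVNC, Tomcat, Apache) have a stray quote in their command line, which is what HijackThis most likely tripped over, since those are tools the user clearly runs. The following Python triage is an added example for this thread; it is not part of HijackThis, SDFix or anything posted here. The five log lines are copied from kalle's HijackThis log above; the severity labels and the small allowlist of system32 autostart names are assumptions of this example, and the thread itself passes no verdict on the AutoSys entry.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Five lines copied from the HijackThis v1.99.1 log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\system32\autosys.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)
"""

# HijackThis line shapes: "O23 - Service: <display> - <owner> - <command>"
# and "O4 - HKLM\..\Run: [<name>] <command>".
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
IMAGE_RE = re.compile(r'^"?(?P<img>[^"]+?\.exe)', re.IGNORECASE)

# Assumption of this example: autostarts from system32 that are normal on an XP box.
KNOWN_SYSTEM32_AUTOSTARTS = {"ctfmon.exe", "rundll32.exe", "igfxtray.exe", "hkcmd.exe"}


@dataclass
class Finding:
    severity: str  # "high", "review" or "info"
    line: str
    reason: str


def image_name(cmd: str) -> tuple[str, str]:
    """Return (image path, lowercase basename) from a Run or Service command line."""
    m = IMAGE_RE.match(cmd.strip())
    img = m.group("img") if m else cmd.strip()
    return img, img.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> list[Finding]:
    """Flag the O23/O4 patterns a helper looks at first; other line types are ignored."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        svc = O23_RE.match(line)
        if svc:
            owner, cmd = svc.group("owner"), svc.group("cmd")
            missing = cmd.endswith("(file missing)")
            if owner != "Unknown owner":
                continue  # vendor information present and file found: nothing to do here
            if missing and '"' not in cmd:
                # Registered service, no vendor, and the scanner cannot see the binary
                # at the registered path: the shape of the MsaSvc entry in this thread.
                findings.append(Finding("high", line,
                    "service without vendor whose binary the scanner cannot see: stale entry or file hidden from the scan"))
            elif missing:
                # A stray quote leaves HijackThis looking up 'file.exe" -args', which it
                # then reports as missing; confirm the path before drawing conclusions.
                findings.append(Finding("info", line,
                    "quoted command line: confirm the file exists before treating it as missing"))
            else:
                findings.append(Finding("info", line,
                    "service without vendor information: confirm you installed it"))
            continue
        run = O4_RE.match(line)
        if run:
            img, base = image_name(run.group("cmd"))
            # Heuristic (assumption): an autostart launched from system32 under a name
            # not on the allowlist is worth a manual look, nothing more.
            if "\\system32\\" in img.lower() and base not in KNOWN_SYSTEM32_AUTOSTARTS:
                findings.append(Finding("review", line,
                    "autostart from system32 with an image name not on the allowlist"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

    Run on the sample, the script reports the AutoSys entry for review, the MsaSvc service as high, and the WinVNC service as info only; the Symantec service and the Synaptics autostart produce no finding. The point of the three-way split is that "(file missing)" on its own is not a verdict: the same string comes out of a quoting quirk and out of a service whose file the scanner could not see, and only the second one is what SDFix then removed.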
     

  3. 2007/01/31
    kalle

    kalle Inactive Thread Starter

    Joined:
    2007/01/31
    Messages:
    7
    Likes Received:
    0
    SDFix report:


    SDFix: Version 1.63

    2007-01-31 - 16:26:40,59

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:

    Name:
    MsaSvc

    Path:
    C:\WINDOWS\system32\msasvc.exe

    MsaSvc Deleted

    Restoring Windows Registry Entries
    Restoring Default Hosts File


    Rebooting...

    Normal Mode:
    Checking Files:

    Below files will be copied to Backups folder then removed:

    C:\WINDOWS\system32\info.txt - Deleted



    ADS Check:

    C:\WINDOWS\system32
    No streams found.

    Final Check:

    Remaining Services:
    ------------------


    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "= "%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 "
    "C:\\Program Files\\iTunes\\iTunes.exe "= "C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes "
    "C:\\Program Files\\Miranda IM\\miranda32.exe "= "C:\\Program Files\\Miranda IM\\miranda32.exe:*:Enabled:Miranda IM "
    "C:\\Program Files\\confero\\bin\\invito.exe "= "C:\\Program Files\\confero\\bin\\invito.exe:*:Enabled:invito "
    "D:\\Development\\SonyEricsson\\J2ME_SDK\\PC_Emulation\\WTK2\\bin\\emulator.exe "= "D:\\Development\\SonyEricsson\\J2ME_SDK\\PC_Emulation\\WTK2\\bin\\emulator.exe:*:Enabled:emulator "
    "D:\\Development\\java\\WTK22\\bin\\emulator.exe "= "D:\\Development\\java\\WTK22\\bin\\emulator.exe:*:Enabled:emulator "
    "C:\\Program Files\\confero\\bin\\confero.exe "= "C:\\Program Files\\confero\\bin\\confero.exe:*:Enabled:confero "
    "C:\\WINDOWS\\system32\\java.exe "= "C:\\WINDOWS\\system32\\java.exe:*:Enabled:Java(TM) 2 Platform Standard Edition binary "
    "D:\\Development\\java\\jdk1.5.0_06\\bin\\java.exe "= "D:\\Development\\java\\jdk1.5.0_06\\bin\\java.exe:*:Enabled:Java(TM) 2 Platform Standard Edition binary "
    "C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe "= "C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager "
    "C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe "= "C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager "
    "C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe "= "C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application "
    "D:\\Development\\java\\jdk1.5.0_06\\bin\\javaw.exe "= "D:\\Development\\java\\jdk1.5.0_06\\bin\\javaw.exe:*:Enabled:Java(TM) 2 Platform Standard Edition binary "
    "C:\\WINDOWS\\system32\\javaw.exe "= "C:\\WINDOWS\\system32\\javaw.exe:*:Enabled:Java(TM) 2 Platform Standard Edition binary "
    "C:\\Program Files\\Ubisoft\\Ghost Recon Advanced Warfighter\\graw.exe "= "C:\\Program Files\\Ubisoft\\Ghost Recon Advanced Warfighter\\graw.exe:*:Enabled:graw "
    "D:\\Games\\Rainbow Six Lockdown\\Lockdown.exe "= "D:\\Games\\Rainbow Six Lockdown\\Lockdown.exe:*:Enabled:Lockdown "
    "D:\\wamp\\Apache2\\bin\\Apache.exe "= "D:\\wamp\\Apache2\\bin\\Apache.exe:*:Enabled:Apache HTTP Server "
    "C:\\Program Files\\FlashFXP\\flashfxp.exe "= "C:\\Program Files\\FlashFXP\\FlashFXP.exe:*:Enabled:FlashFXP v3 "
    "D:\\Development\\SonyEricsson\\J2ME_SDK\\PC_Emulation\\WTK1\\bin\\emulator.exe "= "D:\\Development\\SonyEricsson\\J2ME_SDK\\PC_Emulation\\WTK1\\bin\\emulator.exe:*:Enabled:emulator "
    "D:\\Development\\java\\SonyEricsson\\J2ME_SDK\\OnDeviceDebug\\bin\\serialproxy.exe "= "D:\\Development\\java\\SonyEricsson\\J2ME_SDK\\OnDeviceDebug\\bin\\serialproxy.exe:*:Enabled:serialproxy "
    "D:\\Development\\java\\SonyEricsson\\J2ME_SDK\\PC_Emulation\\WTK1\\bin\\emulator.exe "= "D:\\Development\\java\\SonyEricsson\\J2ME_SDK\\PC_Emulation\\WTK1\\bin\\emulator.exe:*:Enabled:emulator "
    "D:\\Development\\java\\SonyEricsson\\J2ME_SDK\\PC_Emulation\\WTK2\\bin\\emulator.exe "= "D:\\Development\\java\\SonyEricsson\\J2ME_SDK\\PC_Emulation\\WTK2\\bin\\emulator.exe:*:Enabled:emulator "
    "D:\\Development\\java\\SonyEricsson\\JavaME_SDK_CLDC\\PC_Emulation\\WTK1\\bin\\emulator.exe "= "D:\\Development\\java\\SonyEricsson\\JavaME_SDK_CLDC\\PC_Emulation\\WTK1\\bin\\emulator.exe:*:Enabled:emulator "
    "D:\\Development\\java\\SonyEricsson\\JavaME_SDK_CLDC\\PC_Emulation\\WTK2\\bin\\emulator.exe "= "D:\\Development\\java\\SonyEricsson\\JavaME_SDK_CLDC\\PC_Emulation\\WTK2\\bin\\emulator.exe:*:Enabled:emulator "
    "D:\\Development\\java\\SonyEricsson\\JavaME_SDK_CLDC\\OnDeviceDebug\\bin\\serialproxy.exe "= "D:\\Development\\java\\SonyEricsson\\JavaME_SDK_CLDC\\OnDeviceDebug\\bin\\serialproxy.exe:*:Enabled:serialproxy "
    "D:\\Development\\java\\SonyEricsson\\JavaME_SDK_CLDC\\PC_Emulation\\WTK2\\bin\\zayit.exe "= "D:\\Development\\java\\SonyEricsson\\JavaME_SDK_CLDC\\PC_Emulation\\WTK2\\bin\\zayit.exe:*:Enabled:zayit "
    "D:\\Development\\java\\jdk1.5.0_06\\jre\\bin\\java.exe "= "D:\\Development\\java\\jdk1.5.0_06\\jre\\bin\\java.exe:*:Enabled:Java(TM) 2 Platform Standard Edition binary "
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe "= "C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox "
    "E:\\Setup.exe "= "E:\\Setup.exe:*:Enabled:Setup "
    "D:\\Games\\Liero\\LieroX.exe "= "D:\\Games\\Liero\\LieroX.exe:*:Enabled:LieroX "
    "D:\\Development\\cygwin\\usr\\X11R6\\bin\\XWin.exe "= "D:\\Development\\cygwin\\usr\\X11R6\\bin\\XWin.exe:*:Enabled:XWin "
    "C:\\Program Files\\Last.fm\\LastFM.exe "= "C:\\Program Files\\Last.fm\\LastFM.exe:*:Enabled:LastFM "
    "D:\\Development\\java\\SonyEricsson\\JavaME_SDK_CLDC\\OnDeviceDebug2\\bin\\serialproxy.exe "= "D:\\Development\\java\\SonyEricsson\\JavaME_SDK_CLDC\\OnDeviceDebug2\\bin\\serialproxy.exe:*:Enabled:serialproxy "
    "C:\\Nokia\\Tools\\Nokia_Connectivity_Framework\\bin\\phoneNumberRegistry.exe "= "C:\\Nokia\\Tools\\Nokia_Connectivity_Framework\\bin\\phoneNumberRegistry.exe:*:Enabled:phoneNumberRegistry "
    "C:\\Nokia\\Tools\\Nokia_Connectivity_Framework\\bin\\rendezvous.exe "= "C:\\Nokia\\Tools\\Nokia_Connectivity_Framework\\bin\\rendezvous.exe:*:Enabled:rendezvous "
    "C:\\Nokia\\Tools\\Nokia_Connectivity_Framework\\bin\\bluetoothDispatcher.exe "= "C:\\Nokia\\Tools\\Nokia_Connectivity_Framework\\bin\\bluetoothDispatcher.exe:*:Enabled:bluetoothDispatcher "
    "C:\\Nokia\\Update_Manager\\bin\\UMClient.exe "= "C:\\Nokia\\Update_Manager\\bin\\UMClient.exe:*:Enabled:Nokia Update Manager "
    "D:\\Development\\java\\WTK25-beta\\bin\\zayit.exe "= "D:\\Development\\java\\WTK25-beta\\bin\\zayit.exe:*:Enabled:zayit "
    "C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe "= "C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe:*:Enabled:nsu_ui_client "
    "C:\\Program Files\\Common Files\\Nokia\\Service Layer\\nsl_host_process.exe "= "C:\\Program Files\\Common Files\\Nokia\\Service Layer\\nsl_host_process.exe:*:Enabled:Nokia Service Layer Host Process "
    "C:\\Nokia\\Devices\\Nokia_Prototype_SDK_4_0\\devices\\Prototype_4_0_S60_MIDP_Emulator\\bin\\emulator.exe "= "C:\\Nokia\\Devices\\Nokia_Prototype_SDK_4_0\\devices\\Prototype_4_0_S60_MIDP_Emulator\\bin\\emulator.exe:*:Enabled:emulator "
    "D:\\Development\\java\\Tools\\Carbide_j_1_5\\S60_3rd_MIDP_SDK\\bin\\epoc32\\tools\\ecmt\\ecmtgw.exe "= "D:\\Development\\java\\Tools\\Carbide_j_1_5\\S60_3rd_MIDP_SDK\\bin\\epoc32\\tools\\ecmt\\ecmtgw.exe:*:Enabled:Device Connectivity Tool for S60 SDK "
    "D:\\Games\\Neverwinter Nights 2\\nwn2main.exe "= "D:\\Games\\Neverwinter Nights 2\\nwn2main.exe:*:Enabled:Neverwinter Nights 2 Main "
    "D:\\Games\\Neverwinter Nights 2\\nwn2main_amdxp.exe "= "D:\\Games\\Neverwinter Nights 2\\nwn2main_amdxp.exe:*:Enabled:Neverwinter Nights 2 AMD "
    "D:\\Games\\Neverwinter Nights 2\\nwupdate.exe "= "D:\\Games\\Neverwinter Nights 2\\nwupdate.exe:*:Enabled:Neverwinter Nights 2 Updater "
    "D:\\Games\\Neverwinter Nights 2\\nwn2server.exe "= "D:\\Games\\Neverwinter Nights 2\\nwn2server.exe:*:Enabled:Neverwinter Nights 2 Server "
    "D:\\Games\\Company of Heroes\\RelicCOH.exe "= "D:\\Games\\Company of Heroes\\RelicCOH.exe:*:Enabled:RelicCOH "
    "C:\\Program Files\\FileZilla\\FileZilla.exe "= "C:\\Program Files\\FileZilla\\FileZilla.exe:*:Enabled:FileZilla "
    "C:\\Documents and Settings\\kalle\\Local Settings\\Temp\\CoHMultiPatch.exe "= "C:\\Documents and Settings\\kalle\\Local Settings\\Temp\\CoHMultiPatch.exe:*:Enabled:TODO: <File description> "
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "= "%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 "
    "D:\\Development\\java\\WTK25-beta\\bin\\mekeytool.exe "= "D:\\Development\\java\\WTK25-beta\\bin\\mekeytool.exe:*:Enabled:mekeytool "
    "C:\\WINDOWS\\explorer.exe "= "C:\\WINDOWS\\explorer.exe:*:Enabled:Windows Explorer "
    "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE "= "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer "
    "C:\\Program Files\\Attensa\\AttensaEngine.exe "= "C:\\Program Files\\Attensa\\AttensaEngine.exe:*:Enabled:AttensaEngine "
    "C:\\Program Files\\Skype\\Phone\\Skype.exe "= "C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype "


    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "= "%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 "
    "C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe "= "C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager "
    "C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe "= "C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager "
    "C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe "= "C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application "
    "C:\\Program Files\\confero\\bin\\invito.exe "= "C:\\Program Files\\confero\\bin\\invito.exe:*:Enabled:invito "
    "C:\\Program Files\\Miranda IM\\miranda32.exe "= "C:\\Program Files\\Miranda IM\\miranda32.exe:*:Enabled:Miranda IM "
    "C:\\Program Files\\FlashFXP\\flashfxp.exe "= "C:\\Program Files\\FlashFXP\\FlashFXP.exe:*:Enabled:FlashFXP v3 "
    "C:\\Program Files\\UltraVNC\\winvnc.exe "= "C:\\Program Files\\UltraVNC\\winvnc.exe:*:Enabled:VNC server for Win32 "
    "D:\\Development\\java\\SonyEricsson\\JavaME_SDK_CLDC\\OnDeviceDebug\\bin\\serialproxy.exe "= "D:\\Development\\java\\SonyEricsson\\JavaME_SDK_CLDC\\OnDeviceDebug\\bin\\serialproxy.exe:*:Enabled:serialproxy "
    "C:\\WINDOWS\\system32\\java.exe "= "C:\\WINDOWS\\system32\\java.exe:*:Enabled:Java(TM) 2 Platform Standard Edition binary "
    "C:\\Program Files\\iTunes\\iTunes.exe "= "C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes "
    "C:\\Program Files\\Last.fm\\LastFM.exe "= "C:\\Program Files\\Last.fm\\LastFM.exe:*:Enabled:LastFM "
    "D:\\Development\\cygwin\\usr\\X11R6\\bin\\XWin.exe "= "D:\\Development\\cygwin\\usr\\X11R6\\bin\\XWin.exe:*:Enabled:XWin "
    "D:\\Development\\java\\SonyEricsson\\JavaME_SDK_CLDC\\OnDeviceDebug2\\bin\\serialproxy.exe "= "D:\\Development\\java\\SonyEricsson\\JavaME_SDK_CLDC\\OnDeviceDebug2\\bin\\serialproxy.exe:*:Enabled:serialproxy "
    "D:\\Development\\java\\jdk1.5.0_06\\bin\\java.exe "= "D:\\Development\\java\\jdk1.5.0_06\\bin\\java.exe:*:Enabled:Java(TM) 2 Platform Standard Edition binary "
    "C:\\WINDOWS\\system32\\javaw.exe "= "C:\\WINDOWS\\system32\\javaw.exe:*:Enabled:Java(TM) 2 Platform Standard Edition binary "
    "D:\\Development\\java\\jdk1.5.0_06\\bin\\javaw.exe "= "D:\\Development\\java\\jdk1.5.0_06\\bin\\javaw.exe:*:Enabled:Java(TM) 2 Platform Standard Edition binary "
    "C:\\Nokia\\Tools\\Nokia_Connectivity_Framework\\bin\\bluetoothDispatcher.exe "= "C:\\Nokia\\Tools\\Nokia_Connectivity_Framework\\bin\\bluetoothDispatcher.exe:*:Enabled:bluetoothDispatcher "
    "C:\\Nokia\\Tools\\Nokia_Connectivity_Framework\\bin\\phoneNumberRegistry.exe "= "C:\\Nokia\\Tools\\Nokia_Connectivity_Framework\\bin\\phoneNumberRegistry.exe:*:Enabled:phoneNumberRegistry "
    "C:\\Nokia\\Tools\\Nokia_Connectivity_Framework\\bin\\rendezvous.exe "= "C:\\Nokia\\Tools\\Nokia_Connectivity_Framework\\bin\\rendezvous.exe:*:Enabled:rendezvous "
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "= "%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 "
    "C:\\Program Files\\Skype\\Phone\\Skype.exe "= "C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype "


    Remaining Files:
    ---------------

    Backups Folder: - C:\SDFix\backups\backups.zip


    Checking For Files with Hidden Attributes :

    C:\mfc70.dll
    C:\mfc70u.dll
    C:\msvcp70.dll
    C:\msvcr70.dll
    C:\WINDOWS\system32\NTIBUN4.dll
    C:\WINDOWS\system32\NTICDMK7.dll
    C:\WINDOWS\system32\NTIFCD3.dll
    C:\WINDOWS\system32\NTIMP3.dll
    C:\WINDOWS\system32\NTIMPEG2.dll
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Picasa2\setup.exe
    C:\hiberfil.sys
    C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp
    C:\Documents and Settings\root\Local Settings\Temp\ZTR101.tmp
    C:\Documents and Settings\root\Local Settings\Temp\ZTR103.tmp
    C:\Documents and Settings\root\Local Settings\Temp\ZTR105.tmp
    C:\Documents and Settings\root\Local Settings\Temp\ZTR107.tmp
    C:\Documents and Settings\root\Local Settings\Temp\ZTR109.tmp
    C:\Documents and Settings\root\Local Settings\Temp\ZTRE2.tmp
    C:\Documents and Settings\root\Local Settings\Temp\ZTRE4.tmp
    C:\Documents and Settings\root\Local Settings\Temp\ZTRE6.tmp
    C:\Documents and Settings\root\Local Settings\Temp\ZTRE8.tmp
    C:\Documents and Settings\root\Local Settings\Temp\ZTREA.tmp
    C:\Documents and Settings\root\Local Settings\Temp\ZTREC.tmp
    C:\Documents and Settings\root\Local Settings\Temp\ZTREE.tmp
    C:\Documents and Settings\root\Local Settings\Temp\ZTRF0.tmp
    C:\Documents and Settings\root\Local Settings\Temp\ZTRF2.tmp
    C:\Documents and Settings\root\Local Settings\Temp\ZTRF4.tmp
    C:\Documents and Settings\root\Local Settings\Temp\ZTRF6.tmp
    C:\Documents and Settings\root\Local Settings\Temp\ZTRF8.tmp
    C:\Documents and Settings\root\Local Settings\Temp\ZTRFA.tmp
    C:\Documents and Settings\root\Local Settings\Temp\ZTRFF.tmp
    C:\Documents and Settings\root\Local Settings\Temp\ZTS100.tmp
    C:\Documents and Settings\root\Local Settings\Temp\ZTS102.tmp
    C:\Documents and Settings\root\Local Settings\Temp\ZTS104.tmp
    C:\Documents and Settings\root\Local Settings\Temp\ZTS106.tmp
    C:\Documents and Settings\root\Local Settings\Temp\ZTS108.tmp
    C:\Documents and Settings\root\Local Settings\Temp\ZTS10A.tmp
    C:\Documents and Settings\root\Local Settings\Temp\ZTSE3.tmp
    C:\Documents and Settings\root\Local Settings\Temp\ZTSE5.tmp
    C:\Documents and Settings\root\Local Settings\Temp\ZTSE7.tmp
    C:\Documents and Settings\root\Local Settings\Temp\ZTSE9.tmp
    C:\Documents and Settings\root\Local Settings\Temp\ZTSEB.tmp
    C:\Documents and Settings\root\Local Settings\Temp\ZTSED.tmp
    C:\Documents and Settings\root\Local Settings\Temp\ZTSEF.tmp
    C:\Documents and Settings\root\Local Settings\Temp\ZTSF1.tmp
    C:\Documents and Settings\root\Local Settings\Temp\ZTSF3.tmp
    C:\Documents and Settings\root\Local Settings\Temp\ZTSF5.tmp
    C:\Documents and Settings\root\Local Settings\Temp\ZTSF7.tmp
    C:\Documents and Settings\root\Local Settings\Temp\ZTSF9.tmp
    C:\Documents and Settings\root\Local Settings\Temp\ZTSFB.tmp
    C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\0c096b9a042a9952f5fab6ff1bd528f3\BIT5.tmp

    Finished




    HijackThis log:
    Logfile of HijackThis v1.99.1
    Scan saved at 16:45, on 07-01-31
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Acer\eManager\anbmServ.exe
    c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
    C:\Program Files\Dantz\Client\Remotsvc.exe
    C:\Program Files\Dantz\Client\retroclient.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\acer\epm\epm-dm.exe
    C:\PROGRA~1\LAUNCH~1\LManager.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
    C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\MI3AA1~1\wcescomm.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
    C:\Program Files\Dexpot\dexpot.exe
    C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
    C:\Program Files\Logitech\Video\FxSvr2.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Attensa\AttensaEngine.exe
    C:\Program Files\Common Files\PCSuite\Services\NclBTHandler.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
    C:\Program Files\3M\PSNLite\PsnLite.exe
    C:\Program Files\confero\bin\invito.exe
    C:\Program Files\Juice\Juice.exe
    C:\Program Files\Clickatell Messenger-PRO 3\MessengerPRO.exe
    C:\Program Files\Miranda IM\miranda32.exe
    C:\WINDOWS\system32\cmd.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\PROGRA~1\3M\PSNLite\PSNGive.exe
    C:\WINDOWS\system32\javaw.exe
    C:\Nokia\Update_Manager\bin\UMScheduler.exe
    C:\Program Files\Attensa\Analytics.exe
    C:\Program Files\Attensa\AttensaNotifier.exe
    C:\Program Files\Common Files\Teleca Shared\Generic.exe
    C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\epmworker.exe
    C:\Nokia\Tools\Nokia_Connectivity_Framework\bin\rendezvous.exe
    C:\Nokia\Tools\Nokia_Connectivity_Framework\bin\phoneNumberRegistry.exe
    C:\Nokia\Tools\Nokia_Connectivity_Framework\bin\bluetoothDispatcher.exe
    C:\HJT\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: PluginBHO Class - {6C1178CD-2276-45FE-ACC1-02CDD2481F9D} - C:\Program Files\Attensa\AttensaIEPlugin.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
    O3 - Toolbar: Attensa for IE - {458E6614-0D24-415A-824A-130064AF7BF8} - C:\Program Files\Attensa\AttensaIEPlugin.dll
    O4 - HKLM\..\Run: [LaunchApp] Alaunch
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
    O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
    O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
    O4 - HKLM\..\Run: [eRecoveryService] C:\Program Files\Acer\eRecovery\Monitor.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
    O4 - HKLM\..\Run: [VaCtrl] C:\Program Files\VoiceAge\Common\VaCtrl.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
    O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [Dexpot 1.4] C:\Program Files\Dexpot\dexpot.exe
    O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
    O4 - Startup: invito.lnk = C:\Program Files\confero\bin\invito.exe
    O4 - Startup: Juice.lnk = C:\Program Files\Juice\Juice.exe
    O4 - Startup: Messenger-PRO 3.lnk = C:\Program Files\Clickatell Messenger-PRO 3\MessengerPRO.exe
    O4 - Startup: Miranda IM.lnk = C:\Program Files\Miranda IM\miranda32.exe
    O4 - Startup: Nokia Connectivity Framework Lite.lnk = C:\Nokia\Tools\Nokia_Connectivity_Framework\bin\NCFStart.exe
    O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Startup: UMScheduler 2.0.lnk = C:\Nokia\Update_Manager\bin\UMScheduler.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Attensa.lnk = C:\Program Files\Attensa\AttensaEngine.exe
    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Rea&d in intraVnews - C:\Program Files\intraVnews\ie.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
    O23 - Service: Retrospect Client - Dantz Development Corporation - C:\Program Files\Dantz\Client\Remotsvc.exe
    O23 - Service: Retrospect Helper - EMC Corporation - C:\Program Files\Dantz\Client\rthlpsvc.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - D:\Development\web\Tomcat 5.5\bin\tomcat5.exe" //RS//Tomcat5 (file missing)
    O23 - Service: wampapache - Unknown owner - d:\wamp\Apache2\bin\Apache.exe" -k runservice (file missing)
    O23 - Service: wampmysqld - Unknown owner - d:\wamp\mysql\bin\mysqld-nt.exe
    O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)
    O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

    I'll run the GMER now.... brb
     
  5. 2007/01/31
    kalle
    GMER report:

    GMER 1.0.12.12011 - http://www.gmer.net
    Rootkit scan 2007-01-31 16:59:36
    Windows 5.1.2600 Service Pack 2


    ---- System - GMER 1.0.12 ----

    SSDT E2367628 ZwConnectPort

    ---- EOF - GMER 1.0.12 ----
     
  6. 2007/01/31
    TeMerc
    Ok, looks like SDFix did a bunch of stuff.

    We need you to check a file tho, for its validity.

    C:\WINDOWS\system32\cmd.exe<<<this one

    Please go to Jotti Online File Scanner
    At the top of the Jotti page, there is a blank box, with a 'browse' button next to it.
    • You need to click the browse button and then a 'Choose File' box will pop up.
    • Now depending on where you have last used this box, it may be at some different section on the drive, so let's select the 'My Computer' icon on the left side of that 'Choose File' box.
    • Then double-click the 'C' drive, and new files and folders will appear
    • Then go to the windows folder and double-click that folder, you will then be presented with all the files and folders contained within the Windows folder.
    • Then look for that file in the windows folder, and double-click it.
    This should shut down the 'Choose File' box and you should see the file path to that file, tho some of it will be obscured due to the limitations of the box. You then wait until the 'submit' button is bolded or the 'Status:' is 'Ready for scan', and hit the submit button. It will tell you the file is uploading and then spit out the results.

    Post the scan results back here for me, thanks.
     
  7. 2007/02/01
    kalle
    You meant I should browse into system32 as well I guess, wasn't in the instructions but cmd.exe is in that folder...

    Scan done, turned up nothing, seems my machine is clear?

    File: cmd.exe
    Status:
    OK(Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
    MD5 eeb024f2c81f0d55936fb825d21a91d6
    Packers detected:
    -
    Scanner results
    Scan taken on 01 Feb 2007 08:31:28 (GMT)
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    Fortinet Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing

    If that's all, THANKS A LOT!

    /Kalle
     
  8. 2007/02/01
    TeMerc
    OK, let's get a fresh HJT log please. Also advise of any suspicious activity or unwanted symptoms on the system.
     
  9. 2007/02/02
    kalle
    I have not seen any peculiarities with the machine since the cleaning, but here is a fresh HJT log as asked. And once more, thanks a lot!

    Logfile of HijackThis v1.99.1
    Scan saved at 09:27, on 07-02-02
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Acer\eManager\anbmServ.exe
    c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
    C:\Program Files\Dantz\Client\Remotsvc.exe
    C:\Program Files\Dantz\Client\retroclient.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\acer\epm\epm-dm.exe
    C:\PROGRA~1\LAUNCH~1\LManager.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
    C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\MI3AA1~1\wcescomm.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
    C:\Program Files\Dexpot\dexpot.exe
    C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
    C:\Program Files\Logitech\Video\FxSvr2.exe
    C:\Program Files\Attensa\AttensaEngine.exe
    C:\Program Files\Common Files\PCSuite\Services\NclBTHandler.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
    C:\Program Files\3M\PSNLite\PsnLite.exe
    C:\Program Files\confero\bin\invito.exe
    C:\Program Files\Juice\Juice.exe
    C:\Program Files\Clickatell Messenger-PRO 3\MessengerPRO.exe
    C:\Program Files\Miranda IM\miranda32.exe
    C:\WINDOWS\system32\cmd.exe
    C:\PROGRA~1\3M\PSNLite\PSNGive.exe
    C:\WINDOWS\system32\javaw.exe
    C:\Nokia\Update_Manager\bin\UMScheduler.exe
    C:\Program Files\Attensa\Analytics.exe
    C:\Program Files\Attensa\AttensaNotifier.exe
    C:\Program Files\Common Files\Teleca Shared\Generic.exe
    C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\epmworker.exe
    C:\Nokia\Tools\Nokia_Connectivity_Framework\bin\phoneNumberRegistry.exe
    C:\Nokia\Tools\Nokia_Connectivity_Framework\bin\bluetoothDispatcher.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\PROGRA~1\MOZILL~2\THUNDE~1.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Last.fm\LastFM.exe
    C:\WINDOWS\system32\cmd.exe
    D:\Development\cygwin\bin\bash.exe
    C:\WINDOWS\system32\cmd.exe
    D:\Development\cygwin\bin\bash.exe
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    c:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\HJT\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: PluginBHO Class - {6C1178CD-2276-45FE-ACC1-02CDD2481F9D} - C:\Program Files\Attensa\AttensaIEPlugin.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
    O3 - Toolbar: Attensa for IE - {458E6614-0D24-415A-824A-130064AF7BF8} - C:\Program Files\Attensa\AttensaIEPlugin.dll
    O4 - HKLM\..\Run: [LaunchApp] Alaunch
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
    O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
    O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
    O4 - HKLM\..\Run: [eRecoveryService] C:\Program Files\Acer\eRecovery\Monitor.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
    O4 - HKLM\..\Run: [VaCtrl] C:\Program Files\VoiceAge\Common\VaCtrl.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
    O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [Dexpot 1.4] C:\Program Files\Dexpot\dexpot.exe
    O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
    O4 - Startup: invito.lnk = C:\Program Files\confero\bin\invito.exe
    O4 - Startup: Juice.lnk = C:\Program Files\Juice\Juice.exe
    O4 - Startup: Messenger-PRO 3.lnk = C:\Program Files\Clickatell Messenger-PRO 3\MessengerPRO.exe
    O4 - Startup: Miranda IM.lnk = C:\Program Files\Miranda IM\miranda32.exe
    O4 - Startup: Nokia Connectivity Framework Lite.lnk = C:\Nokia\Tools\Nokia_Connectivity_Framework\bin\NCFStart.exe
    O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Startup: UMScheduler 2.0.lnk = C:\Nokia\Update_Manager\bin\UMScheduler.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Attensa.lnk = C:\Program Files\Attensa\AttensaEngine.exe
    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Rea&d in intraVnews - C:\Program Files\intraVnews\ie.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O17 - HKLM\System\CCS\Services\Tcpip\..\{255E8E23-7645-475D-B56E-F366B521B54C}: NameServer = 193.10.66.195 193.10.66.43
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
    O23 - Service: Retrospect Client - Dantz Development Corporation - C:\Program Files\Dantz\Client\Remotsvc.exe
    O23 - Service: Retrospect Helper - EMC Corporation - C:\Program Files\Dantz\Client\rthlpsvc.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - D:\Development\web\Tomcat 5.5\bin\tomcat5.exe" //RS//Tomcat5 (file missing)
    O23 - Service: wampapache - Unknown owner - d:\wamp\Apache2\bin\Apache.exe" -k runservice (file missing)
    O23 - Service: wampmysqld - Unknown owner - d:\wamp\mysql\bin\mysqld-nt.exe
    O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)
    O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
     
  10. 2007/02/02
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Ok, things look ok.

    But I do have one question, did you by chance have 3 command prompts running when you made the log? I see 3 instances of it, and this is not normal.

    It could be a sign there is something hiding.
     
  11. 2007/02/03
    kalle

    kalle Inactive Thread Starter

    Joined:
    2007/01/31
    Messages:
    7
    Likes Received:
    0
    I had two, I use cygwin a lot, and as you can see in the log, there are also, after those two, the bash.exe from cygwin. Though the third cmd.exe I can't say where it comes from... Just checked my Processes tab in the Task Manager and I have one now without any command prompts open... any tips what could be hiding there, if anything?
     
  12. 2007/02/03
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Yeah, I'd like to see what the heck that is.

    Let's download Process Explorer.

    Install as prompted then open it up.

    From the toolbar, select 'View', then select 'Select columns', in the 'Process Image' tab, tick the 'command line' box and close the window. You may have to adjust the sizes of each column, but get them set to where you can see the 'command line' column and see what that cmd.exe is running.
     
  13. 2007/02/05
    kalle

    kalle Inactive Thread Starter

    Joined:
    2007/01/31
    Messages:
    7
    Likes Received:
    0
    Just found out what it is, nothing strange. It's the Nokia Connectivity Framework that gets started at startup.

    cmd /c C:\Nokia\Tools\Nokia_Connectivity_Framework\bin\StartNCF.cmd

    It launches some tools for downloading their latest patches and also to connect to their phones. Puuh, seems that all got cleared out then?
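    The check TeMerc describes above (reading the command line of each cmd.exe to see what launched it) can be scripted instead of done by hand in Process Explorer. This is an added example, not code from the thread or from any of the tools mentioned; it uses WMI/CIM process data, which is also what Process Explorer's 'Command Line' column shows, and its script-path regex is an assumption about how autostart entries such as kalle's StartNCF.cmd typically appear.

```powershell
# Added example: list every instance of a process image (cmd.exe by default)
# with its full command line, its parent process, and the .cmd/.bat script it
# was asked to run, so a stray console can be traced to its autostart entry.
function Get-CmdInstances {
    param(
        # Image name to inspect; cmd.exe is the one questioned in the thread.
        [string]$ImageName = 'cmd.exe'
    )
    $all = Get-CimInstance -ClassName Win32_Process
    # Index by PID so each instance can be joined to its parent quickly.
    $byPid = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($p in ($all | Where-Object { $_.Name -ieq $ImageName })) {
        $parent = $byPid[[int]$p.ParentProcessId]
        $cmd    = $p.CommandLine
        # Assumption: a cmd.exe started by an autostart entry usually looks like
        # "cmd /c <path>\something.cmd"; extract that script path when present.
        $script = $null
        if ($cmd -match '(?i)/c\s+"?([^"]+?\.(cmd|bat))"?') { $script = $Matches[1] }
        [pscustomobject]@{
            Pid          = $p.ProcessId
            ParentPid    = $p.ParentProcessId
            Parent       = if ($parent) { $parent.Name } else { '<exited>' }
            CommandLine  = $cmd
            Script       = $script
            # A script that no longer exists on disk is worth a closer look.
            ScriptExists = if ($script) { Test-Path -LiteralPath $script } else { $null }
        }
    }
}

# Run from an elevated prompt so every process's command line is readable.
Get-CmdInstances | Format-Table -AutoSize -Wrap
```

A cmd.exe whose parent is a Run-key launcher, whose command line points at a script under a known vendor folder, and whose script exists matches kalle's benign finding; a console with no readable command line or a script path that is missing is the case TeMerc was worried about.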
     
  14. 2007/02/05
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Yup, looks like it was nothing, though I'd not allow that to be calling out and block it with my firewall. No need really for it to be starting.

    Now a few final items to finish up and our recommendations for secure surfing.

    We have 3 more things to do, mostly maintenance and then our recommendations:

    Empty the TIF (Temporary Internet Files)
    Delete all the files in (and any subfolders of) the C:\Windows\Temp folder
    The app below will help with temp files.
    Index.dat Suite

    Also, delete all your cookies, and empty your recycle bin. But remember, by deleting your cookies, you will have to re-enter any passwords and log-in info for any sites you are usually required to do so with.

    This would also be a good time to set a new system restore point for your machine.
    Set New System Restore Point. Do not do this unless there are no other user accounts to be diagnosed.

    Also, as you are an XP user, if there are any other accounts on this machine, they too, must be cleaned with AdAware, Spybot S&D, then HJT. Not all infections are global, nor are all the HJT fixes global. You can post each user account here into this thread, but please, do only one at a time to avoid confusion. It is very rare that anything significant is ever found.

    Here is a link which describes how security apps work with WIN XP machines.
    XP User Accts Security Apps Operation

    To further prevent the installation of ad/mal/spyware, DL the apps below, which are just as good in the fight against ad/mal/spyware as AdAware & Spybot S&D:

    SpywareBlaster
    With SpywareBlaster v3.5.1, just DL, install and check for updates, enable Internet Explorer protection, and you're done! I don't recommend using IE restricted sites protection as it's not a very large database. Use IE-SPYADs below.

    To keep known malware-infested sites from loading in IE, install IE-SPYADs.
    And MVPS Hosts File will accomplish a similar tactic and provide another layer of protection.

    And to prevent unknown applications from being inserted to start up on your machine install WinPatrol v10.0.5.

    Another thing I would suggest, is to install SiteAdvisor. It gives sites a few different 'ratings' and while not fool proof, a good additional layer of information about many sites.

    Links for tutorials for all the apps I mentioned can be found on my site as well.

    Confused about which apps are good or not? Read about Rogue/Approved Anti Security apps

    And just because you have security apps installed, they are useless unless updated regularly. Keep track of updates for ALL your security needs here:
    Calendar of Updates

    Subscribe to update alerts for all the above security apps here.

    You can also see my own ongoing security testing with all the above apps, proving how safely you can surf with them installed.
    TeMerc Test Box Forum

    Happy surfing!!
    Tom :D
     
