
Internet Redirection

Discussion in 'Malware and Virus Removal Archive' started by SteyrTMP, 2008/09/11.

  1. 2008/09/11
    SteyrTMP

    SteyrTMP Inactive Thread Starter

    Joined:
    2008/09/10
    Messages:
    5
    Likes Received:
    0
    I've seen several posts about Google re-directing, but this seems to be slightly deeper than that.

    While surfing, I'll have no problems, and then, suddenly I'll end up with a redirect randomly on sites I regularly post or visit. It is not always the same ones; if I reboot, it will go away for a while. I've tried Norton Antivirus, Windows Live security scan, MBAM, Spybot Search&Destroy. None seem to be able to recognize it.

    I'm guessing it's the two unnamed O2 BHOs, but I think I tried to fix them before to no avail.

    Here's my HijackThis log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:49:31 PM, on 9/11/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
    C:\Program Files\MySpace\IM\MySpaceIM.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
    C:\PROGRA~1\MICROS~2\rapimgr.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\MySpace\IM\MySpaceIM.exe
    C:\Program Files\Java\jre1.6.0_06\bin\jucheck.exe
    C:\Program Files\Juno\bin\juno.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O2 - BHO: (no name) - {8B7F88A9-CFC2-424D-A66C-43213A5CF08C} - (no file)
    O2 - BHO: (no name) - {EE1EA1BB-0FD8-4353-AA1E-8BA9964DA3E2} - (no file)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
    O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O4 - HKLM\..\Run: [Start WingMan Profiler] C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
    O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
    O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
    O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1212897651890
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1218354475093
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=21871
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2D6717EF-C4E2-48C1-985C-1FCD68474F32}: NameServer = 166.102.165.13,166.102.165.11
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

    --
    End of file - 6948 bytes
     
  2. 2008/09/13
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS SteyrTMP :)

    Those 2 BHOs do indeed need to be removed with HijackThis. Whilst fixing them, make sure you close all open browser windows. When done, we'll need to see a log file from another tool.

    • Download RSIT by random/random and save it to your desktop.
    • Double click RSIT.exe to start the tool and click Continue at the disclaimer.
    • When the scan completes it will open a log named log.txt maximized, and a log named info.txt minimized.
    • Please post the contents of log.txt here in your next reply.
     

  4. 2008/09/13
    SteyrTMP

    SteyrTMP Inactive Thread Starter

    Joined:
    2008/09/10
    Messages:
    5
    Likes Received:
    0
    Ok, did that.

    Logfile of random's system information tool (written by random/random)
    Run by Owner at 2008-09-13 02:24:52
    Microsoft Windows XP Home Edition Service Pack 2
    System drive C: has 500 GB (70%) free of 715 GB
    Total RAM: 2047 MB (75% free)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:24:53 AM, on 9/13/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
    C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Documents and Settings\Owner\Desktop\RSIT.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\Trend Micro\HijackThis\Owner.exe

    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
    O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O4 - HKLM\..\Run: [Start WingMan Profiler] C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
    O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
    O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
    O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1212897651890
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1218354475093
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=21871
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2D6717EF-C4E2-48C1-985C-1FCD68474F32}: NameServer = 166.102.165.13,166.102.165.11
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

    --
    End of file - 6245 bytes

    Registry dump

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}]
    BitComet Helper - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll [2008-02-29 468280]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
    Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-07-07 1562448]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    SSVHelper Class - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll [2008-03-25 509328]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2008-05-02 13529088]
    "nwiz"=C:\WINDOWS\system32\nwiz.exe [2008-05-02 1630208]
    "NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2008-05-02 86016]
    "RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2008-05-28 16862720]
    "Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2005-05-03 69632]
    "vptray"=C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe [2003-12-17 90112]
    "amd_dc_opt"=C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe [2006-11-17 77824]
    "PWRISOVM.EXE"=C:\Program Files\PowerISO\PWRISOVM.EXE [2007-04-09 200704]
    "SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe [2008-03-25 144784]
    "Start WingMan Profiler"=C:\Program Files\Logitech\Gaming Software\LWEMon.exe [2008-04-04 88584]
    "RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2004-11-02 32768]
    "Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
    "AdaptecDirectCD"=C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe [2008-06-25 684032]
    "QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-05-27 413696]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "H/PC Connection Agent"=C:\Program Files\Microsoft ActiveSync\Wcescomm.exe [2006-11-13 1289000]
    "MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe [2008-04-17 9117696]
    "Aim6"=C:\Program Files\AIM6\aim6.exe [2008-06-06 50528]
    "DAEMON Tools Pro Agent"=C:\Program Files\DAEMON Tools Pro\DTProAgent.exe [2007-09-06 136136]
    "SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-08-18 1832272]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
    C:\WINDOWS\system32\NavLogon.dll [2003-12-17 45056]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "authentication packages"=msv1_0
    C:\WINDOWS\system32\tuvTjHxv

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername"=0
    "legalnoticecaption"=
    "legalnoticetext"=
    "shutdownwithoutlogon"=1
    "undockwithoutlogon"=1

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\games\Gas Powered Games\Supreme Commander - Forged Alliance\bin\ForgedAlliance.exe"="C:\games\Gas Powered Games\Supreme Commander - Forged Alliance\bin\ForgedAlliance.exe:*:Enabled:Supreme Commander - Forged Alliance"
    "C:\games\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe"="C:\games\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe:*:Enabled:GPGNet - Supreme Commander - Forged Alliance"
    "C:\Program Files\Juno\bin\juno.exe"="C:\Program Files\Juno\bin\juno.exe:*:Enabled:Juno"
    "C:\Program Files\Microsoft ActiveSync\rapimgr.exe"="C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
    "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
    "C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"="C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
    "C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
    "C:\Program Files\AIM6\aim6.exe"="C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM"
    "C:\Games\Mass Effect\Binaries\MassEffect.exe"="C:\Games\Mass Effect\Binaries\MassEffect.exe:*:Enabled:Mass Effect Game"
    "C:\Games\Mass Effect\MassEffectLauncher.exe"="C:\Games\Mass Effect\MassEffectLauncher.exe:*:Enabled:Mass Effect Launcher"
    "C:\Downloads\Daemon.Tools.Advanced.4.10.0218_FIXED-SupremoZX\setup\DTPro4100218Advanced.exe"="C:\Downloads\Daemon.Tools.Advanced.4.10.0218_FIXED-SupremoZX\setup\DTPro4100218Advanced.exe:*:Enabled:Windows Application Service"
    "C:\Program Files\MySpace\IM\MySpaceIM.exe"="C:\Program Files\MySpace\IM\MySpaceIM.exe:*:Enabled:MySpaceIM"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\Program Files\Microsoft ActiveSync\rapimgr.exe"="C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
    "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
    "C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"="C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
    shell\AutoRun\command - G:\LaunchU3.exe -a


    File associations

    .reg - open - regedit.exe "%1" %*
    .scr - open - "%1" %*

    List of files/folders created in the last three months

    2008-10-09 18:49:27 ----D---- C:\Program Files\Spybot - Search & Destroy
    2008-10-09 18:04:49 ----D---- C:\Program Files\Trend Micro
    2008-09-13 02:17:08 ----D---- C:\rsit
    2008-09-06 07:00:14 ----D---- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
    2008-09-02 20:56:32 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-30 07:31:42 ----A---- C:\WINDOWS\system32\devil.dll
    2008-08-30 07:31:41 ----A---- C:\WINDOWS\system32\yv12vfw.dll
    2008-08-30 07:31:41 ----A---- C:\WINDOWS\system32\i420vfw.dll
    2008-08-30 07:31:41 ----A---- C:\WINDOWS\system32\AVSredirect.dll
    2008-08-30 07:31:41 ----A---- C:\WINDOWS\system32\avisynth.dll
    2008-08-30 07:31:41 ----A---- C:\WINDOWS\MOTA113.exe
    2008-08-30 07:31:40 ----A---- C:\WINDOWS\x2.64.exe
    2008-08-30 07:31:40 ----A---- C:\WINDOWS\system32\x.264.exe
    2008-08-30 07:31:39 ----A---- C:\WINDOWS\meta4.exe
    2008-08-30 07:15:34 ----D---- C:\Program Files\Common Files\SWF Studio
    2008-08-30 07:15:31 ----D---- C:\Program Files\Riva
    2008-08-28 18:31:52 ----D---- C:\My Music
    2008-08-27 11:27:40 ----D---- C:\Documents and Settings\Owner\Application Data\U3
    2008-08-13 09:10:00 ----D---- C:\Documents and Settings\Owner\Application Data\Malwarebytes
    2008-08-13 09:09:57 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-12 10:43:08 ----D---- C:\Documents and Settings\Owner\Application Data\sldIM
    2008-08-10 07:17:50 ----A---- C:\WINDOWS\system32\cfb18698-.txt
    2008-08-10 07:17:37 ----ASH---- C:\WINDOWS\system32\vxHjTvut.ini2
    2008-08-10 07:17:37 ----ASH---- C:\WINDOWS\system32\vxHjTvut.ini
    2008-08-10 07:13:00 ----D---- C:\Program Files\DAEMON Tools Pro
    2008-08-10 06:42:11 ----D---- C:\Documents and Settings\Owner\Application Data\DAEMON Tools Pro
    2008-08-10 06:11:50 ----D---- C:\Program Files\UltraISO
    2008-08-10 06:11:50 ----D---- C:\Program Files\Common Files\EZB Systems
    2008-08-10 05:35:31 ----D---- C:\Documents and Settings\Owner\Application Data\DAEMON Tools
    2008-07-27 17:28:23 ----A---- C:\ASLog.txt
    2008-07-14 18:44:00 ----A---- C:\WINDOWS\cdplayer.ini
    2008-07-14 18:31:49 ----D---- C:\audiograbber
    2008-07-08 09:10:19 ----A---- C:\WINDOWS\system32\unrar.dll
    2008-07-08 09:10:18 ----D---- C:\Program Files\K-Lite Codec Pack
    2008-07-08 09:10:18 ----A---- C:\WINDOWS\system32\msvcr71.dll
    2008-07-08 07:57:31 ----D---- C:\Documents and Settings\Owner\Application Data\DivX
    2008-07-07 16:23:56 ----D---- C:\Documents and Settings\Owner\Application Data\DassaultSystemes
    2008-07-07 16:23:56 ----D---- C:\Documents and Settings\All Users\Application Data\DassaultSystemes
    2008-07-05 10:53:53 ----D---- C:\Documents and Settings\Owner\Application Data\Apple Computer
    2008-07-05 10:51:21 ----D---- C:\Program Files\QuickTime
    2008-07-05 10:51:21 ----D---- C:\Documents and Settings\All Users\Application Data\Apple Computer
    2008-07-05 10:51:14 ----D---- C:\Program Files\Apple Software Update
    2008-07-05 10:51:14 ----D---- C:\Documents and Settings\All Users\Application Data\Apple
    2008-06-25 15:28:08 ----D---- C:\Documents and Settings\Owner\Application Data\Roxio
    2008-06-25 15:02:16 ----A---- C:\Documents and Settings\Owner\Application Data\tsdnwin.dll
    2008-06-25 13:04:54 ----A---- C:\WINDOWS\system32\CDDBUIRoxio.dll
    2008-06-25 13:04:54 ----A---- C:\WINDOWS\system32\CDDBControlRoxio.dll
    2008-06-25 13:03:57 ----A---- C:\Documents and Settings\All Users\Application Data\DirectCDUserName.txt
    2008-06-25 12:57:09 ----A---- C:\WINDOWS\uneng.exe
    2008-06-25 12:56:48 ----D---- C:\Program Files\Common Files\Adaptec Shared
    2008-06-25 12:56:48 ----D---- C:\Program Files\Adaptec
    2008-06-25 07:43:44 ----D---- C:\Documents and Settings\Owner\Application Data\SolidWorksNewsReader
    2008-06-25 07:42:55 ----D---- C:\Documents and Settings\Owner\Application Data\SolidWorks
    2008-06-25 07:40:56 ----D---- C:\Documents and Settings\Owner\Application Data\DWGeditor
    2008-06-25 07:40:33 ----D---- C:\Program Files\DWGeditor
    2008-06-25 07:40:15 ----D---- C:\Program Files\SolidWorks Installation Manager
    2008-06-25 07:40:05 ----A---- C:\WINDOWS\eDrawingOfficeAutomator.INI
    2008-06-25 07:37:14 ----D---- C:\Program Files\Common Files\Designer
    2008-06-25 07:37:13 ----D---- C:\Program Files\Common Files\eDrawings2007
    2008-06-25 07:37:08 ----D---- C:\Program Files\Microsoft Office
    2008-06-25 07:35:21 ----D---- C:\WINDOWS\system32\GroupPolicy
    2008-06-25 07:34:05 ----D---- C:\Program Files\Common Files\SolidWorks Shared
    2008-06-25 07:33:51 ----D---- C:\Program Files\SolidWorks
    2008-06-25 07:33:51 ----D---- C:\Program Files\Common Files\Solidworks Data
    2008-06-22 15:05:08 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
    2008-06-22 15:05:01 ----D---- C:\Program Files\Common Files\Adobe
    2008-06-22 15:05:01 ----D---- C:\Program Files\Adobe
    2008-06-17 10:51:55 ----A---- C:\WINDOWS\system32\wmpns.dll
    2008-06-16 07:22:26 ----D---- C:\WINDOWS\SxsCaPendDel
    2008-06-16 07:21:42 ----D---- C:\Program Files\Common Files\BioWare
    2008-06-15 04:37:35 ----D---- C:\Documents and Settings\Owner\Application Data\Help
    2008-06-15 00:28:46 ----D---- C:\Program Files\LView Pro 20
    2008-06-14 01:10:09 ----D---- C:\Documents and Settings\Owner\Application Data\CyberLink
    2008-06-14 01:08:51 ----D---- C:\Documents and Settings\All Users\Application Data\CyberLink
    2008-06-14 00:50:44 ----D---- C:\Program Files\CyberLink

    List of drivers

    R1 Cdr4_xp;Cdr4_xp; C:\WINDOWS\system32\drivers\Cdr4_xp.sys [2008-06-25 62288]
    R1 Cdralw2k;Cdralw2k; C:\WINDOWS\system32\drivers\Cdralw2k.sys [2008-06-25 23436]
    R1 cdudf_xp;cdudf_xp; C:\WINDOWS\system32\drivers\cdudf_xp.sys [2008-06-25 241280]
    R1 ISODrive;ISO DVD/CD-ROM Device Driver; \??\C:\Program Files\UltraISO\drivers\ISODrive.sys []
    R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-12 14848]
    R1 pwd_2K;pwd_2K; C:\WINDOWS\system32\drivers\pwd_2K.sys [2008-06-25 144250]
    R1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2007-04-09 31548]
    R1 UdfReadr_xp;UdfReadr_xp; C:\WINDOWS\system32\drivers\UdfReadr_xp.sys [2008-06-25 206464]
    R2 atksgt;atksgt; C:\WINDOWS\system32\DRIVERS\atksgt.sys [2008-08-10 278984]
    R2 Hardlock;Hardlock; \??\C:\WINDOWS\system32\drivers\hardlock.sys []
    R2 lirsgt;lirsgt; C:\WINDOWS\system32\DRIVERS\lirsgt.sys [2008-08-10 25416]
    R2 NAVAPEL;NAVAPEL; \??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS []
    R3 AmdLLD;AMD Low Level Device Driver; C:\WINDOWS\system32\DRIVERS\AmdLLD.sys [2006-11-01 33280]
    R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-08-12 60800]
    R3 dvd_2K;dvd_2K; C:\WINDOWS\system32\drivers\dvd_2K.sys [2008-06-25 25930]
    R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
    R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
    R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2008-06-02 4752384]
    R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-12 12160]
    R3 NAVAP;NAVAP; \??\C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVAP.sys []
    R3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080912.002\NAVENG.sys []
    R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080912.002\NAVEX15.sys []
    R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-08-12 61824]
    R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2008-05-02 6554496]
    R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2006-05-16 52736]
    R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2006-05-16 18944]
    R3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []
    R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-12 26624]
    R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-12 57600]
    R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-12 17024]
    R3 WmBEnum;Logitech Virtual Bus Enumerator Driver; C:\WINDOWS\system32\drivers\WmBEnum.sys [2008-01-24 19336]
    R3 WmFilter;Logitech Gaming HID Filter Driver; C:\WINDOWS\system32\drivers\WmFilter.sys [2008-01-24 28168]
    R3 WmHidLo;Logitech Gaming USB Filter Driver; C:\WINDOWS\system32\drivers\WmHidLo.sys [2008-01-24 29192]
    R3 WmVirHid;Logitech Virtual Hid Device Driver; C:\WINDOWS\system32\drivers\WmVirHid.sys [2008-01-24 14728]
    R3 WmXlCore;Logitech Translation Layer Driver; C:\WINDOWS\system32\drivers\WmXlCore.sys [2008-01-24 48904]
    S3 atx0nmv0;atx0nmv0; C:\WINDOWS\system32\drivers\atx0nmv0.sys []
    S3 ENTECH;ENTECH; \??\C:\WINDOWS\system32\DRIVERS\ENTECH.sys []
    S3 GVCplDrv;GVCplDrv; C:\WINDOWS\system32\drivers\GVCplDrv.sys [2004-05-02 23040]
    S3 mmc_2K;mmc_2K; C:\WINDOWS\system32\drivers\mmc_2K.sys [2008-06-25 30662]
    S3 usb_rndisx;USB RNDIS Adapter; C:\WINDOWS\system32\DRIVERS\usb8023x.sys [2005-10-20 12800]
    S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
    S3 wceusbsh;Windows CE USB Serial Host Driver; C:\WINDOWS\system32\DRIVERS\wceusbsh.sys [2006-11-06 28672]
    S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
    S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\system32\DRIVERS\sr.sys []

    List of services

    R2 DefWatch;DefWatch; C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe [2003-12-17 32768]
    R2 Norton AntiVirus Server;Symantec AntiVirus Client; C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe [2003-12-17 651264]
    R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2008-05-02 159812]
    S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
    S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
    S3 SolidWorks Licensing Service;SolidWorks Licensing Service; C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe [2008-06-25 72704]

    -----------------EOF-----------------
     
  5. 2008/09/13
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looks like you've got a Vundo infection.

    Download ComboFix by sUBs from here, saving the file to your desktop.


    Please disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
     
  6. 2008/09/13
    SteyrTMP

    SteyrTMP Inactive Thread Starter

    Joined:
    2008/09/10
    Messages:
    5
    Likes Received:
    0
    Here's the result:


    ComboFix 08-09-12.09 - Owner 2008-09-13 9:53:43.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1399 [GMT -4:00]
    Running from: C:\Install\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    C:\Documents and Settings\Owner\Application Data\Adobe\crc.dat
    C:\WINDOWS\system32\hdceupbb.ini
    C:\WINDOWS\system32\NnTCJRqr.ini
    C:\WINDOWS\system32\NnTCJRqr.ini2
    C:\WINDOWS\system32\vxHjTvut.ini
    C:\WINDOWS\system32\vxHjTvut.ini2

    ----- BITS: Possible infected sites -----

    http://pornotube30.net
    .
    ((((((((((((((((((((((((( Files Created from 2008-08-13 to 2008-09-13 )))))))))))))))))))))))))))))))
    .

    2008-10-09 18:49 . 2008-10-09 18:51 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-10-09 18:04 . 2008-10-09 18:04 <DIR> d-------- C:\Program Files\Trend Micro
    2008-09-13 02:17 . 2008-09-13 02:24 <DIR> d-------- C:\rsit
    2008-09-06 07:00 . 2008-09-06 07:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
    2008-09-06 06:53 . 2008-09-05 17:07 3,262 --a------ C:\WINDOWS\system32\1.ico
    2008-09-02 20:56 . 2008-09-02 20:57 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-09-02 20:56 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-09-02 20:56 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-08-30 07:31 . 2004-02-22 10:11 719,872 --a------ C:\WINDOWS\system32\devil.dll
    2008-08-30 07:31 . 2006-10-07 17:43 502,784 --a------ C:\WINDOWS\x2.64.exe
    2008-08-30 07:31 . 2007-05-17 17:30 318,976 --a------ C:\WINDOWS\system32\avisynth.dll
    2008-08-30 07:31 . 2005-02-28 13:16 240,128 --a------ C:\WINDOWS\system32\x.264.exe
    2008-08-30 07:31 . 2006-04-12 09:47 217,073 --a------ C:\WINDOWS\meta4.exe
    2008-08-30 07:31 . 2004-01-25 00:00 70,656 --a------ C:\WINDOWS\system32\yv12vfw.dll
    2008-08-30 07:31 . 2004-01-25 00:00 70,656 --a------ C:\WINDOWS\system32\i420vfw.dll
    2008-08-30 07:31 . 2006-04-05 08:09 66,560 --a------ C:\WINDOWS\MOTA113.exe
    2008-08-30 07:31 . 2005-07-14 12:31 27,648 --a------ C:\WINDOWS\system32\AVSredirect.dll
    2008-08-30 07:30 . 2005-02-12 18:00 186,880 -r-hs---- C:\WINDOWS\system32\RLOgg.ax
    2008-08-30 07:30 . 2005-01-17 18:26 179,200 -r-hs---- C:\WINDOWS\system32\DiracSplitter.ax
    2008-08-30 07:30 . 2006-08-16 09:53 175,104 -r-hs---- C:\WINDOWS\system32\CoreAAC.ax
    2008-08-30 07:30 . 2005-02-05 18:00 92,672 -r-hs---- C:\WINDOWS\system32\RLVorbisDec.ax
    2008-08-30 07:30 . 2005-02-22 11:55 81,920 -r-hs---- C:\WINDOWS\system32\aac_parser.ax
    2008-08-30 07:30 . 2005-02-12 18:00 67,584 -r-hs---- C:\WINDOWS\system32\RLTheoraDec.ax
    2008-08-30 07:30 . 2005-02-12 18:00 51,712 -r-hs---- C:\WINDOWS\system32\RLSpeexDec.ax
    2008-08-30 07:15 . 2008-08-30 07:25 <DIR> d-------- C:\Program Files\Riva
    2008-08-30 07:15 . 2008-08-30 07:15 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
    2008-08-28 18:31 . 2008-08-28 18:34 <DIR> d-------- C:\My Music
    2008-08-27 11:27 . 2008-08-27 11:42 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\U3
    2008-08-13 09:10 . 2008-08-13 09:10 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
    2008-08-13 09:09 . 2008-08-13 09:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-10-10 00:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-10-09 23:09 --------- d-----w C:\Program Files\Windows Live Safety Center
    2008-09-13 06:26 --------- d-----w C:\Program Files\Juno
    2008-09-06 10:57 --------- d-----w C:\Program Files\DAEMON Tools Pro
    2008-08-12 14:43 --------- d-----w C:\Documents and Settings\Owner\Application Data\sldIM
    2008-08-10 11:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-08-10 11:15 --------- d-----w C:\Documents and Settings\Owner\Application Data\DAEMON Tools Pro
    2008-08-10 10:11 --------- d-----w C:\Program Files\UltraISO
    2008-08-10 10:11 --------- d-----w C:\Program Files\Common Files\EZB Systems
    2008-08-10 09:35 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
    2008-08-10 09:35 --------- d-----w C:\Documents and Settings\Owner\Application Data\DAEMON Tools
    2008-08-10 07:45 278,984 ----a-w C:\WINDOWS\system32\drivers\atksgt.sys
    2008-08-10 07:45 25,416 ----a-w C:\WINDOWS\system32\drivers\lirsgt.sys
    2008-07-31 04:37 --------- d-----w C:\Documents and Settings\Owner\Application Data\SolidWorks
    2008-07-14 22:25 --------- d-----w C:\Program Files\Winamp
    2008-06-25 19:03 1,570,816 ----a-w C:\Documents and Settings\Owner\Application Data\tsdnwin.dll
    2008-06-25 17:04 57,344 ----a-w C:\WINDOWS\uneng.exe
    .

    ------- Sigcheck -------

    2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
    2004-08-12 10:07 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
    md5deep: C:\WINDOWS\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\sp2gdr\tcpip.sys: No such file or directory
    md5deep: C:\WINDOWS\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\sp2qfe\tcpip.sys: No such file or directory
    2008-06-11 21:03 360064 b2d63ed3c81269e9e5cd4f1f93f534f8 C:\WINDOWS\system32\dllcache\tcpip.sys
    2008-06-11 21:03 360064 b2d63ed3c81269e9e5cd4f1f93f534f8 C:\WINDOWS\system32\drivers\tcpip.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "H/PC Connection Agent "= "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
    "MySpaceIM "= "C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]
    "Aim6 "= "C:\Program Files\AIM6\aim6.exe" [2008-06-06 50528]
    "DAEMON Tools Pro Agent "= "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 136136]
    "SpybotSD TeaTimer "= "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 13529088]
    "NvMediaCenter "= "C:\WINDOWS\system32\NvMcTray.dll" [2008-05-02 86016]
    "vptray "= "C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-12-17 90112]
    "amd_dc_opt "= "C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 77824]
    "PWRISOVM.EXE "= "C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-04-09 200704]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
    "Start WingMan Profiler "= "C:\Program Files\Logitech\Gaming Software\LWEMon.exe" [2008-04-04 88584]
    "RemoteControl "= "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "AdaptecDirectCD "= "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2008-06-25 684032]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2008-05-27 413696]
    "nwiz "= "nwiz.exe" [2008-05-02 C:\WINDOWS\system32\nwiz.exe]
    "RTHDCPL "= "RTHDCPL.EXE" [2008-05-28 C:\WINDOWS\RTHDCPL.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "MySpaceIM "= "C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.I420 "= i420vfw.dll
    "vidc.yv12 "= yv12vfw.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)
    "mW[íµˆÖ¾`=µÃº¾Ëœv%S8’ÿÙêé>grl>*Ã\†Ã=Ÿà۱Þ "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\games\\Gas Powered Games\\Supreme Commander - Forged Alliance\\bin\\ForgedAlliance.exe "=
    "C:\\games\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe "=
    "C:\\Program Files\\Juno\\bin\\juno.exe "=
    "C:\Program Files\Microsoft ActiveSync\rapimgr.exe "= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "C:\Program Files\Microsoft ActiveSync\wcescomm.exe "= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "C:\Program Files\Microsoft ActiveSync\WCESMgr.exe "= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe "=
    "C:\\Program Files\\AIM6\\aim6.exe "=
    "C:\\Games\\Mass Effect\\Binaries\\MassEffect.exe "=
    "C:\\Games\\Mass Effect\\MassEffectLauncher.exe "=
    "C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26675:TCP "= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
    "12989:TCP "= 12989:TCP:BitComet 12989 TCP
    "12989:UDP "= 12989:UDP:BitComet 12989 UDP


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
    \Shell\AutoRun\command - G:\LaunchU3.exe -a
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{8B7F88A9-CFC2-424D-A66C-43213A5CF08C} - (no file)
    BHO-{EE1EA1BB-0FD8-4353-AA1E-8BA9964DA3E2} - (no file)


    .
    ------- Supplementary Scan -------
    .
    R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
    O8 -: &D&ownload &with BitComet - C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 -: &D&ownload all video with BitComet - C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 -: &D&ownload all with BitComet - C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O9 -: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206
    O17 -: HKLM\CCS\Interface\{2D6717EF-C4E2-48C1-985C-1FCD68474F32}: NameServer = 166.102.165.13,166.102.165.11
    .
    .
    ------- File Associations (Beta) -------
    .
    scrfile= "%1" %*
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-13 09:57:28
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\NavLogon.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\PROGRA~1\MICROS~2\rapimgr.exe
    C:\Program Files\AIM6\aolsoftware.exe
    .
    **************************************************************************
    .
    Completion time: 2008-09-13 10:01:05 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-09-13 14:01:02

    Pre-Run: 523,955,089,408 bytes free
    Post-Run: 524,767,289,344 bytes free

    292
     
  7. 2008/09/13
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    We need to get a better look at some registry entries. Please copy the contents of the code box below, then click Start>Run, paste in the copied text and hit Enter.

    Code:
    regedit /a "%userprofile%\desktop\firewall.txt" "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"

    It should produce a text file on the desktop named firewall.txt
    Please post the contents of that log here.

    Then, let's get an online scan. Please do an online scan with Kaspersky Online Scanner.

    Click Accept, when prompted to download and install the program files and database of malware definitions.
    • Click Run at the Security prompt.
    • The program will then begin downloading and installing and will also update the database.
    • Please be patient as this can take several minutes.
    • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Click View scan report at the bottom.
    • Click the Save Report As... button.
    • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
    **Note**

    To optimize scanning time and produce a more sensible report for review:
    • Close any open programs.
    • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
    Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


    Post the Kaspersky log and one more fresh RSIT log.
     
  8. 2008/09/14
    SteyrTMP

    SteyrTMP Inactive Thread Starter

    Joined:
    2008/09/10
    Messages:
    5
    Likes Received:
    0
    I cannot get to the Kaspersky site--it's down apparently.

    I did get the firewall log.

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall "=dword:00000000
    "mW[íµˆÃ–¾`=µÃº¾˜v%S8’ÿÙêé>grl>*Ã\\†Ã=ŸÃ ۱Þ "=" "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "= "%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 "
    "C:\\games\\Gas Powered Games\\Supreme Commander - Forged Alliance\\bin\\ForgedAlliance.exe "= "C:\\games\\Gas Powered Games\\Supreme Commander - Forged Alliance\\bin\\ForgedAlliance.exe:*:Enabled:Supreme Commander - Forged Alliance "
    "C:\\games\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe "= "C:\\games\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe:*:Enabled:GPGNet - Supreme Commander - Forged Alliance "
    "C:\\Program Files\\Juno\\bin\\juno.exe "= "C:\\Program Files\\Juno\\bin\\juno.exe:*:Enabled:Juno "
    "C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe "= "C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager "
    "C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe "= "C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager "
    "C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe "= "C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application "
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe "= "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader "
    "C:\\Program Files\\AIM6\\aim6.exe "= "C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM "
    "C:\\Games\\Mass Effect\\Binaries\\MassEffect.exe "= "C:\\Games\\Mass Effect\\Binaries\\MassEffect.exe:*:Enabled:Mass Effect Game "
    "C:\\Games\\Mass Effect\\MassEffectLauncher.exe "= "C:\\Games\\Mass Effect\\MassEffectLauncher.exe:*:Enabled:Mass Effect Launcher "
    "C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe "= "C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpaceIM "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "1900:UDP "= "1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007 "
    "2869:TCP "= "2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008 "
    "139:TCP "= "139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004 "
    "445:TCP "= "445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005 "
    "137:UDP "= "137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001 "
    "138:UDP "= "138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002 "
    "26675:TCP "= "26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service "
    "12989:TCP "= "12989:TCP:*:Enabled:BitComet 12989 TCP "
    "12989:UDP "= "12989:UDP:*:Enabled:BitComet 12989 UDP "
     
  9. 2008/09/14
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Try Kaspersky later on then.

    Please open the firewall export and edit the first few lines so that they appear as below.

    Code:
    REGEDIT4

    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
    
    Notice that I have added the bolded line (with a minus sign as the second character), and removed the entry beneath "EnableFirewall" (the one with the strange characters). All other lines should remain intact. Close it and save the changes.
    Now right click the export and select Rename, then change the .txt extension to .reg
    Double click the reg file and allow it to merge with the registry.
     
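As an added example (not the helper's or the thread's own tooling), the script below does in code what post #9 asks the user to do by hand: it parses a `regedit /a` export of the firewall StandardProfile key, flags any value name that is not plain printable ASCII (the "strange characters" entry), and writes a .reg file that deletes the key with a `[-KEY]` line and then recreates every exported key without the flagged value. The sample export, its garbled value name and all function names are constructed for this example.

```python
"""Scripted version of the manual .reg edit from post #9 (added example, not
the helper's own tool): parse a REGEDIT4 export of the Windows Firewall
StandardProfile key, flag value names that are not plain printable ASCII,
and write a .reg that first deletes the key ([-KEY]) and then recreates
every exported key minus the flagged value.  SAMPLE_EXPORT is constructed
to resemble the export posted in the thread; it is not copied from it."""
import re

PROFILE_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
               r"\SharedAccess\Parameters\FirewallPolicy\StandardProfile")

# Constructed sample in the shape "regedit /a" writes.  The second value name
# is made-up garbage standing in for the mojibake name in the real export.
SAMPLE_EXPORT = "\n".join([
    "REGEDIT4",
    "",
    "[" + PROFILE_KEY + "]",
    '"EnableFirewall"=dword:00000000',
    '"mW[\u00ed\u00b5`=\u00c3\u00ba>grl"=""',
    "",
    "[" + PROFILE_KEY + r"\AuthorizedApplications\List]",
    r'"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe'
    r':*:enabled:@xpsp2res.dll,-22019"',
    "",
])

# "name"=data, where the name may contain \" and \\ escapes
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg(text):
    """Return [(key_path, [(value_name, raw_data), ...]), ...] in file order."""
    keys = []
    for line in text.splitlines():
        line = line.rstrip("\r")
        if line.startswith("[") and line.endswith("]"):
            keys.append((line[1:-1], []))
        elif keys:
            m = VALUE_RE.match(line)
            if m:
                keys[-1][1].append((m.group(1), m.group(2)))
    return keys


def is_suspicious_name(name):
    """Windows writes the firewall-policy value names itself and they are
    always plain printable ASCII; anything outside 0x20-0x7E is flagged."""
    return not all(32 <= ord(ch) < 127 for ch in name)


def audit(keys):
    """Return (findings, firewall_disabled).  findings is a list of
    (key_path, value_name) pairs whose names failed is_suspicious_name."""
    findings = []
    firewall_disabled = False
    for key, values in keys:
        for name, raw in values:
            if is_suspicious_name(name):
                findings.append((key, name))
            if (key.lower() == PROFILE_KEY.lower()
                    and name == "EnableFirewall"
                    and raw.lower() == "dword:00000000"):
                firewall_disabled = True
    return findings, firewall_disabled


def build_cleanup_reg(keys, findings):
    """Emit the .reg text the helper asked for: delete PROFILE_KEY (which also
    drops its subkeys), then recreate each exported key without the flagged
    values.  regedit processes lines in order, so the exported subkeys
    (AuthorizedApplications, GloballyOpenPorts) are rebuilt as well."""
    bad = set(findings)
    out = ["REGEDIT4", "", "[-" + PROFILE_KEY + "]", ""]
    for key, values in keys:
        out.append("[" + key + "]")
        for name, raw in values:
            if (key, name) not in bad:
                out.append('"%s"=%s' % (name, raw))
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    # For a real export use open(path, encoding="cp1252").read() instead.
    parsed = parse_reg(SAMPLE_EXPORT)
    found, disabled = audit(parsed)
    for key, name in found:
        print("suspicious value name under %s: %r" % (key, name))
    print("EnableFirewall is 0 (firewall off):", disabled)
    print(build_cleanup_reg(parsed, found))
```

The EnableFirewall value is reported but left as exported, matching the helper's edit; turning the firewall back on is a separate decision.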
  10. 2008/09/14
    SteyrTMP

    SteyrTMP Inactive Thread Starter

    Joined:
    2008/09/10
    Messages:
    5
    Likes Received:
    0
    Thank you. I will do that now. I was finally able to get to the Kaspersky site, and am running the scanner now. I will post the log when completed.
     
