[Antichrist] [Day of judgment]-I really need help
November 19, 2008, 05:40:25 PM
My PC Hell Forum > Windows XP Assistance > Security-Virus/Spyware (Moderator: Essexboy)
Topic: [Antichrist] [Day of judgment]-I really need help (Read 1604 times)
amin30b (Contributor, Posts: 14)
[Antichrist] [Day of judgment]-I really need help
« on: April 15, 2008, 03:46:35 PM »
Hello
I hope you find a solution for me about this virus (worm).
While my Windows is loading, on the Windows blue Welcome screen at startup, a little damn window loads with this title: [Antichrist] and this entire inner text: [Day of judgment]. The window has only one button: Ok.
After clicking on Ok, Windows loads, but at startup it loads 2 pages from this URL:
Code:
C:\WINDOWS\system32\blank.htm
Please have a view on this screenshot:
I reinstalled my Windows, but after installation I found this virus is placed on other hard drives too, because when I double-clicked on each drive, the related drive would be browsed in a new window, not the same window. Of course drive C didn't have this problem until the first system restart, but after it I had the same problem with drive C (Windows drive).
Also I found that the virus has disabled Folder Options and removed it from the Tools menu.
I used Avast 4.8 antivirus to find that virus, but after a complete scan I found that the virus is still active in the system.
The only difference after the virus scan is in the hard drives; now when I double-click on each of the drives this error message appears:
Still I have the Folder Options problem. At last I've found this one:
What should I do now?
Logged
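The behaviour reported in the post above (every drive opening in a new window on double-click, and the infection turning up on the other drives again after a reinstall) is what an autorun.inf dropped in each drive root produces; later in this thread the ComboFix log lists exactly such files being deleted from C: through J:. The script below is an added example, not code from the forum or from any tool the thread mentions. It parses an autorun.inf and reports which directives would launch a program and whether the drive's default double-click action has been redefined. Both sample files are constructed for illustration, and the file name setup.exe is borrowed from the mountpoints2 entry ComboFix reports for H:, not from any file recovered from this machine.

```python
"""Triage an autorun.inf for directives that launch a program when a drive is opened.

Added example for this thread, not code from the forum or from any tool it
mentions.  Both sample files below are constructed for illustration; the
autorun.inf that ComboFix later removed from each drive is not shown on the page.
"""
import re

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")

# Constructed: what a benign disc or USB stick typically carries.
BENIGN_AUTORUN_INF = """\
[autorun]
icon=disk.ico
label=Backup drive
"""

# Constructed to match the first post's symptom: the context-menu verbs,
# including the default double-click action, point at a file on the drive
# root.  The name setup.exe is taken from the mountpoints2 entry that
# ComboFix reports for H: later in the thread, not from a recovered file.
HIJACKED_AUTORUN_INF = """\
[AutoRun]
open=setup.exe
shell\\open=&Open
shell\\open\\command=setup.exe
shell\\explore\\command=setup.exe
shell=open
"""


def parse_autorun_inf(text: str) -> dict:
    """Return the [autorun] section as a lower-cased key -> value dict.

    autorun.inf is plain INI text; keys are case-insensitive, a verb's label
    (shell\\open=&Open) and its command (shell\\open\\command=...) are
    separate keys, and lines starting with ';' are comments.
    """
    directives, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name").strip().lower()
            continue
        if section != "autorun":
            continue
        key, _, value = line.partition("=")
        directives[key.strip().lower()] = value.strip()
    return directives


def launch_directives(directives: dict) -> list:
    """(directive, command) pairs that would start a program: open and
    shellexecute fire on AutoPlay, shell\\<verb>\\command when the verb runs."""
    hits = []
    for key, value in directives.items():
        is_verb_cmd = key.startswith("shell\\") and key.endswith("\\command")
        if value and (key in ("open", "shellexecute") or is_verb_cmd):
            hits.append((key, value))
    return hits


def assess_autorun_inf(text: str) -> dict:
    """Summarise what opening the drive in Explorer would do."""
    directives = parse_autorun_inf(text)
    hits = launch_directives(directives)
    default_verb = directives.get("shell", "").lower() or None
    # Verbs that have a command defined on the drive itself.
    verbs = {k.split("\\")[1] for k, _ in hits if k.startswith("shell\\")}
    # A double-click runs the default verb ("open" unless shell= says
    # otherwise); if the drive defines that verb's command, the double-click
    # no longer opens the drive normally.
    hijacked = (default_verb or "open") in verbs
    return {
        "launches": hits,
        "default_verb": default_verb,
        "double_click_hijacked": hijacked,
        "suspicious": bool(hits),
    }


if __name__ == "__main__":
    for label, text in (("benign", BENIGN_AUTORUN_INF), ("hijacked", HIJACKED_AUTORUN_INF)):
        print(label, assess_autorun_inf(text))
```

Run against the root of each drive, the "suspicious" flag is the quick check; the "double_click_hijacked" flag explains the specific symptom in the post, since a drive that redefines the open verb (or names its own default verb) no longer opens normally in Explorer. Explorer also caches what it read from the drive under MountPoints2, which is why ComboFix lists a `\Shell\AutoRun\command` entry for H: even after the file is gone.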
Squeezebox (Administrator, Posts: 2756)
Re: [Antichrist] [Day of judgment]-I really need help
« Reply #1 on: April 15, 2008, 05:24:33 PM »
Essexboy should be able to help you solve this; you have an infection called "RenameLoi.A".
http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?lst=det&idvirus=190904
Wait for him to come online, he'll guide you through the fix process.
Logged
Essexboy (Administrator, Posts: 899)
Re: [Antichrist] [Day of judgment]-I really need help
« Reply #2 on: April 15, 2008, 06:13:16 PM »
Here I be
This looks like a fun one as it does a lot of registry changes.
So let's go to work - I will do some exploratory removal first and progress from there.
Please download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".
During the download, rename Combofix to Combo-Fix as follows:
It is important you rename Combofix during the download, but not after.
Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on combo-Fix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**
Logged
VISTA
XPsp2
Avast (of course)
http://spaces.msn.com/members/essexboymkn/
If ignorance is bliss why aren't more people happy?
amin30b (Contributor, Posts: 14)
Re: [Antichrist] [Day of judgment]-I really need help
« Reply #3 on: April 15, 2008, 08:28:13 PM »
Thanks Essexboy
I did what you advised.
Log for Combo-Fix:
Code:
ComboFix 08-04-15.1 - Manam 04/16/2008 3:41:54.1 - [color=red][b]FAT32[/b][/color]x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510 [GMT 3.5:30]
Running from: C:\Combo-Fix.exe
* Created a new restore point
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Autorun.inf
D:\Autorun.inf
E:\Autorun.inf
F:\Autorun.inf
G:\Autorun.inf
J:\autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-03-16 to 2008-04-16 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-15 23:55 1,770,165 ----a-w C:\Combo-Fix.exe
2008-04-15 22:11 --------- d-----w C:\Program Files\eMule
2008-04-15 22:11 --------- d-----w C:\Documents and Settings\Manam\Application Data\eMule
2008-04-15 22:09 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-15 22:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
2008-04-15 22:07 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-04-15 18:59 --------- d-----w C:\Program Files\Babylon
2008-04-15 18:59 --------- d-----w C:\Documents and Settings\Manam\Application Data\Babylon
2008-04-15 18:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Babylon
2008-04-15 18:56 --------- d-----w C:\Program Files\FastStone Capture
2008-04-15 18:56 --------- d-----w C:\Documents and Settings\Manam\Application Data\FastStone
2008-04-15 16:24 --------- d-----w C:\Program Files\microsoft frontpage
2008-04-15 16:17 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-04-15 15:47 --------- d-----w C:\Program Files\Alwil Software
2008-03-29 18:45 1,146,232 ----a-w C:\WINDOWS\system32\aswBoot.exe
2008-03-29 18:35 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-29 18:35 20,560 ----a-w C:\WINDOWS\system32\drivers\aswFsBlk.sys
2008-03-29 18:31 75,856 ----a-w C:\WINDOWS\system32\drivers\aswSP.sys
2008-03-29 18:29 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-29 18:27 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-29 18:26 26,944 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-29 18:23 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 11:56 PM 15360]
"blank"="C:\WINDOWS\system32\blank.htm" [04/15/2008 08:53 PM 917]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"blank"="C:\WINDOWS\system32\blank.htm" [04/15/2008 08:53 PM 917]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [03/29/2008 10:07 PM 79224]
"Babylon Client"="C:\Program Files\Babylon\Babylon-Pro\Babylon.exe" [04/15/2008 10:30 PM 2663480]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [ ]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [02/16/2005 04:15 PM 81920]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [08/03/2004 11:56 PM 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="regsvr32 /s /n /i:u shell32" []
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"LegalNoticeCaption"="[Antichrist]"
"LegalNoticeText"="[Day of judgment]"
"LogonPrompt"="[Day of judgment]"
"Welcome"="[Antichrist]"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [03/29/2008 10:01 PM]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [03/29/2008 10:05 PM]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{818fd845-0b1f-11dd-b1ce-806d6172696f}]
\Shell\AutoRun\command - H:\setup.exe
*Newly Created Service* - APPMGMT
*Newly Created Service* - CATCHME
*Newly Created Service* - UPNPHOST
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-16 03:43:05
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 04/16/2008 3:43:26
ComboFix-quarantined-files.txt 2008-04-16 00:13:26
Pre-Run: 11,162,083,328 bytes free
Post-Run: 11,169,857,536 bytes free
.
2008-04-15 23:30:35
--- E O F ---
Log for HijackThis version 2.0.2:
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:46:41 ?.?, on 2008/04/16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20583)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [blank] C:\WINDOWS\system32\blank.htm
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [blank] C:\WINDOWS\system32\blank.htm
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
--
End of file - 3785 bytes
Combo-Fix solved the hard drives opening and Folder Options problems.
What should I do for the other problems?
Logged
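The ComboFix log above shows the three registry changes behind the symptoms reported in this thread: a "blank" Run value in both HKCU and HKLM whose target is C:\WINDOWS\system32\blank.htm (a web page, not a program, which is why two pages open at every logon), the Winlogon LegalNoticeCaption/LegalNoticeText/LogonPrompt/Welcome values carrying the [Antichrist] and [Day of judgment] banner, and AntiVirusOverride=1 under the Security Center key, which tells Windows XP SP2 to stop warning that no antivirus is active. The script below is an added example, not part of ComboFix or HijackThis; it parses the REGEDIT4-style "Reg Loading Points" section of such a log and flags exactly those patterns. The sample is built from the entries visible in the log above, and the list of extensions treated as executable is this example's own choice.

```python
"""Flag suspicious entries in the "Reg Loading Points" section of a ComboFix log.

Added example for this thread, not part of ComboFix or HijackThis.  Three
patterns from the log above are checked: an autostart value whose target is
not a program (blank.htm), Winlogon banner values set on a home PC, and a
Security Center override that hides the "no antivirus" warning.
"""
import ntpath
import re

# REGEDIT4 value line:  "name"=value
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')
# ComboFix appends " [date time size]" after a string value; strip it.
STRING_RE = re.compile(r'^"(?P<data>.*?)"(?:\s+\[.*\])?\s*$')

# This example's own choice of what counts as a program for a Run value.
# .vbs/.js are included because Windows Script Host runs them directly.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".bat", ".cmd", ".pif", ".vbs", ".js"}
AUTOSTART_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")
WINLOGON_BANNER_VALUES = {"legalnoticecaption", "legalnoticetext", "logonprompt", "welcome"}
SECURITY_CENTER_OVERRIDES = {"antivirusoverride", "firewalloverride", "antivirusdisablenotify"}

# Constructed sample: the entries visible in the ComboFix log above, plus a
# note line and a driver line to show that non-value lines are ignored.
SAMPLE_LOG = r"""
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 11:56 PM 15360]
"blank"="C:\WINDOWS\system32\blank.htm" [04/15/2008 08:53 PM 917]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"blank"="C:\WINDOWS\system32\blank.htm" [04/15/2008 08:53 PM 917]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [03/29/2008 10:07 PM 79224]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [ ]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="regsvr32 /s /n /i:u shell32" []
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"LegalNoticeCaption"="[Antichrist]"
"LegalNoticeText"="[Day of judgment]"
"LogonPrompt"="[Day of judgment]"
"Welcome"="[Antichrist]"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [03/29/2008 10:01 PM]
"""


def parse_reg_dump(text: str) -> list:
    """Return (key, name, data) triples; dword data becomes an int."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if key is None or not m:
            continue  # header text, notes, driver lines
        value = m.group("value").strip()
        s = STRING_RE.match(value)
        if s:
            data = s.group("data")
        elif value.lower().startswith("dword:"):
            data = int(value[6:], 16)
        else:
            data = value
        entries.append((key, m.group("name"), data))
    return entries


def launch_target(command: str) -> str:
    """Program a Run command starts: the quoted path, or the shortest unquoted
    prefix that ends in a file extension (unquoted paths with spaces are common)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    tokens = command.split()
    for i in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:i])
        if ntpath.splitext(candidate)[1]:
            return candidate
    return tokens[0] if tokens else ""


def triage(entries: list) -> list:
    """Return (key, name, reason) findings for the three patterns."""
    findings = []
    for key, name, data in entries:
        k, n = key.lower(), name.lower()
        if k.endswith(AUTOSTART_SUFFIXES) and isinstance(data, str):
            ext = ntpath.splitext(launch_target(data))[1].lower()
            if ext and ext not in EXECUTABLE_EXTS:
                findings.append((key, name, f"autostart target is not a program ({ext})"))
        elif k.endswith("\\currentversion\\winlogon") and n in WINLOGON_BANNER_VALUES and data:
            findings.append((key, name, f"logon banner text set: {data}"))
        elif k.endswith("\\security center") and n in SECURITY_CENTER_OVERRIDES and data == 1:
            findings.append((key, name, "Security Center monitoring override enabled"))
    return findings


def triage_log(text: str) -> list:
    """Convenience wrapper: parse a log's registry section and triage it."""
    return triage(parse_reg_dump(text))


if __name__ == "__main__":
    for key, name, reason in triage_log(SAMPLE_LOG):
        print(f"{reason}: [{key}] {name}")
```

On the sample this reports seven findings: the two blank.htm autostart values, the four Winlogon banner values and the AntiVirusOverride flag, while ctfmon, avast!, the InstallShield updater and the ShowDeskFix RunOnce entry (a regsvr32 command, not a file path) pass. The same launch_target logic applies to HijackThis O4 lines, which carry the command-line switches that ComboFix omits.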
Essexboy (Administrator, Posts: 899)
Re: [Antichrist] [Day of judgment]-I really need help
« Reply #4 on: April 16, 2008, 04:24:43 AM »
Now I need to do a deep search and look for drivers.
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
When it has finished, dss will open two Notepads, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
Logged
VISTA
XPsp2
Avast (of course)
http://spaces.msn.com/members/essexboymkn/
If ignorance is bliss why aren't more people happy?
amin30b (Contributor, Posts: 14)
Re: [Antichrist] [Day of judgment]-I really need help
« Reply #5 on: April 16, 2008, 05:30:24 AM »
Ok
main.txt:
Code:
Deckard's System Scanner v20071014.68
Run by Manam on 2008-04-16 12:44:12
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
Successfully created a Deckard's System Scanner Restore Point.
-- Last 5 Restore Point(s) --
9: 2008-04-16 09:14:16 UTC - RP9 - Deckard's System Scanner Restore Point
8: 2008-04-16 01:30:42 UTC - RP8 - Software Distribution Service 3.0
7: 2008-04-16 01:04:28 UTC - RP7 - Installed Articulate Presenter 5 Professional
6: 2008-04-16 00:11:44 UTC - RP6 - ComboFix created restore point
5: 2008-04-15 23:30:22 UTC - RP5 - Software Distribution Service 3.0
-- First Restore Point --
1: 2008-04-15 15:32:38 UTC - RP1 - System Checkpoint
Backed up registry hives.
Performed disk cleanup.
-- HijackThis (run as Manam.exe) -----------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:44:39 ?.?, on 2008/04/16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20583)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Documents and Settings\Manam\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Manam.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [blank] C:\WINDOWS\system32\blank.htm
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [blank] C:\WINDOWS\system32\blank.htm
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
--
End of file - 4030 bytes
-- File Associations -----------------------------------------------------------
All associations okay.
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
S3 catchme - c:\docume~1\manam\locals~1\temp\catchme.sys (file missing)
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
S3 InstallShield Licensing Service - "c:\program files\common files\installshield shared\service\installshield licensing service.exe" <Not Verified; Macrovision; FLEXnet Authentication Service>
-- Device Manager: Disabled ----------------------------------------------------
No disabled devices found.
-- Files created between 2008-03-16 and 2008-04-16 -----------------------------
2008-04-16 04:39:22 0 d-------- C:\Documents and Settings\Manam\Application Data\Macromedia
2008-04-16 04:34:35 0 d-------- C:\Program Files\Common Files\InstallShield Shared
2008-04-16 04:34:30 0 d-------- C:\Program Files\Articulate
2008-04-16 03:46:15 0 d-------- C:\Program Files\Trend Micro
2008-04-16 03:43:27 0 d--hs---- C:\Recycled
2008-04-16 03:40:44 68096 --a------ C:\WINDOWS\zip.exe
2008-04-16 03:40:44 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-16 03:40:44 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-16 03:40:44 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-16 03:40:44 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-16 03:40:44 98816 --a------ C:\WINDOWS\sed.exe
2008-04-16 03:40:44 80412 --a------ C:\WINDOWS\grep.exe
2008-04-16 03:40:44 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-16 03:24:59 1770165 --a------ C:\Combo-Fix.exe
2008-04-16 03:00:27 0 d--h----- C:\WINDOWS\$hf_mig$
2008-04-16 01:41:54 0 d-------- C:\Documents and Settings\Manam\Application Data\eMule
2008-04-16 01:41:51 0 d-------- C:\Program Files\eMule
2008-04-16 01:41:08 0 d-------- C:\WINDOWS\system32\appmgmt
2008-04-16 01:39:38 0 d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-04-16 01:39:32 0 d-------- C:\Program Files\Common Files\InstallShield
2008-04-16 01:36:58 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-04-16 01:36:19 0 d-------- C:\WINDOWS\SHELLNEW
Logged
amin30b (Contributor, Posts: 14)
Re: [Antichrist] [Day of judgment]-I really need help
« Reply #6 on: April 16, 2008, 05:32:54 AM »
Continuation of main.txt:
Code:
2008-04-15 22:29:05 0 d-------- C:\Program Files\Babylon
2008-04-15 22:29:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Babylon
2008-04-15 22:28:58 0 d-------- C:\Documents and Settings\Manam\Application Data\Babylon
2008-04-15 22:26:42 0 d-------- C:\Documents and Settings\Manam\Application Data\FastStone
2008-04-15 22:26:38 0 d-------- C:\Program Files\FastStone Capture
2008-04-15 21:56:03 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-15 21:55:59 0 d-------- C:\Documents and Settings\Manam\Application Data\Mozilla
2008-04-15 20:00:51 0 d--hs---- C:\System Volume Information
2008-04-15 20:00:49 0 d-------- C:\WINDOWS\Prefetch
2008-04-15 20:00:48 0 d---s---- C:\WINDOWS\system32\Microsoft
2008-04-15 20:00:47 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2008-04-15 20:00:47 0 d--hs---- C:\Documents and Settings\LocalService\Cookies
2008-04-15 20:00:47 0 d-------- C:\Documents and Settings\LocalService\Application Data
2008-04-15 20:00:47 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2008-04-15 20:00:37 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2008-04-15 20:00:37 0 d--hs---- C:\Documents and Settings\NetworkService\Cookies
2008-04-15 20:00:37 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2008-04-15 20:00:37 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2008-04-15 19:54:26 0 d-------- C:\WINDOWS\system32\xircom
2008-04-15 19:54:26 0 d-------- C:\Program Files\microsoft frontpage
2008-04-15 19:54:07 237568 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2008-04-15 19:53:56 0 -rahs---- C:\MSDOS.SYS
2008-04-15 19:53:56 0 -rahs---- C:\IO.SYS
2008-04-15 19:53:56 0 --a------ C:\CONFIG.SYS
2008-04-15 19:53:56 0 --a------ C:\AUTOEXEC.BAT
2008-04-15 19:52:26 0 d--hs---- C:\Documents and Settings\All Users\DRM
2008-04-15 19:51:57 0 d--h----- C:\Program Files\WindowsUpdate
2008-04-15 19:51:34 0 d-------- C:\WINDOWS\system32\DirectX
2008-04-15 19:50:56 0 d---s---- C:\WINDOWS\Tasks
2008-04-15 19:50:53 0 d-------- C:\Program Files\Common Files\MSSoap
2008-04-15 19:50:48 0 d-------- C:\WINDOWS\srchasst
2008-04-15 19:50:33 0 d-------- C:\Program Files\Movie Maker
2008-04-15 19:50:15 0 d-------- C:\WINDOWS\system32\Restore
2008-04-15 19:48:50 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-04-15 19:48:21 0 d-------- C:\WINDOWS\Registration
2008-04-15 19:48:12 0 d-------- C:\Program Files\Online Services
2008-04-15 19:48:01 0 d-------- C:\WINDOWS\Offline Web Pages
2008-04-15 19:48:00 0 d---s---- C:\WINDOWS\Downloaded Program Files
2008-04-15 19:47:49 0 d-------- C:\Program Files\Windows Media Connect 2
2008-04-15 19:47:46 0 d-------- C:\Program Files\Messenger
2008-04-15 19:47:43 0 d-------- C:\Program Files\MSN Gaming Zone
2008-04-15 19:47:01 0 d-------- C:\Program Files\Windows NT
2008-04-15 19:46:55 0 d-------- C:\WINDOWS\system32\MsDtc
2008-04-15 19:46:51 0 d-------- C:\WINDOWS\system32\Com
2008-04-15 19:26:01 0 d--hs---- C:\WINDOWS\Installer
2008-04-15 19:26:00 0 d-------- C:\Program Files\Common Files\ODBC
2008-04-15 19:25:56 0 dr------- C:\Program Files
2008-04-15 19:25:56 0 d-------- C:\Program Files\Common Files
2008-04-15 19:25:56 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-04-15 19:25:28 0 d--h----- C:\Documents and Settings\Default User\Templates
2008-04-15 19:25:28 0 dr------- C:\Documents and Settings\Default User\Start Menu
2008-04-15 19:25:28 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2008-04-15 19:25:28 0 d--h----- C:\Documents and Settings\Default User\Recent
2008-04-15 19:25:28 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2008-04-15 19:25:28 0 d--h----- C:\Documents and Settings\Default User\NetHood
2008-04-15 19:25:28 0 d-------- C:\Documents and Settings\Default User\My Documents
2008-04-15 19:25:28 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2008-04-15 19:25:28 0 d-------- C:\Documents and Settings\Default User\Favorites
2008-04-15 19:25:28 0 d-------- C:\Documents and Settings\Default User\Desktop
2008-04-15 19:25:28 0 d--hs---- C:\Documents and Settings\Default User\Cookies
2008-04-15 19:25:28 0 d--h----- C:\Documents and Settings\All Users\Templates
2008-04-15 19:25:28 0 dr------- C:\Documents and Settings\All Users\Start Menu
2008-04-15 19:25:28 0 d-------- C:\Documents and Settings\All Users\Favorites
2008-04-15 19:25:28 0 dr------- C:\Documents and Settings\All Users\Documents
2008-04-15 19:25:28 0 d-------- C:\Documents and Settings\All Users\Desktop
2008-04-15 19:24:51 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-04-15 19:24:51 0 d-------- C:\WINDOWS\system32\CatRoot
2008-04-15 19:24:45 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2008-04-15 19:24:45 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2008-04-15 19:24:45 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2008-04-15 19:24:45 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-04-15 19:24:16 0 d-------- C:\Documents and Settings
2008-04-15 19:18:53 0 d-------- C:\WINDOWS
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\WinSxS
2008-04-15 19:18:53 0 dr------- C:\WINDOWS\Web
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\twain_32
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\system32
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\system32\wins
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\system32\wbem
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\system32\usmt
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\system32\spool
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\system32\ShellExt
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\system32\Setup
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\system32\ras
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\system32\PreInstall
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\system32\oobe
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\system32\npp
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\system32\mui
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\system32\Macromed
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\system32\inetsrv
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\system32\IME
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\system32\icsxml
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\system32\ias
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\system32\export
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\system32\drivers
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\system32\drivers\etc
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\system32\drivers\disdn
2008-04-15 19:18:53 0 dr-hs---- C:\WINDOWS\system32\dllcache
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\system32\dhcp
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\system32\config
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\system32\3com_dmi
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\system32\3076
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\system32\2052
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\system32\1054
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\system32\1042
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\system32\1041
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\system32\1037
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\system32\1033
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\system32\1031
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\system32\1028
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\system32\1025
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\system
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\security
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\Resources
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\repair
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\Provisioning
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\PeerNet
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\pchealth
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\Network Diagnostic
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\mui
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\msapps
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\msagent
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\Media
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\l2schemas
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\java
2008-04-15 19:18:53 0 d--h----- C:\WINDOWS\inf
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\ime
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\Help
2008-04-15 19:18:53 0 dr--s---- C:\WINDOWS\Fonts
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\ehome
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\Driver Cache
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\Debug
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\Cursors
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\Connection Wizard
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\Config
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\AppPatch
2008-04-15 19:18:53 0 d-------- C:\WINDOWS\addins
2008-04-15 19:17:14 0 d-------- C:\Program Files\Alwil Software
2008-04-15 19:13:54 0 d-ahs---- C:\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}
2008-04-15 19:02:12 0 d-------- C:\Documents and Settings\Manam\Application Data\Identities
2008-04-15 19:01:58 0 d--h----- C:\Documents and Settings\Manam\Templates
2008-04-15 19:01:58 0 dr------- C:\Documents and Settings\Manam\Start Menu
2008-04-15 19:01:58 0 dr-h----- C:\Documents and Settings\Manam\SendTo
2008-04-15 19:01:58 0 dr-h----- C:\Documents and Settings\Manam\Recent
2008-04-15 19:01:58 0 d--h----- C:\Documents and Settings\Manam\PrintHood
2008-04-15 19:01:58 1310720 --ah----- C:\Documents and Settings\Manam\NTUSER.DAT
2008-04-15 19:01:58 0 d--h----- C:\Documents and Settings\Manam\NetHood
2008-04-15 19:01:58 0 dr------- C:\Documents and Settings\Manam\My Documents
2008-04-15 19:01:58 0 d--h----- C:\Documents and Settings\Manam\Local Settings
2008-04-15 19:01:58 0 dr------- C:\Documents and Settings\Manam\Favorites
2008-04-15 19:01:58 0 d-------- C:\Documents and Settings\Manam\Desktop
2008-04-15 19:01:58 0 d--hs---- C:\Documents and Settings\Manam\Cookies
2008-04-15 19:01:58 0 dr-h----- C:\Documents and Settings\Manam\Application Data
2008-04-15 19:00:47 237568 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2008-04-15 19:00:36 237568 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
-- Find3M Report ---------------------------------------------------------------
2008-04-15 19:25:30 62 --ahs---- C:\Documents and Settings\Manam\Application Data\desktop.ini
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"blank"="C:\WINDOWS\system32\blank.htm" [04/15/2008 08:53 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [03/29/2008 10:07 PM]
"Babylon Client"="C:\Program Files\Babylon\Babylon-Pro\Babylon.exe" [04/15/2008 10:30 PM]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [02/16/2005 04:15 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [02/16/2005 04:15 PM]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 11:56 PM]
"blank"="C:\WINDOWS\system32\blank.htm" [04/15/2008 08:53 PM]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"ShowDeskFix"=regsvr32 /s /n /i:u shell32
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
-- End of Deckard's System Scanner: finished at 2008-04-16 12:45:45 ------------
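The Registry Dump section of the main.txt log above is where the problem shows itself: a value named "blank" under both the HKLM and HKCU Run keys that points at an .htm file rather than a program. The following Python script is an added example for this thread (it is not part of Deckard's System Scanner or of any post here) that parses the Run-key portion of such a dump and flags the values a responder would look at first: targets that are not executables and so get opened through a file association, values written shortly before the scan, and the same name registered under more than one hive. The sample text is copied from the dump above; the reference time passed to triage() is the time the scan finished.

```python
"""Triage of Windows autorun (Run / RunOnce) values taken from a Deckard's
System Scanner "Registry Dump" section. Added example for this thread; the
sample text is copied from the DSS log posted above, not produced here."""
import ntpath
import re
from datetime import datetime, timedelta

# Constructed sample: the two Run keys from the DSS Registry Dump above.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"blank"="C:\WINDOWS\system32\blank.htm" [04/15/2008 08:53 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [03/29/2008 10:07 PM]
"Babylon Client"="C:\Program Files\Babylon\Babylon-Pro\Babylon.exe" [04/15/2008 10:30 PM]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 11:56 PM]
"blank"="C:\WINDOWS\system32\blank.htm" [04/15/2008 08:53 PM]
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# DSS prints Run values as "name"="target" [last-write time]; this regex
# only handles that quoted form, not the unquoted RunOnce "ShowDeskFix" line.
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"(?:\s+\[(?P<stamp>[^\]]+)\])?$'
)
# File types the loader runs directly; anything else goes through a shell
# association (an .htm opens in the default browser, which is exactly how
# the blank pages appeared at every logon).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".bat", ".cmd", ".pif"}
AUTORUN_LEAVES = {"run", "runonce", "runonceex"}


def parse_run_entries(dump):
    """Return (key, name, target, stamp) for every value under a Run* key."""
    entries = []
    current_key = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current_key:
            leaf = current_key.rsplit("\\", 1)[-1].lower()
            if leaf in AUTORUN_LEAVES:
                entries.append((current_key, value_match.group("name"),
                                value_match.group("target"), value_match.group("stamp")))
    return entries


def parse_stamp(stamp):
    """DSS prints the value's last-write time as 'MM/DD/YYYY hh:mm AM'."""
    return datetime.strptime(stamp, "%m/%d/%Y %I:%M %p") if stamp else None


def triage(dump, reference_stamp, recent_days=7):
    """Return findings for autorun values that deserve a first look.

    reference_stamp uses the same format as the log (for the thread above,
    the scan finished 04/16/2008 12:45 PM)."""
    reference = parse_stamp(reference_stamp)
    entries = parse_run_entries(dump)
    hives_by_name = {}
    for key, name, _, _ in entries:
        hives_by_name.setdefault(name.lower(), set()).add(key.split("\\", 1)[0].upper())
    findings = []
    for key, name, target, stamp in entries:
        reasons = []
        ext = ntpath.splitext(target)[1].lower()
        if ext not in EXECUTABLE_EXTS:
            reasons.append("non-executable target %s: opened through its file association"
                           % (ext or "(no extension)"))
        written = parse_stamp(stamp)
        if written is not None and reference - written <= timedelta(days=recent_days):
            reasons.append("value written within the last %d days" % recent_days)
        if len(hives_by_name[name.lower()]) > 1:
            reasons.append("same value name registered under more than one hive")
        if reasons:
            findings.append({"key": key, "name": name, "target": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_DUMP, "04/16/2008 12:45 PM"):
        print("%s\\%s -> %s" % (finding["key"], finding["name"], finding["target"]))
        for reason in finding["reasons"]:
            print("    " + reason)
```

Run against the sample, both "blank" values are reported with all three reasons, while the avast! and ctfmon entries (old, executable, single hive) are not; the Babylon entry is listed only because it was written the day before the scan, which matches the reinstall date and is the kind of hit a responder rules out by hand.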
amin30b
Contributor
Posts: 14
Re: [Antichrist] [Day of judgment]-I really need help
« Reply #7 on: April 16, 2008, 05:35:00 AM »
extra.txt :
Code:
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------
-- System Information ----------------------------------------------------------
Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English
CPU 0: Intel(R) Pentium(R) 4 CPU 2.00GHz
Percentage of Memory in Use: 31%
Physical Memory (total/avail): 767.48 MiB / 524.39 MiB
Pagefile Memory (total/avail): 1878.62 MiB / 1656.55 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1925.97 MiB
A: is Removable (No Media)
C: is Fixed (FAT32) - 14.49 GiB total, 10.25 GiB free.
D: is Fixed (FAT32) - 11.99 GiB total, 0.42 GiB free.
E: is Fixed (FAT32) - 5.99 GiB total, 0.55 GiB free.
F: is Fixed (FAT32) - 19.91 GiB total, 2.27 GiB free.
G: is Fixed (FAT32) - 4.81 GiB total, 3.76 GiB free.
H: is CDROM (CDFS)
I: is CDROM (CDFS)
J: is Removable (FAT32)
\\.\PHYSICALDRIVE0 - Maxtor 4D060H3 - 57.25 GiB - 5 partitions
\PARTITION0 (bootable) - Unknown - 14.5 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 42.75 GiB - D: - E: - F: - G:
\\.\PHYSICALDRIVE1 - Generic USB Flash Disk USB Device - 980.53 MiB - 1 partition
\PARTITION0 (bootable) - Unknown - 983.97 MiB - J:
-- Security Center -------------------------------------------------------------
AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.
FirstRunDisabled is set.
AntivirusOverride is set.
AV: avast! antivirus 4.8.1169 [VPS 080416-0] v4.8.1169 (ALWIL Software) [COLOR=RED]Disabled[/COLOR]
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Enabled:eMule"
-- Environment Variables -------------------------------------------------------
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Manam\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DAILY-B0146F581
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Manam
LOGONSERVER=\\DAILY-B0146F581
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0204
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Manam\LOCALS~1\Temp
TMP=C:\DOCUME~1\Manam\LOCALS~1\Temp
USERDOMAIN=DAILY-B0146F581
USERNAME=Manam
USERPROFILE=C:\Documents and Settings\Manam
windir=C:\WINDOWS
-- User Profiles ---------------------------------------------------------------
Manam [I](admin)[/I]
-- Add/Remove Programs ---------------------------------------------------------
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Articulate Presenter 5 Professional --> MsiExec.exe /I{CA9291F3-8F12-40B7-BB1A-C64E5F86F4FC}
avast! Antivirus --> C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
Babylon --> C:\Program Files\Babylon\Babylon-Pro\Utils\uninstbb.exe
eMule --> "C:\Program Files\eMule\Uninstall.exe"
FastStone Capture 5.3 --> C:\Program Files\FastStone Capture\uninst.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Mozilla Firefox (2.0.0.12) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
-- Application Event Log -------------------------------------------------------
Event Record #/Type39 / Warning
Event Submitted/Written: 04/16/2008 01:37:25 AM
Event ID/Source: 5603 / WinMgmt
Event Description:
A provider, OffProv11, has been registered in the WMI namespace, Root\MSAPPS11, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.
Event Record #/Type38 / Warning
Event Submitted/Written: 04/16/2008 01:37:25 AM
Event ID/Source: 5603 / WinMgmt
Event Description:
A provider, OffProv11, has been registered in the WMI namespace, Root\MSAPPS11, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.
Event Record #/Type18 / Warning
Event Submitted/Written: 04/15/2008 06:53:14 PM
Event ID/Source: 5603 / WinMgmt
Event Description:
A provider, Rsop Planning Mode Provider, has been registered in the WMI namespace, root\RSOP, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.
Event Record #/Type17 / Warning
Event Submitted/Written: 04/15/2008 06:53:14 PM
Event ID/Source: 5603 / WinMgmt
Event Description:
A provider, Rsop Planning Mode Provider, has been registered in the WMI namespace, root\RSOP, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.
Event Record #/Type13 / Warning
Event Submitted/Written: 04/15/2008 06:49:19 PM
Event ID/Source: 63 / WinMgmt
Event Description:
A provider, CmdTriggerConsumer, has been registered in the WMI namespace, Root\cimv2, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.
-- Security Event Log ----------------------------------------------------------
No Errors/Warnings found.
-- System Event Log ------------------------------------------------------------
Event Record #/Type167 / Warning
Event Submitted/Written: 04/16/2008 01:37:54 AM
Event ID/Source: 20 / Print
Event Description:
Printer Driver Microsoft Office Document Image Writer Driver for Windows NT x86 Version-3 was added or updated. Files:- mdigraph.dll, mdiui.dll, mdiui.dll.
Event Record #/Type9 / Error
Event Submitted/Written: 04/15/2008 06:59:50 PM
Event ID/Source: 27287 / Setup
Event Description:
Windows Setup encountered non-fatal errors during installation. Please check the setuperr.log found in your Windows directory for more information.
-- End of Deckard's System Scanner: finished at 2008-04-16 12:45:45 ------------
Essexboy
Administrator
Posts: 899
Re: [Antichrist] [Day of judgment]-I really need help
« Reply #8 on: April 16, 2008, 04:23:40 PM »
There are no tools for deleting this nightmare so I will have to do it manually
Download and run ERUNT
http://www.larshederer.homepage.t-online.de/erunt/
Start ERUNT, confirm the Welcome message.
Type in the name of a restore folder where the backed up registry
files should be saved, or click "..." to browse your computer's drives
and select a folder. You can also simply leave the default, which is a
folder named ERDNT inside your Windows folder, the advantage being
that you have access to this folder from the Windows Recovery Console
in case Windows does not boot anymore.
Next, select the backup options:
- System registry
- Current user registry
- Other open user registries
Click "OK" and wait until the backup process is complete. (Note that
depending on your system configuration this may take some time, and
that the first bar is NOT a progress bar, just an indicator that the
program is still running.) The ERDNT program for later restoration of
the registry is automatically copied to the restore folder.
WARNING these fixes are designed for this user only and may cause damage if run on an uninfected machine
REGISTRY FIX
Quote
REGEDIT4
; REGEDIT4 syntax: backslashes inside string values are doubled, numeric
; values use dword:/hex:, and "name"=- deletes the value.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"blank"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"blank"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Window Title"=""
"Search Page"=""
"Start Page"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
; SystemRoot on this machine is C:\WINDOWS (see the extra.txt log)
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"SFCDisable"=dword:00000000
"LegalNoticeCaption"=""
"LegalNoticeText"=""
"LogonPrompt"=""
"Welcome"=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Load"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"RegisteredOrganization"=""
"RegisteredOwner"=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"ShowSuperHidden"=dword:00000001
Next you will need to create the repair registry fix. To do that, copy and paste ALL of the above in the quote box to a notepad file. Ensure there is no space above the REGEDIT4.
Then in notepad go to FILE > SAVE AS and in the dropdown box set SAVE AS TYPE to ALL FILES.
Then in the FILE NAME box type fix.reg
This will create a fix.reg file on your desktop.
To use this file you will need to right click the icon and select merge, accept the warning if it appears and you are done.
NEXT
During this run you will lose your desktop.
1. Please open Notepad: click Start, then Run, and type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Code:
KillAll::
File::
C:\WINDOWS\SHELL.EXE
C:\WINDOWS\VXDS.EXE
C:\WINDOWS\system32\SYS.EXE
C:\WINDOWS\system32\OEMINFO.INI
C:\WINDOWS\system32\OEMLOGO.BMP
C:\WINDOWS\system32\BLANK.HTM
C:\WINDOWS\help\HLPS.EXE
C:\WINDOWS\media\WMA.EXE
C:\WINDOWS\media\WINDOWS XP RINGIN.WAV
3. Then in the text file go to FILE > SAVE AS and in the dropdown box set SAVE AS TYPE to ALL FILES.
4. Save the above as CFScript.txt
5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
Combofix.txt
A new HijackThis log
VISTA
XPsp2
Avast (of course)
http://spaces.msn.com/members/essexboymkn/
If ignorance is bliss why aren't more people happy?
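A .reg file that regedit rejects is a common failure at this step (the next reply in the thread reports exactly that), and the usual causes are mechanical: forum line-wrapping that inserts spaces after backslashes in long key paths, values written as bare numbers or comma lists instead of dword:/hex:, a single backslash in a string where REGEDIT4 needs two, or a missing quote. The following Python linter is an added example for this thread, not part of the post above or of any Microsoft tool; it checks a REGEDIT4 file for those rules before you merge it. The BROKEN sample is constructed to mirror those shapes and the FIXED sample is the same content in valid syntax; the Userinit path assumes SystemRoot is C:\WINDOWS, as the extra.txt log above shows.

```python
"""Lint a REGEDIT4 .reg file before merging it. Added example for this
thread, not part of the original post or of any Microsoft tool; it checks
the syntax rules regedit enforces plus the one forum-specific trap seen here
(line-wrapping that inserts spaces after backslashes in key paths)."""
import re

HEADER = "REGEDIT4"
HIVES = {"HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_USERS",
         "HKEY_CLASSES_ROOT", "HKEY_CURRENT_CONFIG"}
KEY_RE = re.compile(r"^\[-?(?P<path>[^\]]+)\]$")
NAME_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|@)=(?P<value>.*)$')
VALUE_FORMS = (
    re.compile(r"^-$"),                                    # delete the value
    re.compile(r'^"(?:[^"\\]|\\.)*"$'),                    # REG_SZ
    re.compile(r"^dword:[0-9A-Fa-f]{8}$"),                 # REG_DWORD
    re.compile(r"^hex(?:\([0-9A-Fa-f]+\))?:(?:[0-9A-Fa-f]{2}(?:,[0-9A-Fa-f]{2})*)?\\?$"),
)
# A backslash inside a REG_SZ that is neither doubled nor escaping a quote.
LONE_BACKSLASH = re.compile(r'(?<!\\)\\(?![\\"])')
# Whitespace touching a backslash in a key path: the forum wrap artefact.
WRAP_SPACE = re.compile(r"\\\s|\s\\")

# Constructed sample mirroring the shapes in the fix posted above: key paths
# with spaces inserted after backslashes (forum line-wrap), a bare number,
# a non-doubled backslash, a comma list and a missing opening quote.
BROKEN = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"blank"=-

[HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Policies\ Explorer]
"NoFolderOptions"=0

[HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows NT\ CurrentVersion\ Winlogon]
"Userinit"="%sysdir%\userinit.exe"
"SFCDisable"=00, 00, 00, 00

[HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Explorer\ Advanced]
ShowSuperHidden"=01, 00, 00, 00
'''

# The same content in valid REGEDIT4 syntax (SystemRoot assumed C:\WINDOWS).
FIXED = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"blank"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"SFCDisable"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000001
'''


def lint_reg(text):
    """Return [(line_number, message)]; an empty list means the file should merge."""
    problems = []
    lines = text.splitlines()
    if not lines or lines[0].strip() != HEADER:
        problems.append((1, "first line must be %s with nothing above it" % HEADER))
    seen_key = False
    for num, raw in enumerate(lines, 1):
        line = raw.strip()
        if (num == 1 and line == HEADER) or not line or line.startswith(";"):
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            path = key_match.group("path")
            seen_key = True
            if path.split("\\", 1)[0].upper() not in HIVES:
                problems.append((num, "key does not start with a known hive"))
            if WRAP_SPACE.search(path):
                problems.append((num, "whitespace next to a backslash in key path (forum line-wrap?)"))
            continue
        value_match = NAME_RE.match(line)
        if not value_match:
            problems.append((num, 'not a [key], a ; comment or a "name"=value line'))
            continue
        if not seen_key:
            problems.append((num, "value appears before any [key] line"))
        value = value_match.group("value")
        if not any(form.match(value) for form in VALUE_FORMS):
            problems.append((num, 'value %s is not -, "string", dword:XXXXXXXX or hex:..' % value))
        elif value.startswith('"') and LONE_BACKSLASH.search(value):
            problems.append((num, "single backslash in string value; REGEDIT4 needs \\\\"))
    return problems


if __name__ == "__main__":
    for label, sample in (("broken", BROKEN), ("fixed", FIXED)):
        found = lint_reg(sample)
        print("%s: %d problem(s)" % (label, len(found)))
        for num, msg in found:
            print("  line %d: %s" % (num, msg))
```

The linter reports seven problems in the BROKEN sample, one per faulty line, and none in FIXED. It only checks syntax: whether the values themselves are the right ones for a given machine is still the helper's call, which is why the ERUNT backup comes first.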
Squeezebox
Administrator
Posts: 2756
Re: [Antichrist] [Day of judgment]-I really need help
« Reply #9 on: April 16, 2008, 06:12:48 PM »
Essexboy,
There was a fix that worked in the thread here:
http://forum.kaspersky.com/lofiversion/index.php/t61039.html
It involves some manual registry edits.
Any help?
Something has made this topic spread out across too much web page! Not sure what it was, but it only appeared after your last post.
amin30b
Contributor
Posts: 14
Re: [Antichrist] [Day of judgment]-I really need help
« Reply #10 on: April 17, 2008, 10:34:54 AM »
Sorry, I got an error when running fix.reg:
But I did the other steps and these are the reports:
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:59:32 ?.?, on 2008/04/17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20583)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\AppServ\Apache2.2\bin\httpd.exe
C:\AppServ\MySQL\bin\mysqld-nt.exe
C:\AppServ\Apache2.2\bin\httpd.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\Program Files\TrayLayout\TrayLayout.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Startup: TrayLayout.lnk = C:\Program Files\TrayLayout\TrayLayout.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\AppServ\Apache2.2\bin\httpd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
O23 - Service: mysql - Unknown owner - C:\AppServ\MySQL\bin\mysqld-nt.exe
--
End of file - 5626 bytes
amin30b
Contributor
Posts: 14
Re: [Antichrist] [Day of judgment]-I really need help
« Reply #11 on: April 17, 2008, 10:37:25 AM »
ComboFix :
Code:
ComboFix 08-04-15.1 - Manam 04/17/2008 17:53:29.2 - [color=red][b]FAT32[/b][/color]x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.472 [GMT 3.5:30]
Running from: C:\Combo-Fix.exe
Command switches used :: C:\CFScript.txt
* Created a new restore point
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
FILE ::
C:\WINDOWS\help\HLPS.EXE
C:\WINDOWS\media\WINDOWS XP RINGIN.WAV
C:\WINDOWS\media\WMA.EXE
C:\WINDOWS\SHELL.EXE
C:\WINDOWS\system32\BLANK.HTM
C:\WINDOWS\system32\OEMINFO.INI
C:\WINDOWS\system32\OEMLOGO.BMP
C:\WINDOWS\system32\SYS.EXE
C:\WINDOWS\VXDS.EXE
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\media\WINDOWS XP RINGIN.WAV
C:\WINDOWS\system32\BLANK.HTM
C:\WINDOWS\system32\OEMINFO.INI
C:\WINDOWS\system32\OEMLOGO.BMP
.
((((((((((((((((((((((((( Files Created from 2008-03-17 to 2008-04-17 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-17 14:14 --------- d-----w C:\Program Files\ERUNT
2008-04-17 06:18 --------- d-----w C:\Documents and Settings\Manam\Application Data\Ahead
2008-04-17 06:16 --------- d-----w C:\Program Files\Common Files\Ahead
2008-04-17 06:16 --------- d-----w C:\Program Files\Ahead
2008-04-16 23:59 791,393 ----a-w C:\erunt-setup.exe
2008-04-16 19:18 --------- d-----w C:\Program Files\TechSmith
2008-04-16 19:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\TechSmith
2008-04-16 19:17 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-16 19:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-16 19:06 --------- d-----w C:\Program Files\Macromedia
2008-04-16 19:06 --------- d-----w C:\Program Files\Common Files\Macromedia
2008-04-16 17:57 --------- d-----w C:\Program Files\TrayLayout
2008-04-16 11:21 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-16 11:21 --------- d-----w C:\Documents and Settings\Manam\Application Data\AdobeUM
2008-04-16 08:38 686,630 ----a-w C:\dss.exe
2008-04-16 01:04
---